As another cyber-attack hits some of Europe and the US’s largest companies, Blick Rothenberg partner Jim Brown discusses the need to take technology more seriously.
Large corporations have been subject to cyber-attacks for a number of years. Some of the largest and best-known names have been affected. Google has had usernames and passwords taken from its Gmail service and various celebrities have had personal photos stolen from Apple’s iCloud service.
The criminals behind these attacks do not only pick on multi-nationals, however. Hospitals have previously been the subject of cyber-attacks in the US and Russia and, more recently, so has the National Health Service (“NHS”) in the UK. A whole host of larger corporates was subject to the same attack at the same time without making quite the same headlines.
With all this publicity, you would think that smaller businesses would be aware of the risks and would look to minimize them as far as possible. Whilst the former is increasingly true, it remains the case that entrepreneurs are not focusing their thoughts, time or resources on how cyber security threats could be mitigated, or on the significant effects if they are not.
There are, however, a number of steps that a business can take, whatever its size. A number of these are not technical IT matters.
The simplest relate to governance. Aside from consideration at board/ownership level, simple steps can be taken such as mapping out the data held and understanding which of this data is “business critical”. This will allow more accurate assessment of the costs and benefits from investing in increased protection.
Raising awareness within the business is vitally important. In many phishing attacks there is an element of human error that can lead to a weakness within the systems. An education programme, reinforced with tests and further training for repeat offenders, can significantly reduce the ease with which an attack can succeed.
On the principle that an attack will happen, and at some point is likely to be successful, a communications plan that can be quickly enacted should be on hand. In the midst of an attack, time is likely to be in short supply. Having a pre-defined and agreed plan of what will be communicated, to whom and when, can both reduce the impact of negative feeling amongst clients, suppliers and employees and, just as importantly, prevent distractions for those trying to fix the problems.
It should not be underestimated how much time and expertise will be required to resolve the issues that can arise during an attack. Very few SMEs will have the expertise in-house to deal with this effectively. Having an agreed list of specialists that you can call upon to assist in such circumstances can be the difference between a (relatively) quick and painless resolution and a long, drawn-out, potentially business-ending affair.
As the number of business failures attributed to such matters increases, attention will increasingly be focused on this area. Those businesses that have considered cyber security as a part of their business planning, much of which can be non-technical in nature, will likely be one step ahead of their competition.
A longer version of this article first appeared in the June 2017 edition of ‘International Accountant’ magazine.