The boards of medium sized businesses are being warned to step up and not be complacent about the risks posed by cybercrime.
The alarm call, from security specialists Digital Craftsmen, comes as cyber criminals widen their focus to include not just large, listed enterprises but medium-sized firms too. In fact, every business is now at risk from a cyber-attack: cyber criminals are not selective about who they target.
Many cyber criminals are now able to buy hacking software and stolen databases on the dark web for just a few hundred pounds, which gives them the tools to commit cybercrime, including data theft and ransomware attacks, without requiring any technical expertise.
Simon Wilcox, MD of Digital Craftsmen, has led an expert round-up of the increasing risks of cybercrime for medium-sized businesses. Their assessment features in Cyber Trends, a Sky Business programme. The programme is intended to help educate business leaders about the ransomware dangers they face and the critical actions they can take to protect their firms.
He is joined by leading cyber security experts, including Matt Middleton-Leal, MD (EMEA North) at Qualys; Paul Baird, UK Chief Technical Security Officer at Qualys; Barry Coatesworth, Director of Risk, Compliance & Security at Guidehouse; Brian Brackenborough, Chief Information Security Officer, Channel 4; and Paul Orrock, Technical Director, Digital Craftsmen.
He advises: “The serious risks posed by cybercrime include ransomware attacks, in which criminals invade and occupy company systems and demand significant sums to release the system. One route is phishing activities, in which employees are tricked into revealing sensitive security details and company data. Other routes include malware and exploiting software vulnerabilities.”
Education and collaboration are key elements of the defence against cybercrime. Simon adds: “We see companies sharing data security insights and information, to enable higher levels of cyber security protection across their business sectors. They are protecting their own organisation and helping to protect their peers, which produces the wider effect of improved cyber security across the business community.”
He continues: “We believe in the principle of ‘a rising tide lifts all boats’ and the more the business community knows, the more it will raise their cyber security standards, and the greater the deterrent to opportunist cyber criminals.
“The purpose of the Sky TV programme is to advise business of the scale of cybercrime risks and the importance of businesses taking key steps to protect against cybercrime.”
Simon Wilcox provides a stark reminder of the consequences of failing to face up to cybercrime risks: “The consequences of cybercrime can be significant. In addition to substantial, perhaps crippling business disruption, boards need to consider the reputational impact of data losses.”
He continues: “Financially, there are also huge fines for businesses if they don’t properly secure or safeguard client data. Under the General Data Protection Regulation (GDPR), the EU's data protection authorities can impose fines of up to €20 million, or 4% of worldwide turnover for the preceding financial year – whichever is higher. In addition, directors can be held personally liable for data breaches or other data protection failures in their business, with personal fines of up to five hundred thousand pounds.”
Simon concludes: “It’s simply a misconception by many business owners that cyber criminals are not interested in their commercial data and digital assets. They are increasingly a target, and forward-thinking Board members need to plan how to protect their business data and commercial future, rather than think they are not on the radar for cybercriminals.”
Six key steps that companies can take to protect against cybercrime.
Whilst it is not possible to eliminate the threat of ransomware entirely, Paul Baird, UK Chief Technical Security Officer at Qualys, uses the programme to set out six key steps that companies can take to protect against cybercrime.
1. Organisations need to be aware of all their data assets and understand what is on their network.
2. Firms need to think about vulnerability management across their systems, understanding where the vulnerabilities and misconfigurations lie.
3. Businesses need to prioritise the systems most important to their business and devise a clear plan for patching and protecting them, in priority order.
4. Patch the machines. Many organisations understand their vulnerabilities and the threats they face, but never get round to pushing out the patches that resolve those vulnerabilities and misconfigurations.
5. Companies need to commit to anti-virus and endpoint detection and response (EDR) capabilities to stop or mitigate ransomware before it ever gets onto their machines.
6. The simplest step is education and awareness, including teaching and continuously reminding staff about malicious links and emails, which can easily reach the business. This has been harder during the pandemic, with people working away from the office, so there need to be constant reminders to stay vigilant.
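Steps 1 to 4 above only work together: a vulnerability scan is of little use until it is joined to an asset inventory that says which machine matters and which is exposed. The script below is an added illustration of that join, written for this page; it is not code from Digital Craftsmen, Qualys or the Sky programme. The hosts, the 1-to-5 business criticality ratings, the "internet_facing" flags, the vulnerability identifiers (VULN-A etc.) and the weighting factors are all constructed assumptions for the example. It ranks findings into a patch queue and, just as importantly, reports hosts the scanner saw that nobody recorded in the inventory, which is the step 1 gap in practice.

```python
"""Risk-ranked patch queue from an asset inventory plus vulnerability findings.

Added example for illustration only; all data below is constructed and the
scoring weights are assumptions, not a published methodology.
"""
from dataclasses import dataclass

# Step 1: what the business believes is on its network.
# criticality is a hypothetical 1 (low) to 5 (business-critical) rating.
INVENTORY = {
    "erp-db-01":   {"criticality": 5, "internet_facing": False},
    "web-shop-01": {"criticality": 4, "internet_facing": True},
    "hr-file-01":  {"criticality": 3, "internet_facing": False},
    "dev-vm-07":   {"criticality": 1, "internet_facing": False},
}

# Step 2: constructed scanner output. cvss is a base score; exploited marks
# a vulnerability known to be exploited in the wild. VULN-* ids are made up.
FINDINGS = [
    {"host": "web-shop-01",   "id": "VULN-A", "cvss": 9.8, "exploited": True},
    {"host": "erp-db-01",     "id": "VULN-B", "cvss": 7.5, "exploited": False},
    {"host": "hr-file-01",    "id": "VULN-C", "cvss": 5.3, "exploited": False},
    {"host": "dev-vm-07",     "id": "VULN-A", "cvss": 9.8, "exploited": True},
    {"host": "legacy-ftp-02", "id": "VULN-D", "cvss": 8.1, "exploited": False},  # absent from INVENTORY
]


@dataclass(frozen=True)
class QueueEntry:
    host: str
    vuln_id: str
    score: float


def score_finding(finding: dict, asset: dict) -> float:
    """Step 3: weight the raw CVSS score by what the machine means to the business.

    The multipliers are assumed for this example; tune them to your own risk appetite.
    """
    score = finding["cvss"] * asset["criticality"]
    if finding["exploited"]:
        score *= 2.0      # actively exploited: an opportunist can use it today
    if asset["internet_facing"]:
        score *= 1.5      # reachable by anyone scanning the internet
    return score


def build_patch_queue(inventory: dict, findings: list) -> tuple:
    """Return (ranked patch queue, sorted hosts the scanner saw but the inventory lacks)."""
    queue, unknown = [], set()
    for finding in findings:
        asset = inventory.get(finding["host"])
        if asset is None:
            # Step 1 failure: you cannot prioritise a machine you did not know you had.
            unknown.add(finding["host"])
            continue
        queue.append(QueueEntry(finding["host"], finding["id"], score_finding(finding, asset)))
    queue.sort(key=lambda entry: entry.score, reverse=True)
    return queue, sorted(unknown)


if __name__ == "__main__":
    ranked, missing = build_patch_queue(INVENTORY, FINDINGS)
    for rank, entry in enumerate(ranked, 1):
        print(f"{rank}. {entry.host:14} {entry.vuln_id:8} priority={entry.score:6.1f}")
    if missing:
        print("Seen by scanner but not in inventory (investigate first):", ", ".join(missing))
```

Run as a script it prints the queue with the internet-facing shop server first and the developer VM, despite carrying the same exploited vulnerability, well down the list, then names legacy-ftp-02 as an unrecorded host. The point for step 4 is that the output is an ordered worklist somebody can actually start pushing patches against, rather than a scan report of equal-looking red rows.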