Home News Cyber security: why and how you should protect your business

Cyber security: why and how you should protect your business

May 27, 2021 Leo Expert advice

While the methods used by online criminals are becoming continually sophisticated, cyber security is not just limited to digital activity or data hacking. You could also suffer data breaches in the form of a stolen laptop, mis-placed phone or simply an email sent to the wrong recipient.

In every case, you’re not alone. Big companies have also fallen foul of data breaches and attacks, often at huge scales. What matters most is how you prepare and how you deal with them when they happen. Here, we’ll go over what you need to know and what to do if you experience a data breach.

The stats

How have companies been impacted?

Since the Covid pandemic caused the vast majority of the population to shift most of their shopping activity online and businesses found ways for their staff to work remotely, it’s no surprise there has been a significant increase in data breaches and cyber crime.

A study by Symantec revealed that in 2018-19 an average of 4,800 websites per month were compromised by form-jacking code, with criminals netting $2.2 million (approx £1.55 million) from obtaining only 10 credit cards per site. Alarmingly, a study by IBM identified the average time to identify a data breach in 2020 was 288 days. The same study stated the average total cost globally of a data breach as being $3.86 million (approx £2,73 million).

How bad can it get?

In April 2021 in the UK alone, companies such as drinks distributor MCB, the government’s Department for Digital, Culture, Media & Sport and even HMRC have experienced a significant loss of customer personal data. And this is on top of a string of high-profile cases in 2020, which saw major corporations such as EasyJet, Twitter and Marriott Hotels all suffer large data breaches. Online meeting service Zoom was also humiliated after 500,000 of its contact details were discovered for sale on the dark web in April 2020.

Why cyber security is vital to business operations

In an increasingly privacy-focused world, with more concerns than ever over personal data and online security, it’s essential for businesses to do more than pay lip service to cyber security. If you fail to act, then a problem with security could affect you in the following ways:

Fines

Stringent GDPR laws in the UK and EU mean that if you are found to be negligent in your cyber security and data protection, you could be liable for significant fines or sanctions that could significantly harm your business. Although the Information Commissioner’s Office (ICO) tends to deal more with unsolicited email or SMS spam, they fined Marriott Hotels £18.4 million and British Airways £20 million for failing to protect their customers’ personal details. They also secured a prison term for a motor industry employee who passed on personal information without consent.

Trust

As the guardian of your customers’ data, you have a responsibility to them to take every step within your power to safeguard their personal information. One of the first and largest casualties of a data breach is the trust customers had in that business or organisation. Conversely, the biggest gain for companies taking active steps to improve their cyber security will be the increase in trust within their customer base. As a business owner, you know you will only retain people’s custom for as long as you have their trust. So it’s in your best interest to ensure your cyber security is on point.

Where you should focus your attention

There are a number of steps you can take to protect your business and your customers from cyber crime and data breaches. Some are simple, others more complex. The basics to consider are:

Appoint a team member as your Data Protection Officer with responsibility for ensuring all your cyber security is up to date and handling any data breaches that may occur. If an individual or sole trader, this will be yourself.
Change your passwords regularly on your machines and all software and apps you use, both personally and as a company. Consider using an encrypted service like LastPass to protect passwords.
Invest in robust anti-virus software. There are many free options available to install but they will not provide a high level of security and may not be updated against the very latest online threats.
Give people knowledge. Most of the time, nobody takes any action on cyber security because they don’t perceive any problems. Make your team aware of the risks and what they can do to prevent issues.

Outsourcing for the best results

The most effective way to manage the above steps and more is to work with a specialist IT company who knows exactly the best steps to take in your particular circumstances. It would be a huge challenge to stay on top of all the developments in cyber security yourself, but the expert teams at an outsourced service will be handling this on a daily basis. You won’t be able to beat their level of familiarity with the field.

At Comms Unite, we have in-depth experience of cyber security for businesses of a range of sizes, operating in a number of specialist sectors. If you are unsure about any aspect of cyber security, please give our engineers a call and they’ll do what they can to offer advice and assistance.

What to do if you have a data breach

The moment when you realise you’ve had a data breach can be gut-wrenching, but don’t panic. If you follow the correct procedure step-by-step you’ll minimise the damage and probably go a long way to regaining credibility in the eyes of your customers by taking ownership of the situation. You might also be able to get help from the Information Commissioner’s Office (ICO), who provide guidance on all aspects of data protection in the UK.

Step 1: Find out exactly what happened

The first step is always to take a close look at what has occurred and get a full picture of the breach. No matter how big or small, take notes. What date and time did it happen? Were any particular machines affected? How much data was compromised, and what was it? Were any staff aware of it at the time? Was it due to user error or an outside incursion? Keeping a log of all the details and times around your breach will stand in your favour in the case of any investigation and will help clarify both the facts and your thoughts as you proceed.

Step 2: Make all attempts to contain it

Depending on the nature of the breach, you’ll be able to do a number of things to nip it in the bud right away. If simply an email mistake, you could immediately ask the recipient to ignore and delete it without delay. If your laptop has been stolen or phone misplaced, then you could wipe the information remotely, if you have the capability to do so (a good reason to have an expert IT company on your side). You can also change all passwords on all machines across your company to prevent any attempt from outside parties to log on to your systems.

Step 3: Assess the risk to those involved

Take a step back from the immediate incident and consider all the elements around it. Think about everyone involved and how they may be affected by this breach. Try to see the situation from the victim’s point of view and anticipate how they would like to be treated. If you’ve merely sent an email to the wrong person, then a considered view could indicate that nothing more malicious will arise. All that’s needed is a follow-up email to notify the person of the error and request that they delete it from their systems. If your CRM has been compromised by cyber criminals, then it should be easy to imagine how a large data set can be sold or distributed to people who would enjoy access to your customers’ information for their own ends. You need to protect people from identity theft, profile hacks and online fraud, amongst other things.

Step 4: Act as necessary

If the breach is of a variety and size that merits it, then you should take further appropriate action to mitigate damage – both to yourself and the people affected. Again, it’s useful in this situation to put yourself in people’s shoes. If your own personal information had been leaked, then it’s fairly likely you would want to be told about it and given advice as to what measures to take – be that changing passwords, being vigilant for new malicious emails or updating your malware detection. At the very least, you’d expect an apology.

Step 5: Submit a report to the ICO, if necessary

You might not actually need to submit a report on your issue to the ICO. Minor cases that can be handled quickly and easily by yourself – such as a mis-sent email – will not concern them, unless they have received a string of complaints from the public. To find out if you really need to submit a report visit the ICO website and use their self-assessment tool. If you do need to report your breach, then by law you must do so without undue delay and within 72 hours of discovering it (not within 72 hours of it occurring). Acting within the guidelines will be in your favour in the case of an investigation. Remember: not every breach results in formal action by the ICO. Their primary concern is to educate businesses and individuals about the importance of data security and to help them get it right in future. You can find more information and current news regarding data security for your business – whether a private sector company, public body or sole trader – on the ICO website.

Are you happy with your cyber security, IT and comms systems?

If you want to chat about possible improvements to your current set-up and discover new solutions that could fast-track your business, give us a call on 01473 599020 or email hello@comms-unite.co.uk

We’re here to get it done, and won’t stop until everyone’s happy.