We are very much in a digital age and this has brought with it an astounding new range of solutions to problems, innovations and new ways to connect businesses with customers. But it has also brought a series of new challenges that businesses need to cope with and top of that list is the various types of cybercrime.
From identity theft to hacking of websites and even digital document theft, businesses need to protect themselves and their customers against cybercrime as much as possible.
Perceived top challenges
Before we look at the reality of the issues, it is worth summarising the results of a study that spoke to small and medium-sized businesses and asked them what their top cyber security challenges were.
Of those that the study interviewed, nearly 20% said that the biggest challenge was that the company depended on too many manual or informal processes to handle cybersecurity challenges. This could be anything from not having a clear website security process to not knowing exactly how confidential shredding is handled.
27% of respondents said the biggest problem was that there were too many disconnected tools used for cybersecurity and that it was difficult to manage, to be effective and even to know what to do. As companies build up their cyber security, there is often overlap and unclear processes that lead to confusion – and missed steps.
The same number also said that business managers didn’t understand or support strong cybersecurity. For some businesses, there is still the idea that this kind of thing only happens to ‘big’ companies, but this isn’t the truth and any size company can be targeted.
One quarter of those surveyed said that non-technical employees weren’t trained appropriately on cyber security issues, meaning they unwittingly became the weak spots in the system. And 24% said that the company simply didn’t have the skills within it to handle cyber threats.
Identity theft is a dual risk for businesses – there’s the risk of the business suffering a data breach that leads criminals to get access to customer data. Then there’s the risk of the business itself suffering from ID theft, which is less common but potentially just as devastating.
The other issue is there’s no one-size-fits-all solution to covering the risks of identity theft. It has to be worked out based on what the business does, what processes it uses and what kind of data it holds.
Assessing the risk
It is always important to start by assessing the risk and looking at the ways that criminals could potentially get sensitive information from the business. There are two main threats – internal and external. While external threats such as hackers breaking into the business systems are the most well publicised, internal threats are just as big of a problem.
Some of the questions to ask include:
· Do you know where sensitive information is on your network?
· Do you know who has access to it?
· Have you restricted it based on who needs access to it?
It is also worth assessing the data from the viewpoint of a cybercriminal. What is the most valuable and what can be easily used? Top of that list would be things like credit card or bank account information so if you hold or process these, this has to be the priority in terms of the created risk.
Another way to really assess the situation is to use the Gordon and Loeb model. This breaks down estimated loss and risk to help identify investments and savings while providing a full picture of the cyber security position of the business. An example of the process would be:
1. Estimate the loss if a breach was to occur (£ loss)
2. Estimate the risk – the probability of loss from this breach (% risk)
3. Identify investments – what do you need to invest in to help combat the loss (£ invest)
4. Estimate savings – estimate the reduction in the probability of a breach for each investment made (% save)
5. Calculate potential savings = £ loss x % risk x % save
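The five steps above, worked through for several candidate investments at once. This is an added example, not part of the original article: all figures and investment names are constructed, and the net-benefit column and the 1/e spending ceiling (a published Gordon and Loeb result for broad classes of breach functions, not stated on this page) go beyond the list above.

```python
import math


def rank_investments(loss, risk, investments):
    """Apply steps 1-5 to each candidate and rank by net benefit.

    loss: estimated loss if the breach occurs (GBP)          - step 1
    risk: probability of that loss, 0..1                     - step 2
    investments: list of (name, cost in GBP, save), where    - steps 3 and 4
                 save is the estimated reduction in breach probability, 0..1
    """
    if not 0 <= risk <= 1:
        raise ValueError("risk must be a probability between 0 and 1")
    # Assumption beyond the page: spend above 1/e (~37%) of the expected
    # loss is flagged, following the published Gordon-Loeb result.
    cap = math.exp(-1) * loss * risk
    rows = []
    for name, cost, save in investments:
        if not 0 <= save <= 1:
            raise ValueError(f"save for {name!r} must be between 0 and 1")
        savings = round(loss * risk * save, 2)  # step 5: loss x risk x save
        rows.append({
            "name": name,
            "cost": cost,
            "savings": savings,
            "net": round(savings - cost, 2),  # added comparison, not in the list
            "over_cap": cost > cap,
        })
    return sorted(rows, key=lambda row: row["net"], reverse=True)


def demo():
    """Constructed figures: a 200,000 GBP breach with a 10% yearly chance."""
    candidates = [
        ("replacement firewall", 9000, 0.25),
        ("2-factor authentication", 3000, 0.40),
        ("automated patching", 5000, 0.30),
    ]
    return rank_investments(200_000, 0.10, candidates)


if __name__ == "__main__":
    for row in demo():
        print(row)
```
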
Protecting customer data
Once you have worked through this assessment, you will likely see a few main areas to work with to improve or tidy up your identity theft protection. Some examples of these could be:
By limiting who has access to what, you are immediately reducing the risk. Employees should only ever be able to access systems and data that is needed for them to complete their job. Each employee should also have an ID so access can be tracked and there should be a strong password system in place.
All software will have regular updates, and these are often key to ensure they remain secure and up to date. Often, companies will make amendments that help to improve the cyber security of their products and therefore by conducting updates, you are effectively upgrading your business systems. Having a process in place to ensure these updates are done as soon as possible after release is an important part of business security.
Invest in new tech
There’s always a temptation to cut costs by keeping older tech in place because it still works. But it may not work as well as you think, and this could be creating a vulnerability. A simple firewall or antivirus software isn’t the solution to all cyber problems and older technology is far more likely to be vulnerable than updated or newer versions.
For many businesses, the website is the online home of the company and is a key part of marketing and customer building efforts. It is also often involved with e-commerce, where customers can buy products or services through the site. This means another big challenge in combating cyber crime is to make sure that the website is secure.
Comprehensive website security is about a lot more than just a firewall and antivirus software to protect against common threats. It is also about handling things like disruptive hacks such as the WannaCry virus that held websites hostage around the world and demanded payment to release them. Ransomware hacks like this one are on the rise and businesses often can’t afford to lose access to their site so end up paying the ransom.
Employ best practices
At the heart of protecting the company website is the idea of employing the best practices to ensure risks are minimised. Three key areas for this are:
· Automating the updates of operating systems
· Ensuring the use of a strong password and 2-factor authentication
· Making certain email systems are secure and security processes are in place
We have already mentioned the importance of updating software used within the business and the company website is one of the most important things to add to this list. The good news is that there are lots of ways to automate this or have experts handle it for you so there’s no risk that the website is outdated and therefore vulnerable to hacking. Include automatic updates for firewalls, virus software and other protective measures in this system for maximum protection.
Strong password and 2-factor authentication
We all know that using one easy to remember password across all of our sites is a recipe for disaster, but businesses often let predictable patterns of behaviour come into passwords. That’s why enforcing strong password systems and using 2-factor authentication is key.
Setting up tough passwords is important, and ensuring the system regularly prompts users to change them is also a good idea – for both customers and staff. While it might be a pain to create a new password, it is better than a hack with stolen data.
With 2-factor authentication, users accessing the backend of the website need to input a user ID, their password and also an authenticator number. Google offers a system for this which makes it easy to secure the backend of the site. A 1-time code can be created and sent to the user’s smartphone each time they log in. Again, it slows things down but vastly decreases the chances of a hack.
Secure email procedures
Many of the problems experienced by businesses come via email. Network attacks, data breaches, hacks, these are all often started with someone clicking a link in an email or opening an attachment. That’s why having secure email procedures is very important. All attachments should be scanned before opening and ideally, links and attachments shouldn’t be opened on the business server.
Another area to ensure that the site is secure is to use secure hosting or a secure website platform. When you use your website for e-commerce, you are at a greater risk than when it is purely informational or has a blog with no products or services. And companies who offer this often use secure e-commerce platforms or hosting to increase their website security.
Look for platforms that are fully secure and PCI-compliant with their online store checkouts. Make sure they only use PCI-compliant payment processors. Also, ensure your site has an SSL certificate to protect the data on the site. A secure sockets layer or SSL ensures that all data passing between users and the website is encrypted and that it cannot be hacked, interrupted or accessed.
Set up fraud alerts
Setting up fraud alerts is a good way to protect both your business and potential customers as well as saving money in processing fraudulent orders. These tools look for things like:
· Mismatching user information for credit cards
· Repeat orders over a short time for the same customer with different cards
· A difference in shipping and billing addresses
· Chargeback abuse history
· International orders and those from blacklisted countries
The right tools can help with declined and mismatched payment information, tag suspicious orders and help with repeat chargeback customers. While they aren’t 100% guaranteed, these tools can greatly reduce fraudulent transactions and save the business money.
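The checks in the list above, written as a small rule set that tags one order with the reasons it looks suspicious. This is an added example, not code from any particular fraud tool: the order field names, the one-hour repeat window, the home country and the placeholder blocked-country code are all assumptions, and the sample orders are constructed.

```python
from datetime import datetime, timedelta

HOME_COUNTRY = "GB"                 # assumption: where the shop normally sells
BLOCKED_COUNTRIES = {"XX"}          # placeholder code, not a real country list
REPEAT_WINDOW = timedelta(hours=1)  # assumption: what counts as "a short time"

def fraud_flags(order, earlier_orders, chargeback_customers):
    """Return the alert reasons raised by one order (empty list = clean)."""
    flags = []
    if order["cardholder_name"].strip().lower() != order["customer_name"].strip().lower():
        flags.append("card details do not match customer")
    for prev in earlier_orders:
        gap = order["placed_at"] - prev["placed_at"]
        if (prev["customer_id"] == order["customer_id"]
                and prev["card_fingerprint"] != order["card_fingerprint"]
                and timedelta(0) <= gap <= REPEAT_WINDOW):
            flags.append("repeat order with a different card")
            break  # one hit is enough to raise the alert
    if order["shipping_address"] != order["billing_address"]:
        flags.append("shipping and billing addresses differ")
    if order["customer_id"] in chargeback_customers:
        flags.append("customer has chargeback history")
    if order["ship_country"] in BLOCKED_COUNTRIES:
        flags.append("order from blocked country")
    elif order["ship_country"] != HOME_COUNTRY:
        flags.append("international order")
    return flags

def sample_order(**changes):
    """Constructed sample order; keyword arguments override the defaults."""
    base = {
        "customer_id": "c-100", "customer_name": "Ann Lee",
        "cardholder_name": "Ann Lee", "card_fingerprint": "card-A",
        "shipping_address": "1 High St", "billing_address": "1 High St",
        "ship_country": "GB", "placed_at": datetime(2024, 1, 5, 10, 0),
    }
    base.update(changes)
    return base

def demo():
    """Score a clean order, then a second one placed 20 minutes later."""
    first = sample_order()
    second = sample_order(card_fingerprint="card-B", cardholder_name="B. Smith",
                          shipping_address="9 Dock Rd", ship_country="FR",
                          placed_at=datetime(2024, 1, 5, 10, 20))
    return fraud_flags(first, [], set()), fraud_flags(second, [first], {"c-100"})

if __name__ == "__main__":
    print(demo())
```

Flags like these are reasons for manual review rather than automatic rejection, since a gift shipped to a different address trips the same rule as a stolen card.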
The third challenge to consider for the modern business is document management. Cyber criminals have many complex ways to steal data from a business, but the oldest ways still work – finding documents discarded by the business that contain data. That’s why having a clear document management process is very important.
A document management system can be on-site or can be off-site and involves ensuring processes are in place to manage all kinds of documents. The key is that they are protected and securely shredded at the end of their lifespan to make sure hackers and other criminals cannot access the data that they contain.
There are companies who handle shredding and document storage for you so once the process is in place, it is less hands-on. For example, off-site storage allows you to store all business-critical documentation away from the business premises. There is online management available and a host of different ways to retrieve the data. It is secure at all times and if there was a break-in or a fire at the business property, the documentation would be safe off-site.
Backup tape storage
Backing up all data is a key part of protecting a business but where should those backup tapes be stored? A good tip in document management systems is to have them stored off-site. Like the documents themselves, these tapes can be stored at a special, secure facility with easy access if they are required. This means the tapes are protected, secure and in environmentally controlled facilities, which means there is no degradation.
A final component in document management is asset tracking. This involves tracking assets of the business, including those that store data. It involves knowing where they are, what they are and whether they are onsite or offsite. Using specialist software ensures that assets can always be easily located and monitored.
Combating cyber criminals
Sadly, the need to combat cyber criminals isn’t one that is going away and as they become more sophisticated, so too are the measures businesses need to combat them. But with solid practices, a clear idea of the challenges and staff that are briefed on what they need to do, you can reduce your risks greatly.