Chancellor Philip Hammond announced last week that, over the next five years, the government will invest £1.9bn in trying to tackle cyber attacks.
There’s an argument that a sizable chunk of this funding should be directed towards stopping the problem at source abroad, but for UK-based entrepreneurs, their fight against cyber crime will necessarily be fought from their workplace.
Most organisations aren’t adequately prepared for cyber risks that change daily. Investment in policies, procedures and training is as important as putting in place the right technology to prevent attacks.
However, from startups to the FTSE 100 – one size doesn’t fit all. Entrepreneurs should start by identifying what assets are most at risk, how they are most likely to be compromised and what the most proportionate solutions are, bearing in mind that cyber security needs to be realistic.
Employees need to download attachments and click on links to do their job. It is no good trying to implement an outright ban on such activities or trying to discourage normal user activity. So, a business may wish to segregate its information, invest in better contracts, train its staff or hire a full-time security manager.
Whether negligent or malicious, cyber breaches often expose more fundamental weaknesses within an organisation.
At some point, an employee is bound to leave a laptop on the tube. If a business is mature in its approach to cyber security, that laptop will be registered, encrypted and wiped remotely. A business that is not sophisticated could lose an unencrypted laptop and not know it’s missing for a week because the employee will be too fearful to report it.
Too many companies don’t have a plan in place for when things go wrong. We saw this with TalkTalk, which was fined a record £400,000 last month and reprimanded by the Information Commissioner for failing to implement the most basic cyber security measures. TalkTalk didn’t know what to say to the press, the regulator and customers, which magnified the problem. Response procedures and communications can be considered in advance, so that customers and the reputation of the company are best protected.
Once a business has mitigated cyber risks as far as it practically can, it should transfer the remaining financial exposure to an insurer by putting a proper cyber insurance policy in place. It’s comparable to dealing with health and safety risks: identify and mitigate risks, but have general liability insurance to pay for losses that do arise.
The cyber insurance industry remains small in Europe because insurable costs are still relatively modest when compared to those in the US. The new EU General Data Protection Regulation – which will come in before Brexit and sees the introduction of mandatory notification requirements with fines calculated at up to 4 per cent of annual worldwide turnover – should change this.
Reacting quickly to a breach can lead to a better result than is often expected – in many cases information and money are recoverable. In a cyber fraud case, criminals can be identified through rapid investigatory work combined with data analytics, and court orders can be used to raid premises to recover what has been stolen and freeze bank accounts.
Entrepreneurs need to be nimble and flexible in the fight against cyber crime. Clearly there are trade-offs when running a profitable business which seizes the digital opportunity but also seeks to manage cyber like any other business risk. Preparing for and fighting cyber threats is a matter of devoting the time and resources needed to ensure the business is resilient in defence and proactive in attack.