With an ever-increasing number of devices going online, cybercrime risks are growing – prevention can never be guaranteed but a more proactive approach by businesses is essential.

Cyber fraud is growing significantly year on year, with the cost to organisations now running into billions of pounds.

According to the Hiscox Cyber Readiness Report 2017, more than half of firms (57%) surveyed in the UK, Germany and US have experienced an attack in the past year and two in five (42%) have had to deal with two or more.

Research published by Beaming in March 2017 also revealed that more than half of British businesses fell victim to some form of cybercrime in 2016 at a cost of £29.1 billion.

With insights from IT security experts, 3B Data Security and Pen Test Partners here we outline the risks of a cyber-attack for businesses and company directors, and what steps you can take to reduce those risks.

Cyber-attack risks

The financial implications of a cyber-attack can be huge for a business through lost customers, reputational damage and a fall in company value, but there are other risks which are often overlooked.

Company directors may face claims against them personally if their business suffers a cyber-attack and the board is shown to have failed to put in place adequate measures to minimise the risk of such an attack, and to deal with the repercussions of any attack once it has happened.

With the General Data Protection Regulation (GDPR) coming into force in May 2018, companies will be required to implement more stringent information security measures to ensure the safety of individuals’ data, including that of staff members. Companies will be required to report personal data breaches caused by such actions as cyber-attacks within 72 hours.

All these aspects are going to result in shareholders, customers, suppliers, employees, regulators, insurers and bankers becoming more proactive in examining how companies and directors manage their cyber risk.

Failure to do so is inevitably going to result in some companies facing claims, and some directors facing claims against them personally.

The role of the directors

Directors have ultimate responsibility for managing cyber risk. Day-to-day management of the risk can be delegated, but the Board must proactively oversee this. Responsibility therefore starts and ends with them. This is enshrined in the Companies Act, 2006.

A cyber Incident Response Plan is essential to manage the response to a cyber-attack, covering the financial, reputational and legal risk. Contracts should be drafted, and existing contracts reviewed, to ensure that risk arising out of any future cyber-attack is allocated clearly between the company and third parties to minimise the company’s risk.

The role of HR

The internal workforce is responsible for a significant proportion of IT breaches. Hackers often prey on the weak by targeting frustrated or complacent employees, and employees can also be the subject of social engineering that lures them into handing over valuable data.

HR departments therefore have a key role to play from the outset in the fight against cybercrime, particularly in preventing data breaches, and a more proactive approach is essential.

A cyber security and prevention program and a clear and well communicated staff policy aimed at educating employees should be put in place. It is important that any policy sets out the consequences of non-compliance, including potential for disciplinary action if there is a breach.

This should be accompanied by a training awareness session for all positions, taking a boardroom-to-basement approach. Training should be given at the outset of employment as part of induction programs. It should educate and raise awareness among employees, covering how to identify and deal with suspicious circumstances and emails, and the dos and don’ts of using IT and receiving data. Training can also be interactive, such as using phishing exercises to engage employees, and should continue regularly, either informally or formally, acting as refreshers for employees.

Culturally, HR needs to support anyone that’s been impacted by a data breach with clear communication and an action plan which is aligned with wider company obligations.

In terms of IT systems and processes, being able to track and monitor information flow within a business is also essential. This should be supported by a database of employees who have access to confidential information and those permissions should be monitored.

It’s vital that HR and IT teams communicate regularly to help monitor information and any unusual activity, and to act on non-compliance, for example if an employee tries to access documents which they wouldn’t usually have access to. Also check to what extent laptops and smartphones are encrypted, and how knowledgeable employees are about using encryption methods when sending data.

Don’t be held to ransom

A growing concern for businesses is ransomware, a form of malware that prevents the user from using a computer and accessing data until a ransom is paid.

With ransomware hitting the headlines in recent months, businesses are more aware of the issue but must act now to ensure they don’t fall victim.

To reduce the risk, organisations are advised to take these steps:

  1. As with any other security threat, computer software and applications should be kept up to date, and multiple antivirus tools used.
  2. Produce an Incident Response Plan including what action you will take if you suffer a ransomware or other cyber-attack. Have Incident Response experts on call, including IT security, legal, PR and HR, to ensure you can respond as quickly as possible, that you are prepared and equipped with the information you need in advance of a possible attack, and that you can manage the fallout after an attack.
  3. Remind employees not to open attachments unless they know who has sent them and that the email is expected or legitimate as malware can also appear to come from known sources. Saving an attachment to disk rather than opening directly from an email can also reduce the risk.
  4. Back up data but don’t put all your eggs in one basket and use just one device such as a hard drive in case that also gets encrypted. Use multiple devices and sources.
  5. Back up data incrementally rather than replacing all your files in case you inadvertently overwrite a good file with an infected one.
  6. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will show whether a file such as a Word document is legitimate or not. Some malicious files carry an ‘exe’ extension, but that won’t be obvious unless you can see the full file name when it’s emailed to you.
  7. Larger organisations with lots of different networks should segregate the network environment and restrict access to shared servers. If you have 1,000 computers and these are all connected to each other, a virus will quickly spread. If networks don’t need to be connected, then don’t connect them. If a certain department doesn’t need access to a particular server, don’t give it to them.
  8. Disable MS Office macros and AutoRun and/or utilise MS Office viewers. Malware is often written as macro code, so if your computer is set up to enable macros automatically, you could inadvertently run an infected file.
  9. Consider insurance for the company and directors personally, but don’t use this to avoid taking active steps to ensure as far as possible that no claim against the company or directors arises in the first place.
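
Steps 6 and 8 above describe Windows and Office settings in words; the following PowerShell script is an added example (not from the article, 3B Data Security or Pen Test Partners) that audits those settings read-only and scans a folder for file names that a hidden extension would disguise. It assumes Windows 10/11 with Office 2016 or later (registry version key `16.0`), assumes the Office default of `VBAWarnings = 2` when no value is set, and is run as the user whose settings are being checked; the function names are the example’s own.

```powershell
# Added example, not part of the original article: read-only audit of two of the
# checklist's workstation settings, plus a scan for disguised executables.
# Assumptions: Windows 10/11, Office 2016+ (registry version key "16.0"),
# run in the context of the user whose settings are being inspected.

function Get-FileExtensionVisibility {
    # Explorer hides known extensions when HideFileExt = 1; step 6 of the
    # checklist asks for extensions to be visible, i.e. HideFileExt = 0.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    [pscustomobject]@{
        Setting   = 'Show file extensions'
        Compliant = ($value -eq 0)
        Detail    = "HideFileExt = $value"
    }
}

function Get-OfficeMacroPolicy {
    param([string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office
    # default, assumed here when the value is absent), 3 = disable except
    # digitally signed, 4 = disable all without notification.
    # A value under the Policies hive (set by Group Policy) takes precedence.
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
        $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $user   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }
        [pscustomobject]@{
            Setting   = "$app macros"
            Compliant = ($effective -ge 3)   # only signed macros, or none at all
            Detail    = "VBAWarnings = $effective (policy: $policy, user: $user)"
        }
    }
}

function Find-DoubleExtensionFiles {
    param([Parameter(Mandatory)][string]$Path)
    # Flags names such as "invoice.docx.exe": a document-like extension followed
    # by an executable one, which is exactly what hidden extensions conceal.
    $docLike  = 'doc|docx|xls|xlsx|ppt|pptx|pdf|txt|jpg|png'
    $execLike = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta'
    $pattern  = "\.($docLike)\.($execLike)$"
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (read-only; nothing is changed on the machine):
Get-FileExtensionVisibility
Get-OfficeMacroPolicy
Find-DoubleExtensionFiles -Path "$env:USERPROFILE\Downloads"
```

The script only reports; remediation belongs in Group Policy so that the setting is enforced centrally rather than left to each user, which is why the macro check reads the Policies hive first. Feed the output into whatever the HR and IT teams use to track the compliance picture discussed above.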

With an ever-increasing number of devices going online, cybercrime risks are growing. Prevention can never be guaranteed but a more proactive approach by businesses is essential. Creating a culture which puts cybercrime prevention at the top of the company agenda and educating employees, including demonstrating a no or low tolerance policy for flagrant employee breaches, will minimise the risks for organisations and their directors.