Damon Rands, CEO and Founder of Wolfberry Cyber
Cyber-security is a process, not a product.
According to the Cyber Security Breaches Survey published by the UK government in March 2021, 39 per cent of UK businesses have reported a breach within the past 12 months – a 6 per cent decrease from last year’s report. However, the study suggests that the risk of cyber-attack is higher than ever before, with breaches not only happening more frequently but also going undetected.
The seismic shift in the way we work poses a plethora of risks to companies, leaving businesses to blindly navigate the new threat landscape of this post-pandemic world. With a majority of office staff working from home, there is lower visibility of user activity and more endpoints to keep track of. Many organisations continue to express their concerns, with 77 per cent of businesses stating cyber security is a high priority for their directors or senior managers. However, only 52 per cent of businesses took action to identify security risks, leaving nearly half of businesses completely vulnerable.
In 2014 the UK government launched the Cyber Essentials scheme, a government-backed, industry-supported scheme to help organisations improve their cyber-security. However, the same survey tells us that only 14 per cent of UK businesses are aware of the scheme, suggesting that while many business owners are concerned, there is a general lack of awareness of cyber-security standards within the UK, or urgency to comply.
We all know the devastating effects that cyber-crime can have on businesses: the disruption and lasting damage is something we see daily. With all this in mind, what exactly is stopping UK businesses from taking control of their cyber-security?
For many businesses concerned with the effects cyber-criminals could have on their organisation, it can be an issue of not knowing who to turn to. Many companies may refer to their IT team, but cyber-security is not simply an IT issue – the organisation as a whole has a part to play in protecting and defending against a cyber-attack.
Many business owners turn to vendors, buying unnecessary hardware or software that is usually unsuitable for their systems. This results in many business owners being led down very expensive rabbit holes, with thousands spent but with no actual protection against a cyber-attack. Unfortunately, this is something we see all too often. We recently began an engagement with a client who had invested over £100,000 in a disaster recovery site, only to be told that all of their sensitive data was stored in the cloud. This rendered their protection useless, a white elephant.
What businesses need to understand is that security is a process, not a product. The key is to identify what data is being held, how the data is used and what current controls are in place around it. That is why we recommend that any business wanting to truly understand the threat undertake a cyber-audit with an external cyber-security consultancy.
A cyber-audit should be a comprehensive analysis of your systems, comprising two main areas: technical and governance.
The technical review is a thorough examination of the internal and external systems of an organisation’s network. Penetration tests are performed to check for vulnerabilities in the external systems that may give cyber-criminals easy access to internal systems.
Vulnerability scans are performed to review the internal systems: checking the configuration of the organisation’s network, that systems are patched securely, whether the antivirus is working and whether devices are securely configured and installed. With 83 per cent of UK businesses reporting phishing attacks in the last year, testing the integrity of internal users is more important than ever. Bespoke phishing campaigns are created to fully test and train users to spot malicious emails.
The governance review is an assessment of the policies and procedures used to manage security throughout the company, reflecting the culture of cyber-security and appetite for risk within the company.
Once the audit is complete, a detailed and understandable report is given to the client, enabling them to fully understand their security posture and how they compare to industry-standard frameworks. In turn, this allows them to make informed changes and create a roadmap for improvement.
When it comes to cyber-security, preparation is key. Not having the proper controls in place before a cyber-attack happens can have devastating effects on any organisation. It’s not a matter of if but when a cyber-attack will happen.
Show that you take cyber security seriously – get in touch with Wolfberry today at www.wolfberrycs.com