Businesses of all shapes and sizes need to protect themselves from hackers
A panel of experts discussed the threat that hackers pose to businesses' cyber security at a high-level panel event.
The breakfast seminar was attended by more than 70 delegates and was held in Manchester city centre.
The event was supported by law firm CMS and technology specialist Cloud Kickers.
The panellists were:
Amit Tyagi, senior associate and solicitor advocate from CMS
Andy Barratt, UK managing director, Coalfire
Stephen Crow, head of defensive securities and compliance, UKFast
Melanie Oldham, chair of the Yorkshire Cyber Security Cluster
Simon Kenworthy, chief executive of Cloud Kickers
In my opinion the introduction of GDPR was probably the best sales pitch ever for cyber security insurance. It got everybody talking about the issue and generally raised awareness.
In the last couple of months we have had these two massive fines on British Airways and the Marriott data breach.
Actually, there has been a seismic change in the landscape as a result of GDPR. The Independent Commissioners Office had over 7,000 data breaches reported to them and of those 7,000 there were just seven fines.
We were thinking this might indicate we have a regulator without teeth but over the last several months it has become apparent that this is definitely not the case.
The ICO is a pretty fair regulator in the way it deals with breaches. It looks at them carefully and it will impose a fine on the basis of a very complicated set of criteria.
The thing is not to get too worried about the regulator. If a breach has happened then your priority is to make sure that your business is able to carry on performing.
Businesses need to think holistically about what is going on and what can be done to fix the problem.
I came to the industry in 2004 and the change and shift over that time has been quite phenomenal.
From my experience the main driver for the authorities is that people are able to show due diligence and are running their business properly.
They want people to show that they actually care about their customers and are taking all the necessary steps to protect their customers.
We are all creatures of habit who like routine and who like to be told what to do, that is why it is important to have regulators in place.
There is now a framework that people can cling on to and address the potential problems.
Criminals just want the quickest and easiest way in, so if you don’t lock your windows and bolt your doors then they are just going to walk in and steal from you.
Be prepared, have a plan and react well. You can’t always be prepared for everything but you need to have a plan in place.
Having a good plan in place is probably as important as the technical measures that you also need to put into place.
You need to line up all the people you work with. If you can’t line up your suppliers, your customers and contractors then the cost of investigation can go through the roof.
It hurts sometimes when we have to put a bill in front of people. But if people are badly prepared then the costs can be astronomical. That then means difficult conversations have to be had with people such as insurance partners.
Be well prepared and be well able to react, they are probably the two big takeaways I have for a conversation such as this.
I don’t think any firm is safe now from attack. We have found out from our customers that any business can be targeted.
From our side I think that organisations are ramping up how seriously they take the threat and the due diligence they are carrying out.
The amount of security based questions and tenders that we receive on a daily basis has increased massively.
Our customers now want reassurance in terms of the security controls we have in place. That is something that has changed massively in recent years.
The reality is that cyber criminals are a bit lazy and they want the low-hanging fruit. You tend to find when it comes to the larger firms the rewards might be higher but so are the risks to the criminals.
Cyber criminals get better results targeting large numbers of people with low levels of security because it is easy and it is not as difficult as targeting some of the more sophisticated firms.
That means small businesses in many ways are more at risk than some of the bigger high-profile firms. The problem is an attack can be potentially far more devastating for a smaller business.
It can wipe you out in terms of damage to your reputation, losing access to information and a lot of other issues.
One of the things I push people to do in smaller organisations is to have a level of continuity. The reality is that within every organisation you tend to put a lot of responsibility on to one person.
Sometimes it is important to have two people doing the role so there is someone to step into the breach when things go wrong.
There are two issues to this. There is an element of thinking about protecting your business but there is also the aspect of how it can be a facilitator to growth.
One style of hacking organisation would take a very indiscriminate approach. There are a lot of indiscriminate attacks and due diligence in a normal operation is the best approach to dealing with that.
That is not a complicated issue and can be solved by having the right processes in place.
People need to consider if they are at risk from a targeted attack. They need to ask themselves: where has that come from?
They need to ask themselves if they have enemies: is my competitor likely to get desperate and have me attacked?
People need to ask themselves the question how high value am I and how much direct attention would a hacking organisation give to me and the organisation I lead?
The majority of cyber criminals are low level. If you are exposed on the internet there is so much technology out there that is constantly scanning for opportunities, openings and weaknesses.
The risks internally are all about the lack of education and awareness within your own IT staff. People might not be aware of what is available to protect a business from cyber attacks.
Internally it tends to be more about a lack of awareness rather than maliciousness.