Daring bank heists. System takeovers through home appliances. Russian spies tampering with elections. No, these aren’t Ian Fleming plotlines. Sensational though they may seem, they all allude to events that have occurred within the last year (the last allegedly). As technology becomes more advanced, it seems that cybercrime becomes bigger, more daring, more astonishing.
In fact, these attacks are so ambitious in scope and scale, so outrageous, that there is a real danger of being dismissive, of thinking, ‘Well, cyber attacks happen to countries, big corporate organisations, or A-grade celebrities. It won’t happen to my little start-up. I’m just a speck in the universe.’
However, the statistics would suggest the reverse is true. A 2016 report undertaken by the Ponemon Institute discovered that 50% of the security systems of start-ups have been breached in the last year. The report suggests a few key reasons for this. Firstly, these businesses have rich digital assets, and their security protocols aren’t as stringent as those of bigger businesses, meaning that they are much easier to infiltrate. And unlike for a bigger business, a cyber attack on a start-up can be fatal. As The Australian reported:
‘A cyber security breach can be damning for a start-up. They face costs around repairing their networks and plugging the vulnerability so it can’t be exploited again. Then there’s potential legal costs from companies or consumers who may want to pursue you for not protecting their data. Regulators may want their slice too.
If you’re in the early stages of a fledgling business, an attack could be fatal. If you feel like you’ve been complacent about your cyber security, it’s time to pause and seriously reconsider your practices.’
So what can start-ups do to make sure that their systems are safe?
1. Make cyber security a priority
First things first. It’s no use making sure your IT systems are up-to-date if Tim from marketing stores his password on his PC. As Gary S. Miliefsky, founder of SnoopWall Inc, suggests:
‘You need to remember that most breaches occur behind firewalls. How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone who sounded important who needed ‘inside’ information? Realise that some employees will browse websites they shouldn’t, gamble online, or chat using instant messenger tools. Educate your staff about acceptable use of corporate resources, and demand careful adherence to security protocols.’
Cyber attacks aren’t just about vulnerable systems; they also stem from terrible security practices. Even if you feel that you are a savvy operator, you cannot take for granted that your staff have the same level of knowledge (particularly as your business expands). In fact, research undertaken by UK firm Norrie Johnston Recruitment demonstrated how blasé those interviewed were:
As Consultancy.UK succinctly put it: ‘The research found that staff pose a significant risk to their employer’s cyber security.’ In an interview with them, Norrie Johnston Recruitment’s Chief Executive, Graham Oates, summed up the issue: ‘It appears that people are bombarded by potential cyber threats in their private lives, and are quite savvy about how to avoid them. Yet when it comes to a work situation they don’t realise that they still need to be security aware. As a result, they are making their employers vulnerable to attack.’
So what can you do to make sure your staff understand the risks and embrace best security practices?
2. Have a cyber security policy
And you need to have this in place before you scale. Entrepreneur India suggests that your policy incorporate the following:
- A procedure for managing customer data
- Who is responsible for handling what data (and apply restrictions if necessary)
- Who is responsible for backing up sensitive data
- An emergency plan for if your network is breached
- Guidelines for staff security best practices
- Potential consequences for failing to adhere to best practices
3. Educate your staff
As the above research shows, educating your staff on best practices is one of the most important steps in maintaining the integrity of your systems. You cannot take for granted that your staff are going to be aware of how their online behaviour might impact the security of the network. Commander David McLean, Australian Federal Police (AFP) Manager of Cybercrime Operations, acknowledged as much. ‘Accept that you need to educate everyone,’ he says. ‘Everyone needs to invest time and money to make sure we lift awareness and our standards if we’re going to truly take cybercrime seriously.’ He suggests that business owners become members of the CERT and visit the website for tips and the latest updates. The AFP have also worked with key industry organisations such as The Commonwealth Bank, Telstra, The National Australia Bank and Westpac to help the Australian Cyber Crime Centre (ACSC) produce a guideline on how small businesses can protect themselves. The guide offers practical advice on how you and your employees can understand the risks of your practices, promoting awareness and safe behaviour.
4. Don’t take cyber safety for granted
This last point may seem paranoid, but given how interconnected our devices have become, it only takes one small mistake, or one faulty entry point, to compromise your business at a crucial stage of growth. Instead of acting only once an attack has occurred, it’s critical that you are proactive, keeping abreast of current technological trends, potential vulnerabilities and the attacks that are occurring. At CeBIT Australia 2017 we will gather thought leaders and experts on cyber security who will examine how start-ups can be proactive in mitigating attacks. If you’d like to know more, then secure your spot today.