While completely disconnecting systems might not be practical, there are several long-term strategic decisions and actions that organisations can take to enhance their cyber defence posture.
The Small Firms Association (SFA) is keen for all small businesses to really look at every element of their cybersecurity issues and to invest time and money to make sure all employees are using the most up-to-date technology in the business, according to Elizabeth Bowen, SFA public affairs lead.
“The second issue is training,” says Bowen. “We advise training everyone, from the receptionist to the CEO [chief executive], to ensure they know what cybersecurity is and how it applies to their business. The third element is mitigation. On top of training, you really need to plan how to mitigate any attack.”
Training according to Bowen should make everyone aware of links in emails, and scams such as someone pretending to be a supplier wanting to change their bank address.
“Timing is important too as often these scams happen on a Friday or before a period when the office might be closed and any theft goes undetected immediately. If the staff are trained, they are less likely to fall for such scams and how to handle genuine requests of this nature,” she says.
Despite representing the SFA, Bowen points out that the threats are the same for small businesses right the way up to multinationals.
“Email fraud and invoice fraud is aimed at all companies big and small. It’s vital that all companies put in place the training and awareness.”
Bowen also argues that the best defence is a mixture of internal staff coupled with external expertise or advice.
“Companies need to sit down as a team and really understand how they can mitigate the problem of cyber threat and how to reduce it. The risks need to be analysed and if you cannot put in processes internally then we suggest you get outside help.
“Sometimes, if the risk is too expensive, then you might consider changing your process, and not engaging in that behaviour. Looking at the occupation health and safety documentation can help too as it often provides insight into existing processes within a company,” says Bowen.
Jaap Meijer, Huawei western Europe chief cybersecurity and privacy officer, believes that one of the most important aspects is to ensure that cybersecurity is a priority at the board level. Having executive buy-in and support can lead to better allocation of resources and organisational focus on cybersecurity.
“When trying to identify how to implement a cyber secure network implementation, it is important to start with a thorough risk assessment to identify and prioritise potential vulnerabilities and threats. This will help allocate resources effectively to areas with the highest risk. Other areas that should be addressed are developing comprehensive cybersecurity policies and guidelines for employees, contractors and partners and provide regular training to create a culture of security awareness,” says Meijer.
On a technical level, organisations could Implement network segmentation to isolate critical systems from less critical ones, establish a robust patch management process to keep software, operating systems, and applications up to date.
“Furthermore, we recommend that the company implements an identity assessment management system, to follow the principle of least privilege and granting users only the permissions they need to perform their tasks and make use of multifactor authentication for accessing sensitive systems and data. Remember that cybersecurity is an ongoing process, and the threat landscape evolves over time. Regularly reassess and adjust your cybersecurity strategy to address new challenges and vulnerabilities,” says Meijer.
John Ward is a director of ServBlock which specialises in cybersecurity in the pharmaceutical supply chain by facilitating trusted data exchange through digital certificates of analysis. His response is to apply technology such as blockchain.
“Both small businesses and large corporations can equally benefit from the robustness of blockchain-based security protocols. The technology offers an added layer of security, enhancing the integrity and authenticity of the data, regardless of the scale of operations,” says Ward.
Venket Naga, chief executive of Serenity Shield, echoes Ward’s advice: “From our position in the Web3 and blockchain space, it’s clear that both technical issues and human risks present significant dangers to cybersecurity in general terms. Technical vulnerabilities, including smart contract flaws and protocol weaknesses, can result in breaches and associated financial losses. Simultaneously, human errors like phishing attacks, social engineering, and insider threats remain a primary cause of security breaches.
“To effectively mitigate risks, a comprehensive and ongoing cybersecurity approach that addresses both technical and human aspects is essential. Organisations must focus on bolstering technical defences and enhancing employee awareness and training to create a robust security posture — it is a constant process,” Naga says.
Another player in the blockchain world, Jon Ruth, public goods funding operations lead at Gitcoin, says: “As an open-source platform for incentivising and funding work in the Ethereum ecosystem, Gitcoin is committed to maintaining a secure environment for all users. We try to encourage our citizens to adopt security as a mindset, although it is easier said than done.
“Some top tips that are relatively easy to implement include setting up 2fa authentication — this is basic and effective, 1Password and DuoMobile are simple to use. Installing Malwarebytes on your devices protects against known malware.
“Finally, be extra careful when accepting requests on common social media platforms. We have witnessed more and more impersonators contacting our citizens, particularly following large events and conferences,” says Ruth.
Telecommunications company Three is often asked to do security penetration testing for their clients to help assess where the vulnerabilities lie. It’s a critical starting point for head of Three Connected Solutions, Karl McDermott.
“Sometimes it is very transparent. We look at devices and often there are known vulnerabilities around the software versions which require upgrading, so that is something we focus on. Then password updates and multifactor authentication.
“We also check to see if usernames and passwords have been hacked and are available for sale on the dark web — this can be done simply through tools.”
The size of the organisation is largely irrelevant. McDermott references research offered by Forbes where some 43 per cent of all cyberattacks were on SMEs with the result that 60 per cent of these companies filed for bankruptcy within six months.
With regard to bringing in outside experts, McDermott suggests that this can be helpful especially when there are not the resources internally and notes there are now companies offering a virtual service.
The weakest link is most often the human one. The old Nigerian prince email may be an occasion of some merriment but it has been updated in the form of delivery texts for packages. McDermott advises installing software that will quickly identify a dodgy URL and prohibit the user clicking on the link.
“Multifactor authentication, change passwords and training are all beneficial but companies need to make it easy for employees too. Put in place tools that make their life easier like firewalled backup software rather than USB keys. Install VPNs on employee laptops so they won’t access public wifi.”
Three also employs a security company to test employees by sending phishing emails and uncertain links. If the employee clicks on the link, they have to do additional mandatory worksafe training.
“I was caught out recently and I wasn’t the only one. Now, that certainly focused the mind and I won’t be doing silly stuff like that again,” says McDermott.
David McNamara, chief executive of CommSec, says there are three main things to keep your company secure.
“Firstly, enable multifactor authentication. Secondly, ensure all security patches are up to date because that’s where the vulnerabilities are exposed. And the third thing I would suggest would be to educate your users.
“And in terms of timing, we think an 18-month to three-years strategy is worthwhile and keep a keen eye on new threats in the interim,” says McNamara.