In light of the very recent Cyber Attacks on the NHS, Business News Wales asks businesses in Wales:
How can Welsh businesses ensure they are protected from any future Cyber Attacks?
Head of Cyber Security, School of Computing and Mathematics | University of South Wales
Basic Cyber Security should start with a risk assessment to define which assets a business needs to protect. The Queen does not leave the crown jewels on the lawn outside the palace for obvious reasons! The IBM Security Services 2014 Cyber Security Intelligence Index report said over 95 percent of all incidents investigated recognize human error as a contributing factor. Very simple steps like ensuring all default accounts and passwords have either been disabled or changed to a suitably strong password can improve security quickly in the short term. Ensuring all security patches for software running on computers and network devices that are connected to or capable of connecting to the Internet are installed automatically will also help maintain security. Effective training to raise employees’ awareness is vital. Organisations can use a number of frameworks to help further reduce the cyber threat.
Two popular frameworks used in the UK are ISO 27001 and Cyber Essentials; further information is available online here and here. Wales has a large number of companies specialising in cyber security who can be found via the South Wales Cyber Security Cluster.
Managing Director | Pervade Software
The bad news is that it is impossible to “ensure” that you are protected from any cyber attacks. The good news is that the vast majority of cyber attacks can be prevented by taking 5 relatively simple precautions:-
- Install anti-malware software on all of your computers
- Only use current versions of software and install all patches and updates
These two measures alone would have prevented computers in 150 countries being locked by WannaCry Ransomware this weekend!
- Fit a firewall
- Ensure systems are configured for maximum security
- Ensure that systems are only accessed by the right people
These 5 steps are detailed in the Government’s Cyber Essentials Scheme and organisations can be recognised for having implemented them with a certificate for just £300.
Even if you are attacked, you can quickly recover your data if you have been making comprehensive backups daily – start doing that now!
Managing Director | Astrix Integrated Systems
To keep your business protected from Future Cyberattacks, I suggest doing the basics of IT security well:
- Keep all systems up to date with security patches, this means operating systems (Windows 7, 10, Server etc) and also applications (Adobe, Java etc) – This is easier said than done and can be a time-consuming task. If you have more than a couple of PCs, engage a good IT firm that have systems to patch automatically and can provide a monthly report to show what is up to date.
- Ensure you have a good security/Antivirus software installed and up to date. These are not as effective as they once were as the threats have evolved, but they can deal with the vast majority of attacks and are good value for money.
- Effective offsite backup of data. Make sure you have an automated system, preferably with reports to confirm it has completed. This can be cloud based or onsite with removable media, in either case make sure it is encrypted.
- Look into achieving a security standard; this will go through your system highlighting weaknesses and will also demonstrate to potential customers and partners that you will look after their data. Cyber Essentials (here) is a good place to start and cost effective. With the coming GDPR standard looming next year, this will become more important for businesses.
Director | Grapevine Event Management
Most hackers are after your information so you need to take precautionary measures to protect it. You should always back up your information. Clouds can be great places to store data, but external hard drives have the advantage of being offline so there is nothing to hack!
Change your passwords! It is recommended that passwords to your systems are changed every couple of months. Also, adding a two-step authorisation login on your accounts like username/password and a human test where you have to tick matching pictures or type in the words you see on the screen can make it more difficult for a hacker to access your data.
Computer systems have updates and you can never be sure if there is something embedded in the code which can give hackers access to your device, so make sure your devices have regular scans for spyware and malware.
Finally, have you ever noticed the little green lock at the beginning of a URL? This is a HTTPS and it encrypts data that passes from your device to the internet server. This means any hacker can’t decipher your private info. Make sure to keep an eye out for this when searching the web as websites without it won’t protect you.
Director of Cyber Security & Network Services | Capital Network Solutions
The recent NHS cyber security breach was mainly a result of a failure to update out of date Operating System Software and poor user education. As a patch preventing devices from becoming infected was released in May 2017, it could have been easily prevented by implementing regular updates of system software and educating staff on the dangers of opening suspicious emails and attachments, or preventing the emails from being delivered in the first place. We strongly recommend that all businesses consider implementing the UK Government Cyber Essentials standard which would have helped prevent and reduce the impact of this and similar attacks by ensuring technical controls such as regular patching of system software, implementing anti-virus and filtering suspicious emails.
Cyber Essentials is a low-cost certification available to businesses of all sizes that protects against 80% of the most common attacks. Government, Ministry of Defence and NHS departments already require that their suppliers are certified to the standard in many cases. In addition to the Cyber Essentials standard all organisations should implement and test a robust backup and restore solution, provide end user security awareness training, and review Information Assurance policies in general.
Deputy Commercial Business Director | CCV Cardiff – Part of the Towergate group
The events surrounding the NHS last week show why Businesses and Organisations of all sizes need to understand the importance of Cyber Resilience. Hackers looking for vulnerabilities in computer systems are often one or two steps ahead of the global organisations trying to prevent them gaining access to the vast amount of data held on both personal and business computer systems.
Despite all the money big businesses and government bodies spend on Cyber Security, they still find themselves the victims of attacks where their systems have been opened up either through a hacker finding a vulnerability or a member of staff inadvertently allowing access.
We have insurance policies available which protect against loss of income, cost of notifying people affected by a data breach and credit monitoring, all of which can be damaging.
Insurance is not the total answer to protect against a Cyber Attack but when combined with as comprehensive a security system around your IT infrastructure provides a level of risk transfer to avoid any costly incidents potentially seriously affecting your business.
Managing Director | Wolfestone
The frequency and sophistication of cyber-attacks is increasing each year, and the impact of these attacks can be devastating. It’s often not only the business itself that suffers when security is compromised, but also the clients and partners connected to that business. It’s therefore imperative that businesses keep both themselves and their clients protected.
Experts often agree that, although a company may have state-of-the-art security systems, one of the biggest risks to that setup is the human element. This is particularly true for remote workers, whose devices operate outside of a company’s secure network, increasing exposure to potential threats that can infect the company’s entire network.
It pays then to have clear plans and policies for staff, and to provide training for spotting and avoiding potential threats. Consistently backing up important files, installing the latest software updates and being cautious when opening unfamiliar emails or websites significantly enhances security setups. Instilling this approach across a company’s workforce can protect enormously both the business and its clients.
Head of Business Corporate Banking | Barclays
In this digital age, cyber security should be a priority for every single business. More must be done to help businesses recognise the threat an attack could have not just on their bottom line, but to their reputation or even future existence. Keeping customers’ data safe and secure is a legal responsibility so they need to prepare for the unforeseeable.
SMEs need a strategy in place to weather cyber-storms - a head in the sand approach won’t do. This could include a resilience plan raising staff awareness of the common types of attack, investing in up to date software protection and knowing who to report the crime to if the unexpected occurs.
At Barclays we want to help UK businesses and their employees to fight back against the cyber criminals, so we’ve launched free cyber security training at our Eagle Lab sites across the country, led by Barclays’ Digital Eagles. Knowing how to stay safe and protected online is a major step forward for businesses to operate with digital confidence.
For more information visit here
Data Protection Expert | Acuity Legal
The NHS bore the brunt of the media coverage over the weekend of Friday’s global cyber-attack. This seems particularly unforgiving, when the same malicious software attacked some of the world’s largest companies, including FedEx, Nissan and Telefónica.
After the biggest ransomware outbreak in history, people have been working around the clock to fix systems and get things back to normal. Described by Europol as unprecedented in scale, a complex international investigation now begins to identify the culprits and bring them to justice.
Complex organisations are in a tricky position. There is so much organisations can do when handling data to make that data less vulnerable to exploitation.
Digital hygiene is essential to protect people’s personal information, limit the exposure of sensitive data in the event of a breach and mitigate reputational damage. And with the biggest legislative changes to privacy compliance on the horizon, cyber security must surely move higher up the agenda for management teams across the country.
Graham Leslie Morgan
Managing Director | Business Doctors
The security of your IT and data systems is paramount and should be treated in that way. From my experience in business my advice would be:
- Have an appointed member of your team that leads on this element of risk in your business. Ideally a member of staff with an interest in the subject and some knowledge.
- Have at least a quarterly check in place to review your exposures.
- Work with an independent professional who can undertake tests of your systems. Having some benchmarking helps the drive for continual improvement.
- Ensure you back up all your data, ideally daily.
- Keep systems up to date with any updates to the protection software you use.
- Consider the risk to your specific business of an attack and have a contingency plan in place that your Team are aware of.
Managing Director | Dezrezlegal
Educate your staff. After ensuring the latest security updates are applied across all of your IT assets, educating your staff is the number one thing that businesses can do to protect themselves. When you consider the huge amount of information consumed by people across email and social media today it’s really important that individuals within your business are aware of the risks associated with these communication methods. The human being using the computer or mobile device is often the weakest point in the security loop. Individuals clicking on seemingly harmless links are an activation point for criminals to exploit weaknesses within your IT systems. Train your staff to be able to recognise communications that may carry risk and highlight to them that they should be vigilant and cautious when opening links, even if they have been forwarded by other staff members or friends and family.