Cyber security and cyber attacks are part of the business landscape and have been for years. The big attacks make headlines, create disruption and can result in large ransoms changing hands to unlock systems and data. However, for every headline there’s tens of thousands more attacks which don’t make the news.
Driving the conversation
Global e-commerce, tech and SaaS businesses – all have a significant amount of data. Having a strong understanding of your technology landscape and the data you hold, is essential as they present a risk if they’re compromised through a cyber attack.
Rob May, Managing Director of ramsac, who offer IT support and cyber security services, offered this advice. “The threats from cyber security are very real and no business or individual is immune from this. The Government and ICO have implemented legal measures and procedures that all organisations must conform to, and it is vital that we ready ourselves for when the inevitable attack happens. Businesses rely on data and technology assets, people, and procedures to achieve business objectives. Cyber security helps organisations reduce the risk of a cyber attack by focusing on the resilience measures necessary for each of these factors.
A cyber security breach can cost a company serious financial and reputational damage.
Cyber security is a hygiene factor in business today and it’s vital to protect your organisation.”
How does cyber security apply to fast-growth businesses?
After a fundraising round, new hires are taken on at pace meaning more training and levels of cyber security should be put in place. This is primarily because the risk at that time increases for cyber attacks given the new online data available from platforms like LinkedIn for hackers to use to their advantage, impersonate team members in order to breach and infiltrate business systems. Equally, when scaling, this critical safety measure sometimes gets pushed to the back burner as most focus is on growth.
Rob goes on to say, “When a business is in fast-growth or scale-up mode, it is easy to defer making some decisions around compliance or best practice. Skilled cyber criminals know this. They also look to identify links in the chain and a focus on supply chain cyber crime is a real problem. Your fast-growing business might not be the target, but your much bigger, important client or partner could well be.
Attackers cast a wide net to find vulnerable companies regardless of the size of the organisation. In the UK, money is paid from a corporate account to a criminal’s account every 15 minutes of each working day. Attackers target company employees using phishing attacks to gain access to company corporate networks. Phishing attacks account for 90% of data breaches.”
Attacks on e-commerce businesses
E-commerce online businesses can fall as particular prey to financial cyber attacks through fraudulent and deceptive transactions. Actions like credit card fraud, unauthorised transactions and fake returns or refunds are attempted regularly. Along with other things such as malware, ransomware, SQL injections, credit card skimmers, denial of service attacks and phishing to name but a few, putting measures in place after an attack which demonstrates a vulnerability can be key. In a recent article on X-cart.com, Statista estimates e-commerce losses for online payment fraud alone were 20 billion US dollars globally last year (‘How to prevent cyber attacks on your e-commerce website: 8 top threats and hot tips to grasp, X-cart.com, July 2022).
Once a breach has happened, or maybe you’re aware of an area that could be perceived as a weakness within your business security system, take steps such as:
- creating compliant payment gateways
- validating email addresses both internally and externally and that they don’t contain fraudulent information (be vigilant as fraudsters are looking to infiltrate and access regular communication channels)
- securing customer payment details
- have up-to-date shopping cart solutions
- automated fraud detection solutions
- establish firewalls and two-factor authentication
- require complex passwords and multi-factor authentication
- regularly back up data
- have secure OS and web browser, and
- utilise encryption devices.
Being vigilant and looking across all areas where hackers and other fraudulent actions are being attempted, either after or before an attack, can mitigate damage and cost significantly.
How does your existing security measure up?
If you’re using modern, best-in-class, cloud-powered solutions, chances are your business is quite well-positioned. However, having a cyber security professional assess your business systems is critical.
Rob advises, “Given you have a responsibility to govern and protect your organisation, it’s important that you have a methodology to measure what is in place, how effective it is and identify the gaps or areas of improvement. A cyber security risk assessment should be carried out on your organisation at least annually to understand the current security posture.
This risk assessment should cover all aspects of the business in terms of people, processes, and technology, only then can a company understand their ability to defend against a cyber-attack and necessary steps to improve their cyber security capabilities. There are a number of ways you can facilitate this e.g. engaging a Cyber Essentials Consultant or opting for a Cyber Resilience Audit who then award resilience certifications and a clear path and actions for the organisation and all stakeholders.”
Why penetration testing is vital
As part of an overall risk assessment for your business, penetration testing is an essential piece that should be included in your cyber security plan, especially for tech and SaaS businesses building a product.
Penetration testing allows you to test your system for known vulnerabilities and using something like the Open Web Application Security Project (OWASP), which offers the top 10 most critical web applications risks, you can be up-to-date on the latest potential risks.
The frequency of testing is by choice however there are automated scans you can set to test either daily, weekly or monthly, rather than just yearly using the latest known possibilities trying to manipulate and breach your security systems.
If you opt not to have automated testing in place, be sure to subscribe to sites, like OWASP, that will keep you up to date on latest risks that should then inform your software development and choices to secure and protect your business against cyber crime.
Damon Alder from Dionach, an independent global provider of information security solution, offered his insight. “We see penetration testing as an essential part of an organisation's commitment to improving their security posture, mitigating risk, and limiting exposure in their infrastructure, applications and public facing assets.
Penetration testing, sometimes known as ethical hacking, is a mainstay of security evaluation programmes aimed at identifying an organisation’s vulnerabilities by using techniques employed by real-world cyber criminals and will set organisations on the right course to accurately evaluate risk and, where necessary, choose the right remedial solutions.
Manual penetration testing should be a key element in any robust development cycle, whether performed in an agile or pre-release context, providing product managers with valuable insight into whether implemented functionality introduces new attack vectors or widens an application's attack surface.
Exploited vulnerabilities and breaches within a network or application can have serious consequences including significant fines from the ICO and other regulatory bodies, damage to an organisation's reputation and costly post-incident response.“
Key measures to put in place for your business:
- Understand your technology – spend some time reviewing the data protection and security policies.
- Consider insurance – understand what your business interruption policy covers and if more is needed.
- Engage with specialists – IT security experts should assess your systems, it’s their business to keep yours as safe as it can be.
- Keep your software up to date – upgrades usually includes patches for known vulnerabilities.
- Cyber security essentials – train your people at induction and on an ongoing basis. So often in a cyber attack, the vulnerability exploited is the people rather than technology.
- Use multi-factor authentication – more than just a password, even a complex one, a secondary source of authentication adds another layer of protection.
- Carry out penetration testing – if you’ve developed an application, you should engage with a third-party specialist or implement automated penetration testing to identify system vulnerabilities on a regular basis
Rob from ramsac explains further, “Management needs to buy into security and understand that security is a business objective rather than an IT issue. Companies need to have a clear cyber security strategy and a budget to support this. The strategy should cover training for every stakeholder and both technical and procedural security to protect the company against cyber attacks.
Some of these security measures include: file and email security, multi-factor authentication, encryption, security awareness and training, enhanced password schemes, regular air-gapped backups, enterprise grade anti-malware protection and firewall protection to name just a few.”
Cyber security is a multi-layered, continuously evolving element to your business. Typically, people are the weak link in cyber security and so thinking about how you and your team can be more cyber aware in your own company can prove vital to its survival.
How cyber secure is your business?