Does Your Business Need A Cyber Health Check?

Cyber-attacks against global companies get the headlines, but small to medium-sized businesses are just as likely to be targeted by criminals.

The Australian Cyber Security Centre recently reported that half the large businesses SMEs in its 2015 cyber survey had experienced at least one cyber-attack during the year that had compromised confidentiality, integrity or network availability.

“If you are online you are at risk,” says Accenture Managing Director Jean-Marie Abi-Ghanem, who leads the firm’s Asia Pacific Security Practice.

“It is not related to the size of the organisation. An SME has valuable information online, whether it is personal or client information.”

Business owners can ensure their business is adequately protected from cyber threats by taking the following precautions.

Determining which assets need protecting

This is not always financial information.

Just about everything has value on the international black market, where criminals can sell names, addresses, Medicare numbers, and other personal information. Other valuable business assets include client data, work on new product development and intellectual property.

Identifying assets also enables the business owner to work with their broker on choosing appropriate insurance cover. Cyber insurance is more widely available these days, enabling businesses to be more selective when looking for a product.

It is important that your cyber insurer can provide expert help round the clock, will respond quickly to any attack, and offers adequate cover for a range of financial losses, such as damage to systems, business interruption, or legal action for breach of privacy.

Knowing where critical assets are

Know how securely your data is stored. Are laptops password protected? What would happen if one were left on a plane? Are USB sticks protected by encryption? You are vulnerable if people share data on USBs that are not encrypted and a stick falls out of someone’s bag or pocket.

There is also the often overlooked risk of physical theft: criminals have broken into businesses and stolen servers.

Who has access?

It makes sense for people to have varying levels of access based on need, rather than complete access to the database. Many businesses value the convenience of cloud storage or email systems, but that means they must have sufficient security and encryption.

Cyber security is a team effort, so everyone in the company needs to understand that security is taken seriously.

“They might need some training if they don’t know the value of the data. One of the weakest links is people because people handle information all the time,” says Mr Abi-Ghanem.

Nobody wants to lose business because another firm rates their security poorly. Mr Abi-Ghanem is seeing more firms commission due diligence on the IT infrastructure of a potential client or supplier because they want to avoid cyber criminals exploiting a third party’s weakness to gain “back door” access to their systems.

They will ask for a site survey to check how their data is handled, whether there is a privacy policy in place, the type of payment system, whether employees share passwords, and how often passwords are changed.

Mr Abi-Ghanem says cybercriminals are constantly finding new ways to hack systems, so business owners need to test their systems regularly to ensure there are no holes. The best protection is prevention and that starts with identifying what is important to your business.