The cyber attack that hit TalkTalk last week will likely turn out to be very costly indeed. Though the telco’s share price has rebounded after police arrested a teenager suspected of carrying out the attack, it will certainly give customers tempted by its cut-price contracts pause for thought in the future. Other businesses should sit up and take note.
Don’t be complacent
Cyber attacks aren’t just a problem for big companies like TalkTalk. According to a survey conducted by the Government’s Cyber Streetwise Campaign, one third of small businesses were affected by an external cyber attack at some point in the past year.
‘It’s a mistake to think you’re not going to be a target just because you’re not large enough,’ says Greg Aligiannis, senior director of security at encryption software company Echoworx.
‘There are criminal organisations who have got remote controlled clouds of bots and all they’re doing is scanning from one IP address to another with a known list of vulnerabilities looking for a victim.’ Any unprotected computer that’s connected to the internet could be breached within three minutes, he says.
Get the basics right
Making sure all of your kit has a firewall and antivirus software installed is crucial. So are strong passwords - never use relatives' or pets' names, important dates or anything else that would be easy to guess. This kind of thing might seem obvious to you, but you need to make sure everybody on your team knows it too.
Stop ignoring updates
Messages saying your computer needs to restart to install updates can be a massive pain, especially when you're in the middle of some important work. But those updates will ensure that your computer’s defences are as up-to-date as possible.
‘When the operating system you use, the phone software you use, the application software you use, when those guys publish a security update, make sure that you consume it,’ says Paul Ducklin, senior security advisor at Sophos. The same goes for any mobile devices your employees are using to connect with your systems.
Get your staff on side
All the technology in the world is useless if your staff don’t know how to use it, or don’t feel like they need to. ‘Every company should have an acceptable use and password policy, because sometimes it will be employees who make the situation vulnerable,’ says Dr Peter Chadha, CEO and founder of the IT consultancy DrPete Technology Experts.
Ensuring policies translate into practice isn't always straightforward. Handing staff a long-winded document to read alongside reams and reams of HR policies, expenses policies, travel policies and branding policies on their first day is a surefire way to make sure it will be ignored. You have to communicate the importance of being security conscious in a clear and concise way.
A strong relationship between your tech guys and the rest of the workforce is also important. ‘You need to try and build a culture where it’s ok for people to ask for help or for a second opinion if they are suspicious about anything,’ says Ducklin. If people do give out their password to a cold caller claiming to be from Microsoft or click on a dodgy email link, it’s best that you know about it as soon as possible.
Be careful with data
Cyber thieves aren’t just looking for credit card info. Customer names, addresses, passwords and lifestyle information can all be of use to criminals, and you have a responsibility to protect that information.
‘Understanding what data you need to protect and its value to the business is crucial in allocating security resources effectively,’ says George Anderson, a director at internet security firm Webroot. ‘Why would you have your most valuable data accessible and connected to the internet?’
For particularly important data it might be worth using encryption software, which makes it harder for hackers to access the contents of a file.
Prepare for the worst
Even the most technologically proficient organisation can’t totally eliminate the chance of being attacked, so it’s worth spending some time thinking about what you will do if one does occur. Who will take charge of the clear up, how will you communicate the problem to customers and what will you be able to do to minimise the damage?
The TalkTalk breach and all the other cyber attacks that have graced the headlines of late should serve as a wakeup call to all businesses, large and small, about the importance of keeping their systems secure. Don’t let a simple error mean you’re the next target.