Wednesday, 10 February 2021
Keeping cyber security simple: Air IT CTO explains how businesses can protect themselves on a budget
Life in the fast lane of the digital age means we’re also in the midst of spiralling cyber crime, constantly looking in the wing mirror at the latest online threats. One of the main speakers at the Chamber’s Cyber Week event, Air IT chief technology officer Lee Johnson, gives a high-level overview of the trends in this space and explains how businesses can protect themselves on a budget.
From VPNs and DDoS to cryptojacking and trojan horses, the world of cyber security is fraught with its own terminology that could be enough to put off the average business owner from wanting to explore any further.
The types of cyber-attacks are far, wide and growing in number every day – as are the defences and, inevitably, the cyber dictionary.
For Lee Johnson, though, it doesn’t have to be as complex as it sounds. “Some of the simplest security implementations can often provide some of the most effective methods of protection, such as multi-factor authentication,” says Air IT’s CTO and head of its specialist cyber security division Air Sec.
“Implementing user awareness training programmes, with videos showing employees what to look out for and how to spot a phishing email, handling credit card data and spotting CEO fraud attacks are good examples.”
Cyber-crime stats show threats are rising
Regardless of the route businesses take or the methods used, the need for online protection is clear.
Cyber crime is on the rise. The UK Government reported 46% of businesses were breached or attacked in 2019/2020, with the proportion of those experiencing issues at least once a week increasing from 22% in 2017 to 32% in 2020.
The largest loss from a single cyber-attack in 2020, according to Hiscox, was $15.8m but, while SMEs may be tempted to view it as a problem for the big firms that can afford such payouts, they shouldn’t be fooled.
Breaking down its findings into different business sizes, Hiscox’s Cyber Readiness Report 2020 found the median average cost of cyber incidents over a 12-month period was $4,359 for companies with one to nine employees, $9,225 for those with 10 to 49 staff and $58,750 for firms with a headcount between 50 and 249 people.
Its cyber risk score puts the smallest of those cohorts at the top by some distance.
“SMEs are often the primary target for quite a few reasons,” says Lee. “Many don’t have a specific cyber security budget to protect their organisation, which puts them especially at risk when their entire workforce is operating remotely.”
Just like the most effective defences are the simplest, so are the attacks – despite an ever-growing glossary that includes terms like formjacking, cryptojacking, drive-by downloads, RATs (remote-access trojans).
Phishing attacks, in which emails are designed to trick receivers into divulging sensitive personal data such as passwords or bank account details, remain the most common, with Microsoft reporting they accounted for more than a billion of 13 billion malicious or suspicious emails blocked in 2019.
Hackers often mimic messages from real websites such as Amazon or PayPal, but the pandemic has given them more opportunities to become more sophisticated.
Lee explains: “We are commonly seeing attacks that are using the pandemic to their advantage by sending carefully-crafted phishing emails with a Covid theme.
“For example, towards the end of last year a lot of organisations were beginning to plan a phased return to the office before the second wave, so the cyber criminals used this to their advantage and sent emails featuring ‘return to work information’ or ‘essential Covid-19 policy updates’, with links that actually redirect users to a malicious website.
“These types of ideas increase the likelihood of their attacks being successful and have been profound during the pandemic.”
Remote working increases cyber security risks for businesses
The unplanned shift to homeworking has amplified the risks that had already existed. Whereas employees in many professional organisations would previously have been within four walls and on a single server, each individual now has their own internet network – opening more doors to hackers.
“In some organisations, IT infrastructures are now being used in ways they weren’t originally architected for, with corporate data being accessed from personal devices that may not have had the correct safeguards in place,” says Lee.
“This creates problems for businesses. It’s safe to say the trend line on cyber-attacks is only going one way – and that’s up.”
Allied to the risk of personal networks is that of personal smartphones and tablets – an evolving trend within flexible working practices known as bring your own device, or BYOD.
While companies can use virtual private networks (VPNs) to ensure employees only access corporate documents and data via a secure remote server, cyber specialists remain wary.
Lee explains: “Even with a VPN, if you connect your own device from an unknown network, we’re effectively allowing unknown machines on to corporate networks.
“Using personal devices isn’t necessarily a bad thing, as long as the right systems and safeguards are in place, but particularly in the SME space there are systems being used by organisations in ways they weren’t planned for – and therefore haven’t got the right technologies or procedures in place to enable a secure BYOD culture.”
To mitigate this, Air IT endorses defences such as mobile device management, in which software is installed on the personal device to give IT administrators remote control of separate contained work profiles to secure company data, but not personal information. Companies can also offer corporate network access to employees on condition of a set of security measures, such as enforcing passcodes, two-factor authentication and malware protection.
Implementing cyber security protection on a budget
Such tools are all well and good but for many small business owners, the question is simply about where to begin.
The Cyber Essentials scheme is considered by the National Cyber Security Centre to be the best first step and protects against 80% of the most basic cyber security breaches, while allowing organisations to showcase their credentials as trustworthy and secure.
Certification is based on a focused set of five controls – firewalls, secure configuration, user access control, malware protection and patch management – and costs £300 to obtain.
“Having that framework is a very good place to start for any business,” says Lee. “It’s mandatory to have if you’re working with Government bodies and many other organisations.
“But it’s also a good way of winning business. If you’re in a tender process and it’s neck and neck, something like Cyber Essentials can be a real differentiator and shows you’re taking security seriously.”
That’s the carrot, but there’s also the stick. Lee is keen to point out that hackers aren’t necessarily carrying out their attacks with manual human effort these days, and there’s often nothing personal about automated bots that scour the web for vulnerabilities, find their way into a system and wreak havoc.
Cyber-attacks cost UK businesses £34bn, according to a 2015 report by the Centre for Economic and Business Research (CEBR), but the reputational price can be greater.
“Unfortunately, it’s a question of when, and not if, organisations are going to be targeted,” adds Lee.
“The cost of taking those steps to make sure you’re protected is always going to be significantly less than if you were to suffer a cyber breach.
“It’s relatable to installing an alarm system on your property – it’s always better to install preventative measures ahead of time, instead of reacting after the event once the damage is done.”
This article appears in the February 2021 issue of the Chamber's Business Network magazine.