Paul Fernandes explains why the flooring industry needs to understand the threats posed by cyber and data risks, and how you can protect your business against issues.
The financial impact of system interruption, privacy and cyber-crime events is now felt across all sectors.
The most common type of attack, by far, is Phishing – staff receiving fraudulent emails or being directed to fraudulent websites. This is followed, to a much lesser extent, by others impersonating organisations in emails or online, and then by Viruses, Spyware or Malware.
Phishing attacks are commonly considered the most disruptive type of attack that organisations face.
A sizeable number of organisations that identify breaches, report a specific negative outcome or impact. On average, for those that do, the costs are substantial.
Temporary loss of access to files or networks, disruption to websites, applications and online services are the most commonly reported outcomes – although organisations can experience a wide array of outcomes. A permanent loss of data is much less common, which might be expected given that 88% of businesses back up their data in some way.
How to protect your business
There are steps you can take to help keep you and your business safe.
1 Cyber insurance policy
Purchase a comprehensive Cyber Insurance policy. 43% of businesses already have some form of Cyber insurance.
2 Risk assessments
You can undertake a Cyber Security Risk Assessment. 34% of businesses have performed one in the last 12 months.
3 Network & staff testing
Run regular network scans or penetration testing. Test staff through mock Phishing exercises.
4 Password manager
Always change passwords from the defaults and update regularly. Avoid using similar passwords across accounts.
5 Operating systems
Update operating systems regularly as the security patches help avoid breaches.
6 Government resources
Access government resources and consider a cyber security accreditation for your business.
7 Backup System
Ensure you have a suitable backup system in place which is archived.
8 Encryption
Encrypt mobile computing devices and portable data devices (USB sticks) used by employees for business.
9 Two-step verification
Always use two-step verification when this is available.
10 Trusted sources
Do not open emails or files from unknown sources.
What is encryption?
Encryption is the process of encoding information so that only authorised parties can read it and is an important risk control measure. A breach of encrypted data is significantly less costly to deal with than a breach of unencrypted data.
Encryption is viewed more favourably by regulators, including the Information Commissioner’s Office (responsible for enforcing data regulations in the UK), and many of the fines levied have involved loss of unencrypted data by organisations.
What is Penetration testing?
Penetration testing, also called ‘Pen testing’, is a cyberattack simulation: an attempt to breach some or all of an organisation’s IT security systems, using the same tools and techniques that an adversary might.
A ‘Pen Test’ should be thought of in a similar way to a Financial Audit. Your Finance Team tracks expenditure and day to day income. An audit by an external group ensures that your internal team’s processes are sufficiently robust to protect your systems.
Penetration testing can help prevent extremely expensive and damaging breaches.
What is a backup system?
A backup is an additional copy of your data or data files stored in a separate system or medium. The Backup can be used to restore the original data and data files in the event that these files are lost, destroyed or corrupted. Backups provide a simple form of disaster recovery.
What is two-step verification?
Two-step Verification is a widespread security protocol, also known as ‘Two-factor Authentication’ or ‘Two-step Authentication’.
It’s a security process that requires you to complete two separate methods of proving your identity before allowing you to login to an account.
Every time you sign in from an untrusted device where Two-step Verification is enabled, you’ll receive a Security Code via email or text to your phone. The code acts as another security layer to verify it’s definitely you attempting to log on.
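As an added illustration (not from the original article), here is a minimal server-side flow for the emailed or texted security code described above. It assumes a five-minute validity window and a five-attempt limit; only a salted hash of the code is stored, each code works once, and comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5            # assumed policy: lock the code after repeated wrong guesses


class SecondStepVerifier:
    """Issues and checks one-time security codes delivered by email or text."""

    def __init__(self):
        # account -> (salt, salted hash of code, expiry time, wrong attempts so far)
        self._pending = {}

    def issue_code(self, account, now=None):
        """Generate a 6-digit code for `account` and return it for delivery.
        Only a salted hash is kept, so a leaked store does not reveal live codes."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)
        self._pending[account] = (salt, digest, now + CODE_TTL_SECONDS, 0)
        return code

    def verify_code(self, account, submitted, now=None):
        """Return True only for the correct, unexpired, unlocked code; single use."""
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None:
            return False
        salt, digest, expires_at, attempts = entry
        if now > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[account]      # expired or locked: a fresh code is required
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            del self._pending[account]      # a code may be used only once
            return True
        self._pending[account] = (salt, digest, expires_at, attempts + 1)
        return False
```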
What is a password manager?
Password managers are computer programs / databases that allow users to store, generate, view and manage their passwords for use on local applications and online services.
They store your login information for all the websites you use and help you log into them automatically.
Password Managers encrypt your password database with a ‘Master’ password – the ‘Master’ password is then the only one you have to remember.
There are a range of insurance policies available in the market to help protect your business and get you back up and running fast.
Be wary of inferior products. A good quality policy can include protection against:
Financial crime and fraud
When cyber criminals use the internet to steal funds, impersonate your business or deceive employees into transferring money or goods. This cover is usually an optional extension we would recommend including.
If a hacker holds your systems or data to ransom, or threatens to publish information, insurers cover the ransom you may have to pay and the services of a leading risk consultancy firm, to help manage the situation.
Mistakes made by staff or suppliers that result in a data breach.
Where personal or commercial information (electronic or otherwise) is accessed without authorisation, cover can provide support with forensic investigations, legal advice, notifying customers or regulators and credit monitoring for affected customers.
In the event of a data breach, prompt, confident communication is vital to keeping a company’s reputation intact. PR and crisis management with a leading public relations firm will help; from developing communication strategies to running a 24/7 crisis press office.
The cost of getting your business back to normal and compensation for loss of income, including where it is caused by damage to your reputation. Some policies also include Key Person Cover; an extra pair of hands to help your business with any increased workload.
Covering the defence and settlement of claims made against you for failing to keep customers’ personal data secure, or for allegations of non-compliance with GDPR. Also covers costs associated with regulatory investigations and settling civil penalties levied by Regulators where allowed.
Personal cover for directors
Some policies can extend to offer protection to Directors at a personal