Cybercrime is on the rise, with startups potentially posing easy targets for data thieves, hackers and fraudsters. We explore what businesses can do to stay safe.
According to a cybercrime report by Cybersecurity Ventures, the direct cost of damages from cybercrime is due to exceed £4 trillion by the year 2021.
So far, established international players have been the chief target for hackers looking to steal and ransom data, directly steal funds, or disrupt operations for political reasons. However, with the rise of disruptive new businesses and forward-thinking SMEs radically altering the market in most industries, it’s likely that today’s startups will be tomorrow’s cybercrime victims.
This May, London hosted the annual Cyber Security Summit, an industry-leading conference that explored “the latest developments, strategies and technologies available to successfully defend organisations online”. In anticipation of the conference, we looked at some key cybersecurity tips for startups, so that you can keep your business ahead of the pack and grow without the fear of an attack.
Formulate a plan
The first step in the fight against cybercrime is to put in place a coherent, well thought-out cybersecurity strategy.
This should, as a starting point, focus on device and computer security, including antivirus subscriptions and firewalls.
The next step is employee education; all employees should be clearly briefed on company policies regarding external devices, social media, personal emails and off-site network access. You don’t have to ban these things, but make employees aware of the dangers they pose and have a policy in place so everyone knows what is and isn’t permitted. That way you can isolate the cause of a threat if one should arise.
If you’re not sure where to begin when putting together your cybersecurity plan, there is a range of online tools that can help. The US Federal Communications Commission offers a free Cyberplanner tool, which is designed to help small businesses draw up a policy. It takes you through the key considerations, category by category, allowing you to customise the plan to suit your organisation.
Be wary of inside threats
A high proportion of cybercrime incidents in the business world involve insiders.
Instinctively, this might make you want to scrutinise your employees, but this approach will cause alienation (potentially increasing the risk of an insider attack) and is not very effective – cyberattacks are usually not visible to the untrained eye.
A more logical approach would be to categorise data and users within the organisation. Give each employee access only to the data they need for their job, based on a security clearance level. The most trusted employees – known as privileged users – will be those who have access to sensitive financial, client and security information. Make sure to limit the number of privileged users, and also to keep track of them. If any privileged users should leave the company, be sure to change any shared passwords they had access to and deactivate their usernames/profiles to prevent unauthorised access to sensitive data.
Finally, focus on employee satisfaction. Keeping employees happy has innumerable benefits, but the relevant one here is that disgruntled employees are more likely to be involved in cybercrime. Address issues with respect and help staff to feel valued to avoid alienation. Most importantly, be aware of departing staff; an exit interview is a good policy, both in terms of learning about any undisclosed issues and reminding departing employees of their legal and contractual obligations in terms of proprietary or sensitive data.
Don’t forget the basics
In writing your cybersecurity policy and clarifying employee access, it’s easy to forget the simplest elements of IT security.
Passwords, for example, are too often written down on paper in big offices and are too rarely changed. You should change important passwords regularly, and keep them complex. This means using a range of letters, numbers and symbols to deter human guesses, and making them long to deter machine guesses.
What’s more, it’s tempting to get too involved – planning and preparation can make you feel like you’ve got everything covered, but this is rarely the case when it comes to cybercrime. It’s still best, once you’ve taken care of the basics, to trust the experts. Hire a cybersecurity consultant or take out a plan with an external security agency; they’ll be much faster than you in identifying threats and limiting damage.
At the end of the day, when it comes to cybersecurity for digital enterprises, the opposite of the old saying applies: the best offence is a good defence. Actively seeking out threats is a time-consuming, costly endeavour; the best approach is a practical one, aimed at ensuring your business is not an easy target. Cybercrime is not going to go away, so always be prepared.