There seem to be a growing number of data backup services advertising themselves as ‘cyber security’. This seems a little like claiming that your contents insurance is your home security system.
Yes, you’ll get similar items back (eventually), but someone still has your great aunt’s wedding ring, your holiday photos from Tenerife, and your last 5 years’ payslips.
No one would disagree that backing up your data is essential to protect your business from catastrophic data loss. Not only from a cyber attack, but from all sorts of natural disasters, systems failures, and even disgruntled employees!
Breaches do happen, to businesses of all sizes. Some are more impactful than others. Many now see them as an inevitability. What is not inevitable is the level of impact on your business.
The consequences of a successful cyber attack fall into three categories: Theft and Fraud, Reputational Damage, and Legal Consequences. Data backup protects you from none of these.
Theft and Fraud
Substantial financial loss can arise from the theft of corporate information. This can be as large and complex as trade secrets unique to your company, negating decades of hard work and huge investments in research and development. It could be as simple as a cherished list of your customers and what they buy, which could be sold to a competitor.
Financial information, such as payment card details and bank account numbers (both those of your business and your customers), can be compromised and used by attackers themselves to make purchases, or sold on the dark web.
Attackers do not even have to gain access to finance systems to be able to scam money out of a company. They could simply compromise the email server, identify customers on the verge of transferring money, and send an email from a genuine company email account requesting that money be sent to a different set of bank details.
The disruption to trade while your systems are, for example, crypto-locked, could be minimal. Your backup and restore solution might be excellent. That’s still downtime, though. Especially if you are a high-transaction business, a few hours could mean thousands of unhappy customers unable to order, and never coming back again.
Reputational Damage
Particularly important for more established ‘brands’, the damage from a data breach can be monumental. A loss of customers, a reduction in sales, slashed profits. Investors and partners can lose confidence. It’s no small issue for consumer confidence and market share in an increasingly competitive landscape, as the fallout from the recent Zoom and easyJet data breaches has shown.
Trust is the number one quality of a successful business relationship. People buy from trusted people, and people buy from businesses who can be trusted to handle and protect their personal data from theft.
Legal Consequences
Data protection and privacy laws are only getting stronger and more robust. The General Data Protection Regulation (GDPR) requires you to manage the security of all personal data you hold, whether on your staff or your customers.
If this data is accidentally or deliberately compromised and your business has failed to deploy appropriate security measures, you may face fines and regulatory sanctions. Fines for breaches of GDPR are up to 20 million euros, or 4% of yearly revenue, whichever is greater.
For regulated industries, this is in addition to the fines and sanctions handed down by industry-specific bodies.
Minimising the impact: risk, severity, budget
Few organisations are water-tight when it comes to security, and sadly, users are most often the weakest point. Blowing thousands of pounds on a next-generation firewall is unlikely to prevent Tim in accounts clicking a phishing email.
Your defences against social engineering, infrastructure, and application vulnerabilities need to be tested by friendly agents, mimicking the activities an attacker would use. Only by exposing the gaps are you able to remediate and get in front of your vulnerabilities. To do that you need regular, credible insight, intelligence, and advice.
The greatest protection for businesses against the constantly-evolving set of cyber attacks is an integrated, proactive programme of testing, scanning and assessment. Only with continuous vigilance can the risks be reduced to their lowest.
Discovering your vulnerabilities also allows you to make smarter budget decisions. Knowing where your greatest weaknesses are allows you to allocate more of the available resources to that area. If we use the example of an identified phishing susceptibility in your workforce, internal cyber security training would be a good place to allocate more budget.
Giving security teams visibility of their threats in one clear lens, a single pane of glass into which all the different threat intelligence, advice and insight can be fed, allows for easier prioritisation of threats and remediation action to be taken. This is the purpose of the forthcoming Rootshell Security Platform.