All businesses are digital

24th Oct


Mike Hudson, cyber security manager for safety expert Arco, shares some key insights and tips for businesses looking to keep their digital information secure.

‘All businesses are digital’ might sound like an odd statement. However, the reality in this day and age is that, if you run a business, technology and digital data play a key role in daily operations.

Accounting, contact information, websites, social media, virtual meetings: the list is endless. We take these for granted as elements of modern business, but cyber security must not be forgotten. According to the Government’s Cyber Security Breaches Survey for 2022, 39% of businesses have reported cyber-attacks in the past 12 months. This October is Cyber Security Awareness Month and provides an ideal opportunity to highlight potential pitfalls, risks and proactive approaches we should all take to protect our data at work.

Good working practices and education go a long way to reduce threats. As the workplace takes on a hybrid model, these best practices are more important than ever. As laptops and phones pass between networks and the home and office, vigilance is vital to keep security tight.

Strong passwords

It might seem obvious, but your first pet’s name and the year you were born is no longer an advisable approach to creating a strong password. Avoid personal information, four-digit dates and sequential keyboard patterns (e.g., 1234). A more robust alternative employs a mixture of lower-case and upper-case letters interspersed with numbers and symbols.

For example, instead of the word ‘pamphlet’, use ‘pAMPh$3let’, or combine four or more random words, which can be easier to remember and much harder to crack. The longer, the better when it comes to password security. If possible, a longer passphrase or secure password manager is preferable.

You can use the service at haveibeenpwned to check if passwords you currently use have been exposed in previous data leaks.

Multi-factor authentication

In addition to a strong password, multi-factor authentication provides an additional layer of protection. This ensures that in the unlikely event a password is cracked or leaked, your information cannot be accessed. It’s easy to set up with an email address or mobile number for most business applications. It takes a quick approval through a supplied number or pop-up to help guarantee your security.

Up-to-date software

Ensure your work computer and mobile software are regularly updated. This can be assessed with a brief manual check and guaranteed by approving auto updates in your settings. Out-of-date software can leave devices vulnerable to attack or exploitation.

Training and education

Cyber security is heavily reliant on education. Business users must be equipped with the tools to identify threats, such as phishing emails, spam pop-up notifications and fraudulent websites.

A sufficient education prevents the majority of security concerns before they even become an issue. Any business should have protocols and training programmes for new employees and regular refreshers. A business is responsible for ensuring its staff are up-to-date with any potential threats.

Data breaches

What about when it all goes wrong?

Any business can fall victim to a data breach, despite the most stringent security measures. A high-profile case in the news recently was Uber, which suffered its third data breach in the last decade. This resulted in unrestricted access across many levels of the business, including customer and employee details.

Uber’s breach is a sharp reminder that even large digital-oriented businesses can fall victim to breaches. So, what can we do? A plan of action and certain processes must be followed in the event of a breach. And these plans need to focus on transparency and speed. They also need to follow several key legal steps, including:

  1. Contact customers – Firstly, contact all affected customers. A statement across your website, social media and direct emails increases the chance that this message is seen. Be clear, succinct and honest. Explain how the situation may affect customers’ digital data and business operations. Communication should be as swift as possible; don’t delay in alerting customers to the issue. Preparation for this scenario is advisable. Prepared messaging, such as email templates, clear protocols and defined tasks for employees, will ensure this communication is handled quickly and effectively, helping to reassure customers and minimise any reputational damage.
  2. Report to the ICO – UK businesses must contact the Information Commissioner’s Office (ICO) as soon as possible, no later than 72 hours from discovery. Such reports should provide clear information on the timeline of events, possible leaked data and as much detail as possible. Failure to report a breach could result in fines and, in some instances, legal action. For example, in October 2020, the ICO fined British Airways £20 million following a data breach affecting more than 400,000 customers. This is an extreme example but an important reminder that it is the legal responsibility of all businesses to comply with the ICO’s data protection and reporting rules.

In summary, it is our collective responsibility to remain vigilant as individuals and organisations to minimise risks. More importantly, businesses must remain compliant, honest and transparent in their approach to cyber security. They must both educate and provide for employees and update and reassure customers if the worst happens.

At Arco, we specialise in health and safety, and many lessons carry over well to cyber security. Appropriate protection, training and compliance are potent tools for a secure and safe workplace.
