Talking about the ominous threat of cyber-attacks these days has a whiff of closing-the-stable-door-after-the-horse-has-bolted about it.
Cybercrime is out there and it’s happening right now to organisations of all sizes, in all sectors, all over the world.
Hacks are more sophisticated, viruses are more widespread and systems are more vulnerable than ever. If the great and good (and wealthy) of the business world can’t stop it, what chance does the average startup have?
Exactly. So is there any point discussing threats and how to reduce cyber risk?
Yes, but the frequency and indiscriminate nature of cyber-attacks mean the likelihood of your business being a victim, in whatever form, is high enough to be almost inevitable.
With that in mind, it makes sense to talk about and plan for how to minimise the effects of a security failure, as well as planning for how to avoid being hit by a cyber attack. Prepare for recovery now and make sure you can still do business later.
That means taking an objective look at your business as a whole and not simply focusing on the technology.
The costs of a cyber security failure
Now, it’s safe to assume most businesses have two basic concerns: making money and saving money.
The problem is, a cyber-attack puts paid to both these things. A systems hack or data breach can stop you trading – hopefully only temporarily – and dealing with the aftermath or paying a ransom demand costs money.
Putting aside a war chest to cover these costs makes a lot of sense. The only problem is knowing how much to put aside and what you need to budget for.
Cybercrime is a problem brought about by technology, sure, but its consequences reach far beyond IT. The inconvenience factor is significant, as is the potential for client disruption.
Prepare to suffer a cyber-attack
Without the benefit of a crystal ball, no one can definitively say how much damage cyber-attacks cause or how much they cost. Not ideal, since no business likes unknown quantities – especially those that don’t have the time and/or money for unexpected disasters.
And really, that’s the point. Effective preparation calls for pragmatism and careful consideration of worst-case scenarios. Ask yourself:
- What, exactly, will be the consequences of cybercrime on your business?
- Can you survive without the internet, email, your database and your software?
- Will your clients be affected?
- Can you still trade?
- Who do you go to for help?
There’s a lot to think about. You need a list. Ideally of, say, five things you probably haven’t considered when it comes to dealing with a cyber-attack.
1. Hacker damage
Despite the assertion that cybercrime isn’t *just* about IT, the two things are inextricably linked. However large or small your business, the 21st century demands it’s connected and that means spending a significant amount of money on hardware, software, a website, hosting, maintenance … the list goes on.
Connected, however, also means vulnerable.
A hack, data breach or crippling virus can cause untold damage to these things. Fixing, restoring and replacing your tech is a specialist, time-consuming and expensive job.
It starts with a computer forensics expert investigating what’s gone wrong, and usually ends with a bill from your IT supplier and several cardboard boxes labelled ‘handle with care’.
If you think your business is too small for cyber criminals to bother with, think again. OK, you might not hold the vast amount of financial or personal information that’s so valuable on the dark web, but any business is a potential cash cow.
Locking down your website, network or customer data and holding it to ransom is an easy win. The amount to release it might only be a few thousand pounds, but even that can scupper a new business. And if you pay up, what guarantee do you have you’ll actually get back what’s yours?
Aside from the ransom demand, costs can escalate from not being able to do business to asking a specialist consultant to help with the negotiations. Often, the only victims here are your time and money.
3. Business interruption
It’s true, you should. But even that might not be enough to keep your business going if it’s hamstrung by a cyber-attack.
How long will it take to get your data back or replace a virus-riddled website? A day? A week? Longer? What impact will it have on the work you do? How will you earn money and look after your customers?
If you don’t have a significant amount of cash put away to tide you over while your business gets back on its feet, you’ll feel the financial impact more or less straightaway.
4. Data breach
Personal data is worth a lot on the dark web.
So much so that the Information Commissioner’s Office (ICO) takes a very dim view of any organisation that lets it slip.
If a breach means the personal data you hold (of customers or staff) is out in the open, you’re liable for it. That means the data owners can sue you for not keeping their information secure.
As well as the obvious costs associated with a solicitor defending you, you’ll also have to prep for a regulatory investigation by the ICO and find the money for the subsequent, almost-inevitable fine.
5. Crisis containment
What’s your name worth?
A good reputation takes years to build and, potentially, just a few hours to destroy. Can you afford to go without the trust and confidence you’ve earned and grafted for?
Probably not. But keeping a lid on bad news these days is harder than ever. The wonders of social media, for example, mean the latest hacks and data breach stories are all over the news before you’ve had your first coffee of the day.
Controlling the message is key. A specialist PR agency will know how to manage the fallout with your customers and those who’ve not heard your business name before (but won’t forget it in a hurry). Hopefully an expert comms team such as this can do enough to make sure your name stays out of the mud.
Even then it’s a full-time job. If you don’t go with an expert, you’ll save money but you’ll waste time firefighting when you should be rebuilding your business.
So there we go. There really is a lot to think about.
Don’t despair though because help is out there. The government’s Cyber Essentials scheme is designed as a box-ticking exercise to get businesses up to speed with cybercrime. It’s invaluable.
If you can’t stop an attack, cyber insurance helps by lending badly needed expertise and financial support to deal with the fallout. Previously considered ‘big company’ insurance, prices have come down and cover has increased to the point where every business should consider it.
Cybercrime might take place in a virtual world but its consequences are very real indeed. Be prepared and you won’t have to find out the hard way.
About the author
This guide has been written exclusively for ByteStart by Sarah Adams, Cyber Security Expert at PolicyBee.