As the New Year gets under way, it’s a good time to review your information security arrangements. Information security is now an essential part of business risk management, and the costs alone of not keeping on top of it should be enough to justify at least an annual review: in 2013 a small business’s worst security breach caused an average of £40k to £60k in disruption, took 12 to 24 days to respond to, and cost up to £8k in damage to reputation.
We’ve revisited the UK government’s Information Security Breaches Survey 2014 to pick out some themes that would be a good place to start your review. All statistics in this article are taken from that survey, which covers breaches that occurred in 2013.
Information security policy
According to the survey, 60% of small businesses have a formally documented information security policy. This means that 40% still need to create one. The policy needs to cover acceptable use of every system relevant to the various staff roles. If you already have a policy, ensure it’s up-to-date. Provide regular training to staff and make sure the policy is understandable – 70% of companies where the security policy was poorly understood had staff-related breaches, versus 41% where the policy was well understood.
Review who in your company has access to which file stores, services, portals, etc. Appropriately restricted user privileges could go a long way towards minimising malicious, and indeed accidental, damage: 20% of the worst security breaches were due to deliberate misuse of systems by staff, while 31% were caused by inadvertent human error.
Remote data storage
Cast a critical eye over the types of data you’re storing in remote internet services and cloud systems. According to the survey, for small businesses the proportion of remotely stored data classified as “highly confidential” was 24% in 2013, up from 20% in 2012. Conduct a critical study of the storage options, local and remote, to compare the risks and benefits. If your sensitive information really does need to be stored remotely, make sure you thoroughly investigate the host. Here are some of the steps survey respondents took to gain assurance about the external provider’s security:
· Ensured contract included provisions for security
· Ensured all data held is encrypted
· Ensured the provider is certified as ISO 27001 compliant
· Have a contingency plan in case the provider ceases operation or the business wishes to exit
If you’re in the half of small businesses that already has an incident response plan, review it to make sure it’s up-to-date – and test it regularly. If you still need to create a plan, build it with clear roles and responsibilities, and provide specialist training where necessary so that incident response and disaster recovery can be effective.
For more guidance on cyber risk management, take a look at the government’s 10 Steps to Cyber Security publications: https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility
The Information Security Breaches Survey can be found here: https://www.gov.uk/government/publications/information-security-breaches-survey-2014