In the last edition of Gibraltar Insights, CSS Platinum explored ‘Why and How Cyber Criminals Target Businesses and Individuals.’ In this edition they explain what the Gibraltarian business community should do to be #hardtohack.
What should you do?
Cyber criminality is here to stay and will evolve as those who seek to counter cyber threats evolve. Effective cyber risk mitigation and becoming #hardtohack require a comprehensive and resourced cyber-security programme, designed to track and evolve to meet the cyber threats of today and the future. This takes consideration, planning and investment.
There are a number of cyber security management frameworks available to assist with the implementation of cyber risk governance; however, to keep things clear, simple, manageable and non-geeky it is suggested that you focus on addressing the following areas:
• Cyber risk governance:
What gets planned gets done. All businesses should undertake a cyber assurance and maturity assessment to understand their cyber resilience and where their risks and vulnerabilities lie. These can then be prioritised and addressed in accordance with the greatest risk.
“It is only when you know where you are, that you can plot a course to where you want to go.”
• Secure your team:
Your team are your biggest strength but also an area of great vulnerability. Your team will have multiple devices in their possession that have trusted access to your digital networks. You need to protect against their errors, accidents and, sadly, occasionally their malicious acts. This is mitigated by selecting the right team in the first place and training them to recognise threats and attacks and to use their electronic devices appropriately. Consider a service like Crew Check to carry out deep and thorough background checks and the Cyber Licence to ensure a consistent level of cyber security awareness training.
• Secure the supply chain:
It is easy to assume that every one of your suppliers takes its cyber security seriously, but do they? How do you know? How do they know? Do they know what good actually is? 92% of cyber-attacks are delivered by email. Suppliers have trusted access to your inboxes and can be used as a proxy to access your networks. It is good to trust, but better to check. You should insist on conducting supplier due diligence as a condition of entering into any contract. This is fast becoming the norm across all sectors and a requirement of the UK’s GDPR.
• Secure against technical attack:
Mutating viruses, worms, trojans, ransomware, spyware, DDoS attacks. Frightening, technical, geeky digital tools and weapons that the majority of us do not understand or have the faintest clue how to combat. Thankfully there are many digital technical controls that can be implemented to meet the cyber challenges of today. However, traditional anti-virus is not the modern-day solution. Artificial intelligence threat detection and quarantine systems are the minimum standard. Cyber criminals use artificial intelligence to reconnoitre and find your vulnerabilities. To defend against and beat artificial intelligence you need artificial intelligence – we humans simply cannot keep up anymore.
• Be prepared to respond:
No security programme is infallible. If a cyber-criminal is committed to their goal, they will find a way. The trick is being #hardtohack. Cyber criminals will seek easier prey when faced with comprehensive and coherent cyber security resilience. If an attack is successful, halting it as quickly as possible is your primary concern to ensure you can minimise its scope and scale. What will you do? Who will you call? Do you have a plan? Have you rehearsed it?
• Mitigate against unanticipated costs (Insurance):
Should a cyber-attack cripple your business you could be facing some hefty costs. These could include system repair costs (cyber forensic specialists can charge thousands per day), business interruption costs, delay to schedule, knock-on impact to other clients, adverse media coverage, financial damages claims etc. This can be mitigated by good cyber insurance, but only if the right insurance is purchased with realistic cover and service levels, and only if the minimum cyber security standards required for the policy to be valid have been met.
Who should the Gibraltarian community trust to support them?
Find a cyber security company that knows your industry/sector and is a trusted commentator and thought leader. Seek advice from business associations and the police for trusted suppliers. CSS Platinum can help to…
Regretfully, for most it is not a case of if a cyber-attack will occur, but rather when. Addressing cyber security can be an intimidating prospect, but when vulnerabilities are prioritised, addressed proportionately and coherently, and then governed effectively, the end result is that individuals, their businesses and the Gibraltarian community will be #hardtohack.
Michael Wills is co-founder and chief data officer for CSS Platinum.
For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com or email firstname.lastname@example.org.