Cyber security for businesses: Q&A with Espanaro

Cyber security is a key issue for all businesses, no matter the size or sector. From safeguarding your digital assets and complying with regulations, to preventing financial losses and building customer trust, having a strong commitment to cyber security is vital. 

We spoke to Espanaro, an engineering consultancy and service delivery partner in the UK, to answer some of the most important questions businesses have around cyber security. Espanaro specialise in systems engineering, software engineering, and systems integration within the Defence sector. 

If you want to learn how to spot a cyber attack, how your business should respond if you experience one, how much training you should be giving your employees, and more, then keep reading.

What are some of the most common cyber security threats to small and medium sized enterprises (SMEs)?

While the payoff of an attack may be much less than for a larger business, cybercriminals often view SMEs as an easier target with fewer controls in place to thwart an attack. 

The most common threats that SMEs face are:

  • Phishing attacks – where cybercriminals use deceptive emails or messages to trick employees into revealing sensitive information, such as login credentials or financial details. Phishing attacks can lead to unauthorised access and data breaches.
  • Ransomware – this type of malware encrypts a company's data and demands a ransom for its release. SMEs may be particularly vulnerable because they might lack robust backup systems or dedicated cybersecurity measures.
  • Malware – malicious software can infect a system, causing damage or stealing sensitive information. SMEs may be targeted with various types of malware, including spyware, adware, and trojans.
  • Insider threats – employees, either intentionally or unintentionally, can pose a significant threat to cybersecurity. This could involve sharing sensitive information, accidentally clicking on malicious links, or intentionally causing harm.
  • Incorrectly configured security – this may include security technology where default passwords, weak passwords, or insecure configurations are implemented.
  • Lack of training – insufficient cybersecurity awareness among employees increases the risk of falling victim to social engineering attacks and other security breaches.


What impacts can a cyber security attack have on my business?

Data breaches, ransom payments, and system downtime can result in significant financial losses for companies and can erode customer trust and damage reputation. Ransomware attacks and other cyber threats could disrupt business operations, leading to downtime and productivity losses. 

Businesses also need to be mindful of data protection regulations such as GDPR. Non-compliance with these can result in legal consequences and fines, adding to the financial burden. The loss of sensitive business or customer data can have long-term consequences, affecting competitiveness and customer relationships.

How can my business spot a cyber attack and how can it prevent them?

There are various detection and prevention measures your business can take to protect itself, including:

Detection

  • Training – educate employees about the dangers of phishing emails. They should be cautious about clicking on links or downloading attachments from unknown sources.
  • Network security – implement firewalls, intrusion detection systems and SIEM tools to monitor and control network traffic, identifying and blocking suspicious activities.
  • Regular security audits – conduct regular penetration testing to identify vulnerabilities and weaknesses in your systems before attackers can exploit them.

Prevention

  • Software updates – keep all software, including operating systems and applications, up to date with the latest security patches. Many cyber attacks target vulnerabilities in outdated software.
  • Access control – limit user access to the minimum required for their job roles. This reduces the potential damage in the event of a security breach.
  • Strong authentication – enforce the use of multi-factor authentication (MFA) to add an extra layer of security, requiring users to provide multiple forms of identification.
  • Encrypt sensitive data – encrypting it both in transit and at rest will protect it from being intercepted or accessed by unauthorised individuals.
  • Conduct regular security audits – this will identify vulnerabilities and weaknesses in the system. This can help in addressing potential issues before they are exploited.
  • Secure remote access – if you have remote employees, ensure that remote access is secure. This may involve using Virtual Private Networks (VPNs) and secure authentication methods.
  • Regular training – educate employees about the latest threats, phishing scams, and best practices for maintaining security.
  • Develop an incident response plan – this plan should include steps to identify, contain, eradicate, recover, and learn from security incidents.
  • Data backup – regularly back up critical data and ensure that you test the backup and recovery processes periodically.
  • Third-party risk assessment – assess and manage the security posture of third-party vendors who have access to your systems or handle your data.
  • Security policies – establish and enforce security policies across the organisation, ensuring that employees are aware of and comply with security best practices.
  • Collaboration – consider working with cybersecurity experts to regularly assess and enhance your security measures.
  • Insurance – obtain cybersecurity insurance to mitigate financial losses in case of a successful cyber attack.


How much training should I be giving my employees and where should we start?

As a start, your business should provide employees with an introduction to how to spot and report events. This is a vital element in encouraging users to take an active part in protecting your business.

Regular training is key. This can be in the form of online videos or similar training media. Simulated attacks, such as spoof phishing emails, can be beneficial but may also lead to false positives where employees are willing to click the link to ‘see what happens’. This requires the business’s security controller to understand their staff and which methods are most suitable for different groups, for example shop floor, managerial, directors.

This regular training should also be accompanied by updates/notifications, informed through threat intelligence and analysis to identify threats specific to the business.

How should my business respond if we are breached or experience a cyber attack?

It’s important to have a pre-planned and rehearsed plan in place, providing users and security staff with a clear roadmap of how to react to specific forms of attack. You should plan this in conjunction with both the business IT team and IT providers where services are outsourced.

These plans should include:

  • Immediate actions, for example disconnecting the system from the wider network.
  • Activate the incident response plan and notify relevant team members, such as the security controller, legal department, HR, and IT team/provider.
  • Clearly defined role responsibilities.
  • Forensics plan for individual types of attack; this should follow a documented process to ensure evidence is gathered in a rigorous fashion and that the full effects/reach of the incident can be identified.
  • Reporting process – this may be to legal authorities, to meet contractual obligations the business may have, and to the wider business.
  • As part of this reporting process and the allocated role, information should be provided in a timely and transparent fashion to stakeholders and, where necessary, the wider public.
  • Cyber-insurance requirements – making sure processes adhere to these requirements to minimise delay in payouts.

Remediation/recovery plan

  • A plan to recover in the short and long term should be developed and tested. This can be part of your business’s disaster recovery plan, but needs to be documented providing all stakeholders with a clear path forward, minimising damage and ultimately expense to the business.
  • This plan may include a process of how to review events/incidents and develop future mitigation strategies to prevent a repeat occurrence, such as training, technology configuration or purchases.
  • Cyber-insurance – once all the documentation and evidence has been gathered, supply this information to the insurance party to expedite payments.


How can I make sure my employees use strong passwords?

Enforcing complicated password requirements can have the negative impact of forcing staff to write down passwords on post-it notes or reuse passwords across devices. Instead, consider using the three-word approach. This encourages users to create more memorable passwords using three distinct words; for example, “LargeGiraffeApple” is far easier to remember than “L!nKlN82FhQp3@”, but provides a similar level of complexity that would protect it from attack.

You could also think about encouraging and educating staff to use secure password managers or other secure storage methods. This also benefits the employees by raising awareness that translates to their personal lives, improving their own cyber security resilience.

Additionally, you should ensure passwords are stored securely within your internal systems, for example through the appropriate use of salting and hashing, thereby reducing the use of potentially exposed passwords to malicious actors.
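To make the salting-and-hashing point concrete, here is an added example written for this page (it is not code from the article or from Espanaro). It stores each password as a record containing a per-user random salt and a slow key-derivation hash (PBKDF2-HMAC-SHA256 from Python's standard library), verifies a login attempt without a timing leak, and sets the naive alternative (a fast, unsalted hash) beside it so the difference is visible. The record format, the iteration count and the function names are this example's own choices, not an industry-mandated layout; the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2 (assumed value for this example). It should be tuned to
# your hardware and stored inside each record so it can be raised later without
# invalidating existing passwords.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password get
    different records, so a stolen database cannot be attacked with one
    precomputed table, and the slow derivation makes each guess expensive.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy.

    Call this after a successful login so the password can be re-hashed while
    the plaintext is legitimately available.
    """
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


def insecure_unsalted_hash(password: str) -> str:
    """The pattern to avoid: fast, unsalted, and identical for identical passwords.

    Every user who chose the same password shares this value, and a single
    precomputed table cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the three-word password from the article's answer.
    record = hash_password("LargeGiraffeApple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("LargeGiraffeApple", record))
    print("wrong password rejected:  ", not verify_password("largegiraffeapple", record))
    print("same password, different record:",
          hash_password("LargeGiraffeApple") != record)
    print("unsalted hashes collide for equal passwords:",
          insecure_unsalted_hash("LargeGiraffeApple") == insecure_unsalted_hash("LargeGiraffeApple"))
```

In production the same shape is usually obtained from a maintained library that implements Argon2 or bcrypt rather than hand-rolled PBKDF2; the points that matter for the advice above are the same in either case: a unique salt per password, a deliberately slow hash, and a constant-time comparison.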

What support is available to businesses?

The UK’s NCSC offers advice and guidance to SMEs – you can read their small business guide here.

Frameworks such as NIST Cybersecurity Framework or ISO/IEC 27001 provide a structured approach to managing cybersecurity risk. Implementing these frameworks can help businesses establish, implement, and improve their cybersecurity practices.

Industry-specific standards and associations often offer guidelines and support. For instance, the Payment Card Industry Data Security Standard (PCI DSS) is relevant for businesses handling payment card information. Joining industry associations can provide networking opportunities and access to shared cybersecurity resources.

Cybersecurity consulting firms can aid in producing risk assessments, identifying vulnerabilities, and providing tailored solutions. These experts can offer valuable insights and recommendations based on the specific needs of your business.

Finally, consider cybersecurity insurance to mitigate financial losses in the event of a security breach. However, it's important to note that insurance should complement, not replace, strong cybersecurity measures.


What's next?

If you have any questions about cyber security or need other support for your business, please get in touch with your Portfolio Executive.