How to defend yourself against cyber attacks

It's your company's most valuable asset: a technological breakthrough, a unique database, a list of important clients, a project under development. Whatever it may be, it has taken years or decades of work and investment. Yet it can be taken in a moment by cyber criminals.

Commercial cyber crime is growing at an exponential rate around the world. In the UK, the combined loss to businesses of intellectual property the and industrial espionage alone is £9.2bn a year, although “the real impact of cyber crime is likely to be much greater”, says a government-commissioned study by Detica.

Commercially useful ideas, designs, methodologies and trade secrets are all on cyber criminals’ hit list. “If a product is attractive to somebody on the outside, it’s under threat,” says Stuart Poole-Robb, chief executive of risk specialist KCS Group.

No business with saleable intellectual property is safe, says Will Thomson, director of Cardiff -based 4Secure. “Companies ask ‘why would anybody come a er us?’” he says. “I tell them to look at what they’ve got that somebody else might want.”

The utilities, medical, pharmaceutical, media, so ware, fi nancial, electronics and telecommunications sectors are particularly at risk. But the fact is that, any intellectual property-rich organisation where transaction volumes are high may be considered a target for highly professional, IT-savvy cyber criminals working from anywhere in the world.

And although industry professionals say there’s no single solution – “all organisations are different” points out Thomson – there are several simple measures that can and should be taken.

1 VALUE YOUR ASSETS

Start by conducting an audit of all the company’s intellectual property and assessing its external value. Massimo Cotrozzi, managing director of KCS Group, says: “Many companies have no idea what their level of risk is.”

Typically, even those that do attempt to put a price on intellectual assets they think are at risk from cyber crime often make the mistake of undervaluing those they may not consider important, but which other fi rms will for different reasons.

2 DRAW UP A BUDGET

Draw up a protection budget that bears a sensible relationship to the value of the property. “Many companies have ridiculously low budgets that are not comparable with the importance of the business involved,” says Cotrozzi. “Obviously it makes no sense to protect a £1bn formula with a £100 bit of so ware.”

3 GET TECH SAVVY

Don’t think the company is safe just because it’s got all the latest firewalls and other so ware.

“Anti-virus so ware can’t defend itself against viruses it doesn’t know about,” explains Poole-Robb. “The best gateway into a company is an email address.”

The big danger may not be inward traffi c anyway. As Thomson says, “companies focus too much on what’s coming in instead of on what’s going out.”

4 ERASE SENSITIVE DATA

Recovery specialist Kroll Ontrack says more than half of all fi rms leave commercially useful information on old computers and hard drives. Typically, a single data breach costs £4.2m to fix, according to Detica.

5 PROTECT YOUR DATA

Push data protection disciplines throughout the company, for instance, by forbidding employees from using obvious passwords because hackers always work their way through a disciplined system based on our human foibles. And don’t leave passwords in obvious places.

6 STICK TO THE CODE

Too few companies have strict codes of online conduct backed up by effective enforcement, says 4Secure’s Thomson. “Employees always try to circumvent the system,” he says.

Much cyber stealing can start from Hotmail, Gmail, fl ash fi les and other stuff downloaded onto the desktop.

7 CHECK YOUR STAFF

Run short-term or contract staff through a security check. It’s not uncommon for a cyber criminal to get through the door as a replacement cleaner or employee. “Checks on short-term workers are usually inadequate,” says Poole-Robb.

8 NEED-TO-KNOW

Throw a “security perimeter” around the fi rm. Intellectual property should be assigned levels of importance according to its external value and made available on a need-to-know basis. Thus only designated employees should take designated data into an unsecured wider perimeter.

9 MOBILE PROTECTION

Develop a mobile phone policy. Mobiles o en contain important data, but are o en badly protected.

10 TREAT DATA WITH CARE

The most sensitive data should be treated like it’s pure gold. The biggest private equity firms only release details about a major investment in a fully protected room where nothing can be downloaded, copied or removed.