Theft of customer data at Barclays highlights rising risk of cyber theft
This week, Barclays Bank announced that it had launched an internal investigation after a whistleblower alerted the bank to the theft of sensitive personal data of over 25,000 customers.
The information included customer bank details, passport and national insurance numbers as well as their attitude to risk. The incentive for those involved in the theft was clear, with unscrupulous investment brokers prepared to pay £50 for details on each customer.
It would appear that Barclays' internal risk management systems did not deter or detect the theft and the bank now faces the possibility of a maximum fine of £500,000, as well as the reputational damage such revelations inflict.
It is now generally accepted that larger companies, especially those involved in infrastructure projects or those that hold large quantities of sensitive data, are under attack from cyber criminals on an unprecedented scale. A startling statistic from the Information Security Breaches Survey, published in 2013, shows that 93% of large companies have been targeted, suffering on average 113 breaches each. The loss suffered by some of these companies ran into the hundreds of millions.
A key message, however, for the Northern Ireland marketplace is that cyber crime is not restricted to larger companies. The same survey recorded that 87% of SMEs were being targeted, with the worst breaches costing businesses as much as £65,000.
Doing business online has considerable advantages for SMEs. However, any computer that has access to email and the internet, as well as access to sensitive customer and commercial information, represents a potential opportunity to cyber criminals looking to gain access to this potentially valuable information, not to mention the temptation it presents to employees.
A business' cyber security is only as strong as its weakest link. In June 2012, a FTSE350 company with strong risk management controls suffered an online security breach that cost £800m in stolen Intellectual Property. Access to this information came via a small business, with weak network controls, that the company had recently acquired.
The Government is therefore rightly concerned about the risk cyber crime poses to SMEs and in response has introduced a package of support for SMEs. This includes a voucher scheme that runs until the end of April 2014 offering £5,000 towards improving cyber security, and guidelines for SMEs issued by the Department for Business, Innovation and Skills – What you need to know about cyber security.
The Information Security Breaches Survey concluded that 80% of breaches reported were preventable by businesses doing the basics properly, and it is worthwhile highlighting easy steps to help your business:
* Protect your computers and networks by installing a firewall that will repel external attacks, as well as limiting employees' internet activity.
* Ensure this software is automatically updated.
* Control employee access to commercially sensitive information through the use of password protection.
* Extend security to include employee devices. Many employees now use their own devices to access the business' network remotely. Such devices should contain firewall and virus protection and your network should retain password protection of sensitive files, as well as blocking protocols that prevent the transfer of possibly malicious files on to your network.
* Restrict the use of removable discs and portable memory devices such as USB sticks. Providing employees with remote access to the network will reduce the need to carry information around on a disc or memory stick that is easily lost or stolen. Also, your anti-virus software should scan and log any memory device that is inserted into one of your computers.
* Educate your employees. Provide training in cyber security and have a documented cyber security policy as well as an action plan should things go wrong.
* Keep security records and test your cyber security systems on a regular basis.
Irrespective of size, this is an area in which all companies must be increasingly and constantly vigilant.