The Guardian - UK
Business
Rebecca Burn-Callander

How to create a cybersecurity strategy

Passwords should be changed frequently and each staff member should have their own logins for systems and software. Photograph: Tek Image/Getty Images/Science Photo Library RF

It’s easier than you think to keep your business safe from cyber-criminals. By devising a cybersecurity strategy, you can protect your technology and systems from attacks and data breaches – and reduce any fallout if the worst happens.

Most of the measures are inexpensive and quick to implement – but they could mean the difference between survival and closure if hackers target your business. There are good reasons for doing this: cybercrime is one of the most significant threats to British businesses, with hacks and attacks rising by 22 per cent year-on-year.

In 2015, online crime cost UK firms large and small a total of £1 billion, and the World Economic Forum has ranked cyber-crime as one of the top five global threats over the coming years.

While you can never be entirely safe when trading online or using internet tools, think of a cybersecurity strategy as locking your door instead of leaving it wide open.

Forewarned is forearmed

The first step is to understand what data is being held, explains Stephen Ridley, senior cyber underwriter at Hiscox UK & Ireland.

“The number one thing that businesses must be aware of is what information they’re holding and where it’s stored,” he says. “If you’re storing data on certain devices, many have the ability to encrypt as standard – you just have to turn it on.”

Many businesses will collect reams of data, such as email addresses or customer details, and hang on to that information indefinitely. Deleting data when it is no longer required can vastly reduce the size of breaches.

Passwords should be changed frequently and each staff member should have their own logins for systems and software, rather than there being a single one for all users. Government research recently showed that 27 per cent of people have shared their passwords, which dramatically increases the potential for a breach.

Cybersecurity is often the last thing that a business owner wants to think about, especially when their venture is small or growing fast. But security must be built in from the get-go.

“You have to nail this early otherwise it can be very complex to add security measures to legacy systems down the line,” Ridley warns. “And make sure you always download software updates to get the latest protections.”

Not all cybercrimes take place because of flaws in technology – sometimes people let in the hackers unwittingly. Staff should be trained to watch out for phishing attacks; financial information should never be given out without stringent checks.

Ridley says: “Ransomware may be deployed via a phishing email, so staff must be aware of the risks. Knowing not to click on email links will protect you from a lot of cyber-crime. As will taking care not to email information to the wrong people, as that is a data breach.”

How to deal with an attack

Taking some of these basic precautions could help reduce the pain that hackers can inflict on your business. But what should you do if hackers do manage to seize your data, or are holding your company to ransom? A good insurer will help fix a breach by providing access to experts as well as a financial limit of indemnity.

“Ideally you want someone lined up to call,” says Matt Webb, group head of cyber at Hiscox. “Make sure you think about who you need to contact. Is it your IT department, the police, the regulator, your lawyer? This needs to be worked out in advance.

“You also need to be able to get to the bottom of a breach quickly, which involves forensic IT, and you may also need some help from a PR company to manage your reputation following a hack.”

From 2018, the EU’s new General Data Protection Regulation will force companies to admit any breach of customer data. They may then be fined up to €20m or 4 per cent of their annual turnover. If your customers are in the US, you are obliged to reveal breaches already.

Accountancy firm KPMG says cyber-crime can have a devastating impact on small businesses’ ability to trade. Its research found that 89 per cent of breaches result in reputational damage. But, by creating a robust cybersecurity strategy, you can be prepared for the worst.

You may never need it, but you will be grateful if cyber-criminals come knocking.

Content on this page is paid for and provided by Hiscox, sponsor of the Adventures in Business hub on the Guardian Small Business Network.
