How management can organise their business to avoid cyberattacks
Cyberattacks keep on increasing, and we see more and more news about businesses that have been affected. It can be hard to avoid being targeted, but there are many things you can do to limit the damages and keep operations running. In this blog post, we have listed a few things to consider to be able to avoid being affected by cyberattacks!
Cyberattacks can have serious consequences
Being exposed to a cyberattack can have serious consequences for the affected company/organisation:
- Large productivity losses as the attack can lead to interruptions and even longer production stops. The attack can also result in a more lasting deterioration in productivity.
- Leakage or even loss of personal information about customers. Intellectual property rights are also at risk of being stolen.
- The trust and reputation of the company can be severely damaged, which can lead to difficulties in gaining new customers in the future and difficulties in obtaining financing.
- Large costs can arise in connection to the attack, among other things to pay external service providers to solve the problems, but also for extra work internally to solve the situation. It can also entail costs if you as a company do not meet the various requirements placed on the business.
- There is a risk that the company will be forced to close its entire business, at least temporarily. For businesses that are constantly running, this is a serious threat.
The first step of beginning to work with cybersecurity is to realise that all in the list above can happen to you. And, that it can be avoided with the right cybersecurity solutions.
Laws and directives
In organising yourself against cyberattacks, there are regulations that can guide you in what you can do. The NIS Directive (The Directive on security of network and information systems) is a EU directive, meaning that it is translated into each member state’s national legislation. This means that there may be differences in application. The NIS Directive aims to promote security measures and boost EU member states’ level of protection of critical infrastructure. In other words, it improves information security of operators in sectors that provide essential services to our society and economy.
Learn more about the NIS Directive!
Another regulation that might be important for your organisation is the Protective Security Act. It clarifies the obligations for companies with security-sensitive activities and the importance of the operators performing security protection analyses for their operations. In Sweden, the Protective Security Act (2018: 585) contains requirements for measures aimed at protecting information that is of importance for Sweden's security or which is to be protected according to an international commitment for security protection. The protection of other security-sensitive activities, such as important information systems, is also being strengthened.
Read more about the Protective Security Act!
Informing your organisation of these regulations and stating how they are not only vital for your operations, but something you must follow, is a step to get started with cybersecurity. Large fines and lost reputation is something that thereby can be avoided.
Teach your company board why you must invest in cybersecurity
Many big and important decisions are made along with the company board. If you want to organise your cybersecurity work, it is time to present to the board what such an investment could result in. To a board, cybersecurity can be seen just as a cost – but it is actually an investment that could save the company money in the long run.
One way of presenting what your cybersecurity investment should be, is to do a Cyber Risk Quantification (CRQ). The risk cost is the probability of a certain consequence times the cost that consequence has. So, for a consequence that would cost the company or organisation 1 MSEK and has a probability of once every ten years, the risk cost is 100 000 SEK/year. The protection for this particular risk should then not be more than that amount.
Also, it is important to stress that a cyberattack can reflect negatively on the company long-term in the shape of bad press, lost trust and so on. Thus, investing in cybersecurity is never a bad choice.
Educate your employees
One step in preparing your organisation to be able to resist cyberattacks, is to implement knowledge and behaviour with all employees. If everyone is aware of the risks that exist and how to meet them, it will be easier to both avoid attacks and handle them correctly when they do happen.
Cybersecurity today is not only a technical challenge but also a human challenge – it is a matter of security culture. Criminals do not always use just technical shortcomings, but often rely on people to access sensitive data. Therefore, the human factor is the main cause of the most serious security breaches. To become better at security culture, attitudes and behaviours need to change. The organisation needs to see cybersecurity and security culture as a critical activity for the whole company and not as an isolated IT issue.
Read more about how to create a security culture!
Secure these areas to avoid cyber risks
When you have integrated a security culture within your company, there are more practical areas that you can tend to.
Digitalisation means that IT and OT systems need to be connected, and often the same type of technology is used in IT and OT. The different needs in IT and OT easily lead to technical conflicts that can be challenging to handle. With secure solutions, you can maintain accessibility and at the same time increase security.
Read more about how you can securely integrate IT and OT!
Traceability and logging
Most IT systems generate logs that enable troubleshooting and traceability. Logging benefits from having one shared system for all zones/subsystems, but a shared system also increases the risk of attacks. To reduce the risks, a solution is required that protects both log information and all connected systems.
Read more about traceability and logging!
Transmission of SCADA information
For many years, companies using SCADA systems have been gradually automated. But transferring critical information, for example from a SCADA system to an administrative office network, involves potential security risks. Here, secure solutions are needed that take care of security issues and at the same time enable an exchange of information.
Learn more about solutions for SCADA systems!
Conducting updates is something that in itself can pose a security risk if not done properly. The integrity and availability of the systems must be maintained, and most system updates are normally not sufficiently evaluated in the environment in which they are used, or in combination with the applications running. To avoid the risks and to maintain the integrity and availability of the systems and be able to make secure updates, special solutions are required.
Learn how to conduct secure updates!
Even though cyberattacks are increasing, there is a lot that you can do to prepare yourself, your organisation, systems and colleagues. Read more about how we can help you get there!