For a logistics firm, time is money, meaning the costs of a cyber-attack extend far beyond the financial impacts of repairing and restoring systems. A successful breach by criminals can leave companies out of action whilst the problem is investigated, causing massive disruption to the day-to-day operation of the business, and incurring unknown additional costs. On top of this, for a business whose success relies on delivering an efficient and reliable service, the reputational losses caused by a cyber-attack serve to further damage your company and its assets, potentially beyond repair.
Last year 32% of SMEs were the victim of an attack or security breach, proving that being a small company does not keep you off the radar of cybercriminals. If anything, being an SME signposts you as a target that is less likely to have invested in thorough cyber security. This is evidenced in the statistics, which show that the most common cyber threats are relatively unsophisticated. Many of these relate to cyber hygiene measures that are quite simple to administer across your business, such as the use of strong password policies, network firewalls and ensuring that software security updates are applied as a matter of urgency.
Cyber Security vs Cyber Resilience
All the above demonstrates the importance of cyber resilience, a multi-faceted approach that goes beyond just improving your physical defences. To effectively tackle cyber-crime, it is important to first understand the threat landscape, to know how and why most cyber-attacks occur. This understanding will assist you in knowing what to do next and highlight the importance of enforcing strong policy amongst employees.
Whilst some criminals attack the vulnerabilities of your infrastructure, many are in fact targeting the vulnerabilities of you and your employees. Clever social engineering, often through forms of phishing, is used to take advantage of your human nature, using conviction, authority and urgency to convince you to click a malicious link or attachment. This human threat requires a human response; everybody in your organisation should be educated on common phishing characteristics, encouraged to question suspicious requests, and aware of what they should and should not be expected to share over emails. Without taking time to understand the threat landscape, you risk leaving yourself wide open: your physical cybersecurity may be strong, but it needs continually enforced policy to go alongside it.
The final strand of resilience is the ability of your organisation to respond and recover. It is important to recognise that no amount of preparation can totally mitigate the chances of becoming a victim. Having an incident response plan is a valuable investment that means if the worst does happen, you will not find yourself clueless on who to contact, or how to control damage and disruption to your business.
How does a vulnerability assessment fit into this?
Now that you understand the importance of approaching cyber-crime from a holistic and resilient perspective, you will want to be sure that your internal systems are not currently acting as a way in for cyber criminals.
The idea that ‘time is money’ for a logistics company is only amplified when you are an SME. Just as a cyber-attack can eat up huge amounts of money, so can investing in copious amounts of cybersecurity. For many smaller and growing organisations this is simply not an option available to them. However, if you are looking to ensure that your systems are secured and protected against an attack, choosing a vulnerability assessment can be an affordable option to highlight areas of your systems that may be easy to infiltrate. Alongside the other steps to building cyber resilience, this will help you on your way with strengthening your online assets.
The ECRC offers several vulnerability assessments, alongside other affordable services. These are provided by students, who are employed on the Cyber PATH talent pipeline. They are mentored and monitored by senior ethical hackers, who facilitate hands-on training for those who may become the future leaders in the fight against cyber-crime. This makes their services much more affordable than those provided by commercial companies, and by utilising their skills you are also supporting the next generation of cyber talent.
Types of Vulnerability Assessment:
Web Application Vulnerability and Threat Assessment:
This service assesses your website and web services against the top 10 security risks, looking for weaknesses and vulnerabilities. These assessments are supported with back-out and recovery plans to minimise the risk of outages. Service reporting will then outline the weaknesses in plain language, explaining what each one means and the risk to your business, as well as guidance on how to fix it.
Remote Cyber Vulnerability & Threat Assessment:
This involves reviewing your business’s internet connection remotely, in the same way an attacker would. These are not penetration tests with the goal of complete system compromise and control, but rather tests focused on identifying weaknesses that could be used by attackers to achieve those ends. Service reporting is then provided in plain language to explain the findings.
Internal Cyber Security Audit, Vulnerability & Threat Assessment:
This requires access to your internal network to simulate somebody who has gained illegitimate access. It will scan and review your internal networks and systems for elements including poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access sensitive data. Again, service reporting will describe what each weakness means, the risks associated, and guidance on how to fix them.
If you receive a troubling service report and decide to take remedial action, you are more than welcome to look at the cyber security companies we work with, who can help you in mitigating the risks. Some of these companies are Cyber Essentials Partners and some are Community Ambassadors.
So, what should you do now?
Firstly, signing up as a free member of the ECRC allows you to receive the benefits of our Little Steps Programme, to help you and your business understand simple things you can do to build cyber resilience.
This will take you as far as the Cyber Essentials accreditation process. When a company is operating under Cyber Essentials, it is 99% protected either fully or partially from today’s common cyber-attacks.
If you then decide you would like to go through with receiving the official accreditation of Cyber Essentials, you can choose to do this through one of our trusted Cyber Essentials Partners, who are all regionally based.
Finally, you can book a chat with us to discuss the next steps for your company and how we can help you.
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cyber-attack which isn’t ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).