Cyber security: is your investor website a liability?
Why did the computer sneeze? It had a virus, of course!
Today, Friday 30 November, is Cyber Security Day. Online security is an increasingly hot topic for any organisation that uses digital channels to communicate, but why is it so important and how do you protect against the unknown?
In the modern age, your investor relations or group website is the primary source of information for investors, employees, customers and wider stakeholders. However, investors are concerned that boards are not sufficiently prepared for technological challenges after recent high-profile hacks and data breaches.
Facebook saw a slowdown in user growth after the Cambridge Analytica data scandal in March 2018 (87 million users’ data improperly obtained) and was later hit with a substantial fine. Regulators, politicians and users are all questioning the social media giant to better understand the breach and how to mitigate the issue in the future, and are seeking to increase regulation of social media platforms.
View the Facebook–Cambridge Analytica timeline here: www.reuters.com/article/facebook-cambridge-analytica/timeline-cambridge-analytica-lists-events-leading-to-facebook-data-row-idUSL3N1R45J1.
With the amount of data being created, processed, edited and deleted measuring in the zettabytes (that’s one trillion gigabytes!), there is an increased risk that companies and regulators cannot keep up with the pace of change, which increases the likelihood of bugs or insecure processes being compromised.
"Give a man a fish and you feed him for a day. Teach a man to phish and he'll use your credit card to pay for dinner."
Cyber security is becoming a prominent feature at board level to ensure business practices, supply chains and third-party services can protect digital assets and monitor systems to accurately report on potential leaks or hack attempts. A key issue noted in recent data breaches is the time taken for hacks to be reported and publicised. For example, Dixons Carphone initially reported a breach of 1.2 million customer records in July 2017 but discovered a year later that it was closer to 10 million.
Read more on this news story here: https://www.bbc.co.uk/news/business-44465331.
Doing nothing is not an option. Digital Account Director Tom Rogers and Senior Developer Andrew Gerber recently attended a cyber security event hosted by the Metropolitan Police to explore the different types of cybercrime and ways to mitigate them.
“About 80% of known attacks would be defeated by embedding basic information security practices for your people, processes and technology,”
Sir Iain Lobban, Director, GCHQ, 2014
The different types of cybercrime include:
- Hacking – this occurs when a third party manages to gain unauthorised access to a computer system. This can be done through password attacks (phishing) or application attacks targeting weaknesses in computer systems or programs.
- Distributed Denial of Service (DDoS) – this is where a website is flooded with so much traffic that it crashes the server, which can cause reputational damage or loss of earnings whilst the website is restored to normal functionality. A subset of this is DDoS extortion, where a company can be held to ransom in order to stop an attack.
- Malware – this stands for malicious software, which is designed to gain access to a computer or network in order to disrupt normal operation or gather information. There are various types of malware including spyware, ransomware, viruses and worms.
All of the above can be mitigated with the right processes in place and a strong culture around security. For more information on protecting your devices at work and home, visit the Cyber Aware website here: www.cyberaware.gov.uk/.
How to improve security on your investor website – six top tips
We’ve summarised six simple tasks to keep your investor relations website as secure as possible:
- Ensure security patches and upgrades are applied as soon as they’re stable – this may be one for your web design agency/developers.
- Enforce a strong password policy for your logins – use a password generator or password storage app to create long, strong passwords.
- Use SSL/TLS encryption (HTTPS) throughout your site, especially on login pages and form submissions. Restrict access to login pages so only your office IPs can access them.
- Keep your website clean – delete any old or unused files and forms, and remove the user accounts of employees who have left the business.
- Review your analytics – see if there are any uncommon spikes in traffic or attempts to access from obscure countries/locations that may indicate a hack. Your development team can then follow up to check server logs for suspect IP addresses.
- Training – ensure your content managers and wider teams have adequate training about cyber security, best practices and how to spot potential attacks or fake emails.
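As an added example (not part of the original article), the sketch below shows the kind of server-log follow-up described in the tips on restricting login pages and reviewing analytics: it flags login-page requests from outside the office network and per-minute request spikes from a single IP. The office range, login paths, threshold and log lines are all assumptions constructed for illustration, and the log format is assumed to be the common/combined access-log format.

```python
import ipaddress
import re
from collections import Counter

# Assumed values for illustration; replace with your own office range and paths.
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
LOGIN_PREFIXES = ("/admin", "/login")
SPIKE_THRESHOLD = 5  # requests from one IP within one minute

# Common/combined log format: ip - - [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield (ip, minute, path, status); skip lines that do not parse."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        # "30/Nov/2018:10:16:12 +0000"[:17] -> "30/Nov/2018:10:16" (minute bucket)
        yield ip, m["ts"][:17], m["path"], int(m["status"])

def review(lines):
    """Return (login hits from non-office IPs, {(ip, minute): count} spikes)."""
    outside_login, per_minute = [], Counter()
    for ip, minute, path, status in parse(lines):
        per_minute[(str(ip), minute)] += 1
        is_office = any(ip in net for net in OFFICE_NETS)
        if path.startswith(LOGIN_PREFIXES) and not is_office:
            outside_login.append((str(ip), path, status))
    spikes = {k: n for k, n in per_minute.items() if n >= SPIKE_THRESHOLD}
    return outside_login, spikes

# Constructed sample log lines using documentation-reserved IP ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Nov/2018:10:15:02 +0000] "GET /admin/login HTTP/1.1" 200 512',
    '192.0.2.44 - - [30/Nov/2018:10:15:05 +0000] "GET /investors/reports HTTP/1.1" 200 9120',
    'not a log line',
] + [
    f'198.51.100.7 - - [30/Nov/2018:10:16:{s:02d} +0000] "POST /admin/login HTTP/1.1" 401 128'
    for s in range(10, 16)
]

if __name__ == "__main__":
    hits, spikes = review(SAMPLE_LOG)
    print("Login requests from outside the office network:", hits)
    print("Per-minute spikes:", spikes)
```

Any login-page hit reported here also means the IP restriction from the earlier tip is not being enforced at the web server or firewall.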
If you’re keen to review your website and its security processes, please get in touch with firstname.lastname@example.org and we will be happy to discuss the options with you.