What security protection do I need for my creative business?

We get asked this question regularly and there are several factors to consider.

Is my creative business really vulnerable or is it just hype?

Risk: What should we be protecting?

How do we know if the data is really safe?

Will any of this security protection interfere with your workflows and existing practices?

Are we vulnerable or is this snake oil?

This is a fair question to ask. There are regular items in the news about the latest high-profile hack: big corporations like British Airways and even local authorities (Hackney Council in London) have had high profile cyber-attacks. Do they target smaller organisations and if they do, would they go after a creative business? 

We must get into the mind of the attacker. What they see you as, primarily, is a TARGET. Whether you do re-designs for the latest Doctor Who series or an advertisement for a new eco-coffee pod – what the bad guy wants to know is: “can I hack your system with my automated tools and if I can, what can I steal or encrypt for a ransom or can I sell this on to someone else”.

Methods of attack include phishing (where a malicious email is masquerading as a legitimate one with the goal of stealing credentials) and exploiting loopholes in your Mac or PC’s system (yes, Macs do get attacked!) to gain access and delete, steal or extort.

As each year goes by, the knowledge and expertise of hackers grows. Their methods of attacks have become more sophisticated making them harder to detect and the damage that their malicious apps and scripts create is getting worse. There are some seriously alarming stats out there which make it crystal clear that having such an attack can be devastating to the point of business failure and creative businesses are no exception.

What is less reported in the media (or even not reported at all) are the smaller businesses. There is reputational and financial damage that can be done to a small business that gets hacked. Under the Data Protection Act 2018 (red GDPR), a breached company MUST inform its clients of the event as well as reporting the incident to the Information Commissioners Office (ICO). Telling your clients of a cyber-attack affects your reputation. Telling the ICO can lead to serious fines.

Risk: What should we be protecting?

In essence, security protection for your creative business is there to protect your physical and information assets from being infiltrated by a “bad actor”.

Unless you can, with confidence, identify all your information and any device where that data could reside, how can you protect it?

I will say that again. Because the bad guy could try to attack any device in your business where work data may reside unless you KNOW where this data is, how can you know what to put in place to prevent such an attack?

Creatives have a wide range of data, stored across many types of media. For example, Macs, servers, tablets, iCloud, Google Drive, SharePoint. Each one of these has a discreet security model for users who can and cannot access data on these devices. Who, in your organisation manages this access and control? Is the process documented? When people join or leave the company, is this data reviewed and updated?

Then there is the data itself. This is the businesses’ intellectual property – possibly the most valuable asset your company has. Imagine someone has got through whatever security protection you have and got their hands on it. Does it bring you out in a cold sweat (it does for me!)? The invasion of privacy – the fear of what they may do with it. Can I get it back? I like to consider this from time to time. No, not because I am a masochist (!) but because I want to hold on to that moment of potential fear and remember how I felt. I want to respond to this emotion by reviewing my company’s cybersecurity policy. It is the presence of such a security policy and genuinely creating it, implementing it, testing that it is effective and regularly reviewing it that assuages my fear. Worrying about it does not help. Action does.

How do we know if the data is really safe?

If you have read this far, I am hopeful that you are taking this seriously and are on the cybersecurity journey for your creative business.

So far, we have looked at what data you have and on what device. Based on this you can begin to decide who should see what, who should not see what and how to control changes in personnel and data access. A good start. But we need to look at this from the bad guy’s perspective. It costs them very little to try to (programmatically) send apps and script attacks to your company devices and networks. They respond to the results that flag a weakness and work from there, trying to exploit you. What if you could make this approach really expensive? Could you put significant deterrents in place to make you less attractive?

“Cybersecurity assault course”: there are many ways of testing whether your systems are secure. 

These may include testing that a non-managerial team member is not able to see data that you believe has been denied access to them.

You may contract a cybersecurity company to try to hack you (safely) by way of vulnerability scanning or a penetration test.

If you think something like an antivirus app is there to protect you on the inside stopping bad things from getting in, an external attack/test is coming at this from the other way and looking at your business and its data from the outside in.

Will any of this security protection interfere with your workflows and existing practices?

One of the challenges with IT security is getting the balance of protecting the business from cyberattack whilst preserving efficient working. Making the system so secure that you cannot deliver creative projects on time because the procedures are now so convoluted is clearly not workable. Equally, preserving the status quo whilst making the system open to attack defeats the whole purpose of having a cybersecurity policy in the first place.

To get the balance right needs ongoing discussions with those responsible for project delivery and those responsible for security. Analysing workflows with security protection in place and how this affects timelines and your delivery process should consider some proof-of-concept testing. This will give all parties an opportunity to understand each other’s perspective and find the correct mix of controls and flow. Again, this process should be seen as an ongoing task. As cyberattacks become more sophisticated and defence techniques evolve, so should your cyber security policies.

Remember, cybersecurity is not a one-off job, it is a journey.