Protecting your business shouldn't be hard
In this article, Simon Newman, the head of Cyber and Business Services at the Police Digital Security Centre, shares his top tips for SMEs to review and adopt simple digital security practices for their business
According to recent figures published by the Department for Digital, Culture, Media and Sport (DCMS), 32 per cent of small and medium-sized enterprises (SMEs) suffered at least one cyber attack or breach in the past 12 months. With an average cost of £4,180 for each incident, the impact on SMEs can be catastrophic, yet the overwhelming majority of cyber crime can be prevented by implementing basic controls. So why are businesses still falling victim to it and what should they be doing to reduce their vulnerability?
One of the biggest challenges we see among SMEs is that they don’t believe they will fall victim. They often fail to understand how cyber criminals see the value of the information they hold or that they are vulnerable to random attacks. Furthermore, many businesses we speak to see cyber security as an IT issue rather than something that should be dealt with as part of their normal risk management regime, much in the same way they would deal with a flood or fire. Many businesses also find cyber security confusing. It’s a rapidly developing area with new threats being discovered all the time as criminals find ways to exploit vulnerabilities, making it difficult for SMEs to keep up. This is particularly true with the more sophisticated attacker – nation state actors and organised crime groups now specifically target SMEs as a way of gaining access to larger companies. Focusing on weaker links within the supply chain poses a significant threat to both SMEs and larger companies.
Finally, SMEs often struggle to find a cyber security provider who can meet their needs. The cyber security industry has grown massively in the past few years, and finding someone they can trust who will implement a solution that is right for them is becoming harder.
Together, these challenges mean that cyber security can become a secondary consideration for SMEs with many of them ignoring the threat until they fall victim, by which stage, it may be too late. Lost revenue, reputational damage and huge recovery costs await those SMEs who fail to act. Therefore, it is imperative for SMEs to have a sense of awareness regarding their existing controls. This allows them to analyse and locate where the weaknesses lie within their systems and subsequently implement appropriate security measures.
SMEs can adopt a variety of security assessments provided by third-party services. For example, carrying out a vulnerability scan is a good start. A vulnerability scanner builds an inventory of the SME's computers, networks and applications and checks them for known weaknesses. For a more extensive approach, some third-party service providers can perform a penetration test of the system. A penetration test includes vulnerability scanning, but ‘pen testers’ go further, applying the more intrusive methods a potential hacker could use to gain access to the systems.
However, while penetration testing can help expose vulnerabilities, the resulting reports are often complex, containing significant technical detail that needs to be interpreted by an expert. They also don’t always help the business understand what it needs to do to fix specific vulnerabilities.
The importance of awareness
Technical tools like the ones described above can help SMEs understand where and how they are vulnerable to a cyber attack. However, the importance of education and awareness in preventing cyber crime mustn’t be underestimated. Building an organisational culture that encourages and rewards staff for reporting suspicious emails, links or websites is a positive step that all SMEs should consider as part of their overall approach to security. We know that telling people to take action isn’t always effective. Instead, we need to focus on helping SMEs understand how cyber crime can impact them and why taking active steps to maintain good cyber security is beneficial for their business. We need to demonstrate that it can help them innovate, win contracts in new markets and build confidence with their customers.
At PDSC, we are firm believers that businesses who spend time to understand their exposure to cyber risks, and put in place controls to reduce their vulnerability to the most common types of cyber crime, should be recognised. That’s why we have recently introduced a new certification scheme to help SMEs demonstrate to their customers and staff that they take cyber security seriously.
Our Digitally Aware award is based on the National Cyber Security Centre’s (NCSC) Small Business Guide and has been developed in collaboration with the British Standards Institution (BSI). It is the very first step for SMEs on their cyber security journey and is aimed at those with a low exposure to cyber crime. Applicants can download practical advice, guidance and checklists that they can use to implement basic security controls.
For businesses with a higher exposure to risk, we have introduced a new award called Digitally Resilient. This is about having the appropriate controls in place to match their level of risk. Both certificates are designed to increase demand for the Government’s flagship Cyber Essentials scheme.
Our top ten tips for any business looking to achieve a basic level of security are:
1. Update software to fix vulnerabilities. Your devices can be set to download and install updates automatically to ensure crucial fixes are not missed.
2. Install and activate anti-virus to identify and remove threats from systems.
3. Back up data regularly and test it often, to be confident the information saved will restore when it is needed the most. In the event of an attack it will support efficient business continuity and speed up recovery.
4. Configure a firewall to monitor connections to the internet and block any that are unauthorised.
5. Use strong passwords to prevent unauthorised access to information and systems. Default passwords must be changed upon initial installation, as they are easy to obtain online. A passphrase of three random words is recommended because it is virtually unbreakable.
6. Use two-factor authentication where possible to add an extra hurdle before accessing data. This can be in the form of a one-time numeric code sent to a phone or produced by an app, which is required in addition to the standard username and password during the authentication process.
7. Restrict who has access to sensitive information to only those who need it for their job role. If too many staff have access, information can become easily lost or stolen.
8. Train staff to identify suspicious activity and report it to prevent others from falling victim.
9. Develop an incident response plan to outline actions in the event of a breach.
10. Develop technical security policies to enforce requirements, behaviours and responsibilities of staff when working online.
The threat to businesses is constantly changing as criminals find new ways to exploit weaknesses. Regularly reviewing your security posture, implementing appropriate technical controls and improving awareness among staff and customers will always be the most effective way of improving security, making SMEs a less attractive target for criminals.