UK businesses face unprecedented technology changes, the consequences of which are mounting IT security challenges as they rely more and more on technology to carry out their day-to-day business. Plus, the use of mobile devices in the workplace, the increase in remote working, and the proliferation of cloud services have exacerbated an already high level of cybersecurity threats.
And, at the same time, companies have become far more vulnerable to cyber attacks because they have failed to adequately educate employees, tighten IT security processes and employ robust technology to protect data and the IT network.
In common with many other sectors, the cyber threat level for the UK’s small business sector is significant and the number of reported incidents continues to grow substantially. The extent to which criminals are looking to exploit digital technology to commit offences is also increasing, with the goal of disrupting businesses, breaching IT security and stealing sensitive data and money.
Small businesses (SMBs) in the UK are the target of an estimated 65,000 attempted cyber-attacks every day, according to figures from a study by Hiscox, a specialist insurer.
The majority (66%) of those SMBs that suffered an attack admit to making no changes to their policies or systems subsequent to a breach. This is perhaps one of the key reasons why over half (56%) of those who’ve suffered a breach are the victims of multiple attacks.
For the cyber criminal, cyber crime is high volume and low risk and can potentially deliver huge payoffs. In today’s connected world, the variety and scale of cyber-attacks will continue to be a major concern for any business.
Cyber attackers know from experience that SMBs are likely to have less money and fewer resources to cover IT security. The majority of cyber attacks are automated and indiscriminate, exploiting vulnerabilities in IT systems and careless users.
Cyber attacks cost businesses thousands of pounds in unproductive work days, lost revenue, stolen data, reputational damage and potentially significant fines associated with GDPR and any data breaches.
Accenture underline how important it is to keep pace with how cyber attacks on businesses are evolving to keep on top of the risks:
- Information theft is the fastest rising consequence of cybercrime, but disrupting businesses is the focus
- A new wave of cyberattacks sees data no longer just being copied and stolen but being destroyed, attacking data integrity
- Cyber criminals are adapting their attack methods to focus on human fallibility, deploying tactics such as ransomware, phishing and social engineering as a path to gain entry into systems
The UK Government is helping businesses to prepare by providing a range of standards and guidelines, the most useful of which for SMBs is Cyber Essentials.
What is Cyber Essentials?
Cyber Essentials is the UK Government-backed scheme administered through the National Cyber Security Centre (NCSC) that aims to ensure organisations can protect themselves and prevent the most common cyber attacks.
The NCSC claims Cyber Essentials can help eliminate the risk of 80% of cyber attacks such as WannaCry. The WannaCry ransomware attack was a May 2017 worldwide cyber attack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in Bitcoin cryptocurrency. The NHS was one of the bigger victims of WannaCry in the UK.
It’s important all companies take action to protect themselves, ensuring they have at least adequate protection in place. Cyber Essentials can be seen as the first step in putting those essential IT security controls and processes in place.
Organisations that achieve Cyber Essentials demonstrate that they have considered and committed to boosting their own security defences and have reduced the vulnerability of their business or organisation by meeting an accredited government standard.
The primary aim of the scheme is to encourage and guide organisations to adopt and implement information security best practices.
Not every organisation has the time or resources that are needed to develop a full-on approach to cybersecurity. So the Cyber Essentials scheme has been designed to fit with the appropriate level of commitment an organisation is able to sustain.
The simplest way to start is to familiarise yourself with cybersecurity terminology and learn more about how to adopt a more secure IT posture. If, as an organisation, you need more certainty on how you apply cybersecurity, you can obtain basic or entry-level Cyber Essentials.
To get ready for your Cyber Essentials journey, we have suggested some points below to help you in your preparations and considerations around Cyber Essentials:
1. Will your business benefit from being Cyber Essentials certified?
Unless you have already done your research and are fully prepared with an active cybersecurity defence strategy in place, with adequate resources allocated to secure your network and infrastructure, you will certainly benefit from the certification process.
Undertaking certification will flag your current threats and prepare the business for the majority of known cyber attacks going forward.
IT security practices are as important as locking your doors after you have left the office or putting expensive equipment away. These are obvious actions to take, but you need to adopt these best practices as habits.
To make sure you get the basics right, try to do the following:
- Adopt safe best practices for doing business online to reduce the risk of an attack
- Keep on top of software updates; download them immediately, as they may contain important security upgrades and patches for known weaknesses
- Adopt strong password hygiene: don't share passwords or use the same password for access to multiple applications
- If the email looks suspicious, trust your instincts and delete it
- Install anti-virus software on your computers, tablets and smartphones to protect against the transfer of viruses or malware and to protect your use of the internet
- Educate and train your staff on how to identify potential risks and best practices
- Keep your team up to date on the latest threats, but manage the sense of urgency so that staff are not permanently on edge
2. Cyber Essentials Plus
For those organisations who need to take their cybersecurity to a higher level, you can go for Cyber Essentials Plus certification.
Cyber Essentials Plus has exactly the same requirements as Cyber Essentials, with the critical difference that Cyber Essentials Plus requires an independent assessment of your security controls.
You’ll need to conduct a vulnerability scan, a verification of your cybersecurity carried out independently by your appointed Certification Body to report on the state of your network security as part of the certification process, together with an assessment of your policies, processes and the current effectiveness of your IT security defences.
The information gathered will guide any remedial actions needed and ensure your company can demonstrate that it meets all the necessary requirements.
Taking an in-depth look at your security provides a framework and road map to follow to improve your cybersecurity strategy. With the introduction of GDPR in 2018, as a business you must know where and what data you have stored and its source, and that you are lawfully complying with the regulations on how to keep and process it.
So knowing your vulnerabilities is also an essential step in making sure you are set for your General Data Protection Regulation (GDPR) compliance obligations.
3. Self-help for Cyber Essentials
The Cyber Essentials self-assessment option gives you protection against a wide variety of the most common cyber attacks.
There are five basic technical controls that you can put in place today that will enhance your approach to cybersecurity:
- Secure your Internet connection
- Secure your devices and software
- Control access to your data and services
- Protect from viruses and other malware
- Keep your devices and software up to date
Once you have implemented these five basic controls, you’ll place your organisation on the path to improved cybersecurity. Cyber Essentials Certification would then be the next target. To check your status, and how ready you are to move on to the next stage, there is a handy checklist that you can work through.
4. Display your certification badge
Cyber Essentials, and in particular Cyber Essentials Plus, compliance has now become a recognised badge of confidence that can help you establish trust and show that you have made a promise to take your cybersecurity responsibilities seriously.
Certification allows your business to be listed on the Directory of organisations awarded Cyber Essentials and can help to attract new business with the promise you have cybersecurity measures in place.
5. Business economics
By properly implementing cybersecurity controls, you will also drive business efficiency throughout the organisation. Plus, the fact that you have a Cyber Essentials certification may also reduce insurance premiums.
Also, if you want to apply for government contracts, you’ll need Cyber Essentials certification too. The UK Government now requires “suppliers of most contracts and services to hold a Cyber Essentials certificate.”
Cyber Essentials is just one step of the journey towards securing your organisation against cyber attacks. As an outside provider, Worktools can do initial security assessments and ensure that everything is secure, both locally and through remote access.
We can also help create your cybersecurity plan so you know how to prepare for and, if necessary, respond to an incident.