Cyber security is often seen as complex and specialist. Many people therefore think it comes with a premium price tag attached. Unless you need to commit to the spend – perhaps because of the demands of a cyber insurer, strategic customer, or regulator – you may invest only in the most obvious, basic defence measures, like anti-virus and a firewall.
It’s tempting to think “IT have got this”, or worse still, “we’re not a target, so it won’t happen to us”. But these days, that simply isn’t the case. As of 2023, 32% of UK SMEs reported having a breach; the figure was 59% for medium-sized companies (UK Government – Cyber Security Breaches Survey 2023).
Many companies don’t report it. Some may not know that it has happened: cyber criminals typically spend many weeks inside a company’s network before they pounce, making sure they hold the data and that the target has no way to recover it.
Of the companies that fell victim, most were targeted because they were vulnerable, and the vast majority were unprepared for the attack. It can be a deeply traumatic experience for leadership and staff. Speak to anyone who’s been through it, and they will tell you they never want to experience anything like it again.
Thankfully, while implementing strong cyber security measures is something you need to do, it’s not just about avoiding the potential horrors. Robust security can drive better outcomes for the business: staff feel more invested in the mission of the company, and customers and suppliers feel more confident about you as an organisation. In turn this should support growth and ensure that you remain competitive. And if you’re a business leader, it’ll help you sleep better at night, knowing that you’re doing the right things to keep your business safe.
Where to start?
Managing cyber risk requires building a culture of cyber readiness. It should be woven into the fabric of the company and applied to all aspects of the business and its operations: starting with the leadership team, and extending through staff, systems, data, access, the supply chain, customers, and your ability to handle a crisis should the worst happen.
Creating an effective cyber programme doesn’t require technical expertise (though that can be sought), but it does require an awareness of cyber security basics and a desire to make cyber security a priority in the business.
It won’t happen overnight, but as with many things, the hardest part is starting. One of the best ways to do that is to start asking questions:
- To what extent are your business operations dependent on IT? How would a period of downtime affect your business? What would be catastrophic to your operations?
- How long would it take to restore operations in the event of an attack? Have you ever tested it?
- How would an information leak (data breach) impact employees, customers, and suppliers? What might the consequences be: fines or lost earnings, damage to the business’s reputation, and loss of customers’ trust?
- Do you know where all your data assets are and who has access to them?
- Are suppliers or customers asking about your security? The NIS2 Directive update, covering the EU (and the UK by extension sometime in 2024), will require proof of several more stringent cyber security measures, and risk assessments for companies above a certain size across many sectors, including their supply chain. This may affect you directly. Even if it doesn’t, if you’re a smaller business supplying a larger one, they’ll start to ask questions of you. They’ll need evidence that you have security in hand, or are at least doing your reasonable best and can demonstrate it.
- Would you know what to do in case of a breach or data leak? How would you work with authorities, customers, and the media to manage the situation? What if it were to happen out of hours? Do you have a response plan for dealing with relatively common scenarios, such as a ransomware attack?
- Are you bound by regulations? If so, it will be incumbent on you to ensure the business is compliant. It may be industry specific or related to GDPR. Are you fully aware of your obligations? Can you demonstrate you are complying?
What to do?
Even if not required by regulation, a good start is a cyber risk assessment, focussing discussions and investigations around ‘what-if’ scenarios.
- Cyber criminals will focus their efforts on your most valuable data assets. Make sure you understand what you have and who has access to it, and implement protections with levels of spend and mitigation proportionate to the value of each asset.
- If you haven’t done so already, invest in cyber security basics. Making the business less vulnerable through checks and changes to settings and configurations can prevent common exposures. Make small investments in technology and services to maintain this, and improve awareness of cyber risk through regular staff training.
- Going beyond the basics, you may need to create policies and procedures to ensure that good practice is standardised and embedded, and test them so that you find problems with a process before you face a real scenario.
- You’ll likely need more in-depth testing of systems to identify vulnerabilities and misconfigurations. Furthermore, if you undertake a review of your cyber defences, you may decide that you need the services of a third-party specialist to support this and plug any obvious gaps.
- Your business may lack a comprehensive incident response plan or may struggle with timely and effective incident response. External services can enhance your readiness, and third-party consultants can help produce effective plans which you can test to ensure everything works as expected, and everyone knows what their role is when an incident occurs.
Keep in mind that cyber security is an ongoing process, and staying vigilant is key to maintaining a secure environment for your business and customers.
Ask for help.
It can seem like a lot to take on. And it may be to start with.
The UK government created the National Cyber Security Centre (NCSC) in 2016. Its website contains many useful guides and information, starting with the Ten Steps to Cyber Security. The Ten Steps is written for security professionals and technical staff as a summary of NCSC advice for medium to large organisations, but it can equally be applied to smaller companies.
That said, it would make sense to use an experienced person to help you understand these areas, especially if you are a smaller business. They can support you, ensuring you apply appropriate good practice principles to the context of your own company.