Anyone who has followed my posts this year will (hopefully) be acutely aware of the many issues facing organisations all over the world when it comes to cyber security.

Companies big and small are hit with devastating cyber attacks on a daily basis, causing untold misery for all involved.

The cost of a cyber attack is not measured entirely in financial terms. It is also measured in the stress felt by those trying to stop and repair the damage, in the distress of those whose data has been compromised, in the reputational damage to the company involved, and in the impact on second-order victims in its supply chain. The list goes on.

Large organisations should have the capacity to fund a robust cyber security regime and be able to employ trained staff whose responsibility it is to develop strong policies and to oversee their implementation across the business estate. Large organisations should be able to implement leading technologies to automate the process of detecting and responding to the signs of compromise, and then stand up a dedicated team of cyber security responders to combat any attacks from threat actors. In addition, large organisations should have the finances to support an education program to develop a high degree of cyber hygiene across their workforce.

But how do small to mid-sized companies cope with these factors?

In many cases, they simply cannot.

SMEs and the UK economy

In September, I posted about the devastating impact of ransomware, and in that post I included some statistics about Small to Mid-sized Enterprises (SMEs) being the lifeblood of most countries' economies.

Data from the Office for National Statistics (June 2023) show that in the UK, SMEs (<500 staff) employ around 30.5 million people, contributing over £6B to the UK economy.

ONS analysis of count, employment, employees and turnover of VAT- and/or PAYE-registered UK SMEs

It’s been reported that SMEs have created over 2 million jobs in the past 5 years and were found to be especially important to the local economies of South West England, Wales and Northern Ireland; in these areas, SMEs account for 70% of jobs within the private sector.

Research undertaken by Vodafone Business has found that:

  • Almost one in five (19%) of SMEs polled said that an average cyberattack costing £4,200 would destroy the business. That amounts to more than a million SMEs.
  • The majority of SMEs polled (54%) had experienced an attempted cyberattack in the past 12 months.
  • 18% said their business was not protected with cybersecurity software and a further 5% did not know.
  • Only 28% were aware of the Government’s Cyber Essentials scheme – with more SMEs saying they had heard of a cybersecurity product that does not actually exist.

Fundamental problems

There are a few factors behind the poor state of SME cyber security:

One is that “cyber” is simply not on the agenda for many SMEs. Devoting time to the world of IT and cyber is out of scope for many small businesses that are struggling just to run their operations as it is; they have neither the time nor the resources to devote to the subject.

Another is the financial cost of upgrading systems, paying for dedicated staff, educating staff, and implementing new regimes.

Help is available

The National Cyber Security Centre (NCSC) has produced a wide range of guidance documents aimed at SMEs to help them understand the problem of running a business in an ever more complex world of cyber – this guidance is freely available on the NCSC website.

A starting point is the NCSC’s Small Business Guide, which offers straightforward advice in five easy-to-follow steps to help companies boost their cyber security posture:

  • Step 1 – Backing up your data
  • Step 2 – Protecting from Malware
  • Step 3 – Keeping Smartphones (and tablets) safe
  • Step 4 – Using passwords to protect data
  • Step 5 – Avoiding phishing attacks

The guide also includes some simple steps to take to increase overall security of the business in a series of policy, technical, and staff awareness tips:

NCSC – Small Business Guide Actions

As a further step, the Small Business Guide has a set of resources to help businesses learn more about their cyber security issues. The resources include videos, e-learning, infographics, and a signpost to the next stage in an SME’s cyber journey – Cyber Essentials.

What is Cyber Essentials?

Cyber Essentials is an effective, Government backed scheme that is designed to help business owners protect their organisation, whatever its size, against a whole range of the most common cyber attacks.

Whilst cyber attacks come in many shapes and sizes, the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Cyber Essentials is designed to prevent these types of attacks.

There are two levels of certification an organisation can achieve:

Cyber Essentials

This is a self-assessment option which gives a business protection against a wide variety of the most common cyber attacks.

Cyber Essentials shows you how to address those basics and prevent the most common attacks.

Cyber Essentials Plus

Cyber Essentials Plus has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus a hands-on technical verification is carried out.

In order to achieve Cyber Essentials or Cyber Essentials Plus, an organisation must be in a position to verify that its cyber posture meets the defined levels. To help companies get ready for certification, the NCSC offers a Cyber Essentials Readiness toolkit: a series of questions designed to help companies think about cyber security and whether or not the organisation has implemented the controls necessary for the assessment.

The toolkit asks simple questions about a company’s current IT / cyber estate and, if the respondent cannot answer a question, it points them to a helpful guide.

Cyber Advisors

Another initiative spearheaded by the NCSC is the creation of a network of cyber advisors – companies and individuals who have passed an assurance scheme backed by NCSC to allow them to act in advisory capacities to small businesses for cyber advice and guidance.

The NCSC assures Cyber Advisors as having technical competence (in this case, to implement the five Cyber Essentials Technical Controls), an understanding of the environment in which small organisations operate and their challenges, and the ability to communicate effectively.

In the just over 6 months since its creation, the scheme has:

  • Carried out 118 assessments in six locations
  • Onboarded 68 Cyber Advisor companies
  • Provided advice and practical support to around 440 customers
    • 80% of customers were small or micro organisations

A list of the current organisations authorised to act as Cyber Advisors can be found on the IASME website – IASME is the approved NCSC partner organisation which manages the Cyber Essentials Scheme and the Cyber Advisor Scheme on behalf of NCSC.