Combatting the cyber threat
How small-to-medium sized organisations can mitigate cyber risks
“Cyber security is now a matter of business survival and national resilience”
“Hesitation is a vulnerability”
National Cyber Security Centre (NCSC)
The NCSC’s Annual Review contains stark warnings, revealing the UK is experiencing four “nationally significant” cyber-attacks every week. But big business and critical national services aren’t the only targets. Hackers increasingly have their eyes on small to medium sized organisations including smaller charities, schools, law firms and local businesses. The NCSC says 1 in 2 UK small businesses identified a cyber-attack last year.
Often small businesses or other smaller organisations don’t have the budget for specialist internal cyber/information security teams or even one dedicated specialist security role. Many rely on outsourced IT specialists to manage their systems and keep them secure.
Who’s behind the attacks?
A substantial proportion of all incidents handled by the NCSC last year were linked to Advanced Persistent Threat (APT) actors – either nation-state actors or highly capable criminal groups. The finger’s often pointed at Russia and China, but there’s also been an increase in teenage hacking gangs from English-speaking countries. This year alone seven teenagers have been arrested in the UK during investigations into major cyber-attacks.
What action to take
Cybersecurity is a challenging, occasionally intimidating, subject, which means it’s often tricky for smaller organisations to know where to start, or what extra measures should be taken. Here, then, are a few helpful resources and tips.
Cyber Action Toolkit
This new free Government service has been launched specifically to help small organisations implement foundational controls. It’s been designed to be simple and easy to follow, even if you’re new to cyber security. Using the toolkit will give you:
■ A list of personalised actions
■ A step-by-step approach – “starting with low-effort, high-impact actions”
■ The ability to build layers of protection around your business which prevent common threats such as email hacking and ransomware.
Cyber Essentials
Alongside the new toolkit, businesses are urged to implement Cyber Essentials. This helps protect your operations from the most common types of cyber-attack. Here at DPN we’re a micro business: we went through the steps to become Cyber Essentials certified. We’d encourage you to do the same; it’s worth the effort for the peace of mind it gives you.
The certification scheme includes automatic cyber liability insurance for any UK organisation that (a) certifies its whole organisation and (b) has less than £20m annual turnover.
Physical copies of your cyber-attack plans
Following high-profile cyber incidents and the rising threat, the Government has written to the chief executives and chairs of all FTSE350 companies, stressing the importance of ensuring cyber resilience is a board-level responsibility. This includes some sound advice – organisations should have physical copies of their plans. A cyber-attack could leave you unable to access your systems, so an electronic copy of your cyber incident plan may be useless.
This is wise advice for any size of business! This should include all contingency plans, including how teams will communicate until normal operations are restored.
If anyone’s seen the TV series ‘Billions’, there’s a brilliant episode where Axe Capital’s computer systems are temporarily unavailable. The old schoolers dust off their Filofaxes and ancient Nokia dumb-phones to continue trading.
This isn’t doomsday or zombie apocalypse stuff – it’s becoming as common as burglary. Businesses need to be prepared for operating without business critical electronic systems.
Another option is to have a ‘shrink-wrapped’, isolated, non-networked laptop, unconnected to any of your systems, on which you store critical plans.
11 more security tips
- Backups – make sure you have regular off-site backups of business-critical data, enabling speedier recovery from an attack. Make sure these backups can be restored quickly.
- Business continuity plan – make sure this is up to date (and keep a physical copy!)
- Multi Factor Authentication – this is a ‘must have’ wherever possible to protect personal or any other sensitive data, from your website to your CRM and crucially on financial or administrative accounts.
- Firewalls – deploy firewalls to protect your network from threats.
- VPNs – use a Virtual Private Network for employees accessing your network externally.
- Secure Wi-Fi – use strong encryption and a complex password for your wi-fi network. Don’t just use the default password provided.
- Protect against malware – use up-to-date anti-virus and anti-malware software on all business devices.
- Update software – promptly install security patches and updates for all devices and software, including router firmware. Where possible enable automatic updates.
- Access controls – make sure there are robust access controls – an extra layer of protection may be a hurdle some cyber-criminals might be unable to penetrate.
- Strong passwords – implement the use of strong passwords for all accounts. If you aren’t already, consider using a password manager.
- Grow your knowledge – whether you use an outsourced IT provider or do it all in house, you need to know enough to ask the right questions. Assign at least one person to be the internal ‘specialist’.
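The backups tip above says to make sure backups can actually be restored. A backup that has never been restored is only a hope, so the practical habit is a restore drill: restore into a scratch location and compare every file against the digests recorded when the backup was taken. The script below is an added example, not code from the original article or from DPN; it assumes a simple tar.gz backup and a SHA-256 manifest, and constructs its own sample files. Real backup tooling will differ, but the check is the same.

```python
"""Backup restore drill: write a backup, then prove it restores intact.

Added example (not from the original article). Assumes a tar.gz archive
and a SHA-256 manifest recorded at backup time.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 digest of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src into a tar.gz and return the manifest taken at backup time.

    The manifest is what the restore drill later compares against, so keep it
    with the backup (off-site, like the data itself).
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a throwaway directory and compare it to the manifest.

    Returns a list of problems (missing, altered or unexpected files); an empty
    list means the backup restores exactly as recorded.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter (Python 3.12+, backported to patch releases)
                # refuses members that would write outside dest.
                tar.extractall(dest, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(dest)
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"altered: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def run_drill() -> dict:
    """Constructed sample: two 'business-critical' files, backed up and restored.

    Returns the problems found (a) straight after backup and (b) after the
    source changed, to show the drill detecting a mismatch.
    """
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "finance").mkdir(parents=True)
        ledger = src / "finance" / "ledger.csv"
        ledger.write_text("date,amount\n2024-01-01,100\n")          # constructed sample
        (src / "contacts.txt").write_text("Alice <alice@example.invalid>\n")
        archive = Path(work) / "backup.tar.gz"

        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # The ledger changes after the backup; a fresh manifest of the source
        # no longer matches what the archive restores.
        ledger.write_text("date,amount\n2024-01-01,100\n2024-01-02,250\n")
        after_change = verify_restore(archive, build_manifest(src))
        return {"clean": clean, "after_change": after_change}


if __name__ == "__main__":
    result = run_drill()
    print("restore check straight after backup:", result["clean"] or "OK")
    print("restore check after source changed:", result["after_change"])
```

Run the drill on a schedule, not once: the point is to catch a backup job that has silently stopped working, or a restore that takes far longer than the business can tolerate, before an incident makes you find out the hard way.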
It’s worth checking out the ICO ransomware and compliance guidance which provides information on how to best protect systems.
As the NCSC says ‘hesitation is a vulnerability’ – don’t put this off. Don’t get bogged down in meetings deciding on the best course of action. Make a start today. Now.