Cyber threats can be a worrying and confusing area, especially for small businesses. Richard Bach explains the steps that organisations can take to protect themselves.

Operating online can open up a wide range of business opportunities, and some organisations simply couldn’t trade without an online presence. The ability to reach a wide audience and potential customers, often with innovative products or services, would be hard or impossible to replicate without this form of access.

In people's personal lives, too, the ability to shop, bank, be creative and socialise bring overwhelmingly positive benefits. But with these positives, there are also risks, so it’s important for all organisations that conduct any of their business affairs online to understand why these risks exist, and what can be done to mitigate them.

What is cyber?

Cybernetics was a term first coined in 1948 to describe the interaction between machines and living beings. It's derived from a Greek word, meaning to steer or govern. In modern use, as a prefix, it refers broadly to a range of malicious activities on the internet, especially with respect to criminal activities and threats against legitimate online activities. These can lead to intrusions, which is someone gaining unauthorised access to your information, and cyber-attacks, which can result in physical damage. Cyber security covers the measures that can be taken to reduce the likelihood of these events happening.

A useful analogy for this concerns home security. Most homes have things of value in them and this is known to burglars. Some burglars are opportunists, while others are professionally organised. Either way, they will look for suitable homes to target. Then, depending on a number of additional factors  – such as, does there appear to be anyone home, is there a car outside, is there an alarm system, has a window been left open – they may try to gain entry. Once inside, they will look for things of value. This applies equally to life online, where computers are the homes and the information in them is the thing of value. 

For many people, understanding what cyber is, and why it matters, can be challenging: the computer seems to be working fine, and never needs maintenance, so presumably there is nothing wrong. However, this isn’t a given, and without some expertise (or in some cases, luck), it can be hard to detect when things have gone wrong. It’s only when viewing the next bank statement that we see that someone else has been helping themselves to our money, or in business, that our customers find that their personal details have been widely shared online.  

Why does it matter?

Conducting business online presents amazing opportunities. According to the Office of National Statistics, in 2015, online sales by UK businesses outside the financial services sector totalled £550 billion – over 20 per cent of all sales for the period.

But there is a flip-side. In a broadly similar period, approximately £1 billion was lost by UK businesses to online crime. However, this figure only covers direct monetary loss. When breaches occur it can lead to significant business impacts, including websites being unavailable, loss of access to company data (for example, ransomware encrypts files and will only decrypt them once a payment has been made), leading to business interruption, and theft of data including intellectual property, all of which take effort to resolve.

According to the government’s annual Cyber Security Breaches Survey, the average cost of a breach ranges from a few thousand pounds to around £20,000, depending on the nature of the breach. But addressing the fallout from these bigger impacts means that the cost goes up. Taking account of the loss of staff time, repair costs, lost business, legal costs and so on, the figure can be much higher – considerably so for large companies.

The same government report states that nearly half of all businesses identified cyber security breaches in the past year, in spite of two thirds of companies spending money on cyber security. Sadly, it is likely that many more will be unaware that a breach has occurred: estimates of the average time to detect a breach range from 99 days to more than 200 days, with some remaining undiscovered for years.

Is cyber security different from data protection and privacy?

Although they are different in a number of ways, there is a large area of overlap between cyber security and data protection/privacy. While cyber tends to be about protecting our own information, data protection tends to be about protecting information provided by other people, for example, so that a service can be delivered to them. One important difference to note is the legal position for data protection, and this will soon be changing significantly.

In May 2018, the European Union’s General Data Protection Regulation (GDPR) comes into effect. This will replace the UK’s existing arrangements and will apply to all businesses. A particular aspect which has been widely commented on is the harsh punitive regime, compared with the UK’s current arrangements. In addition, there is a requirement to notify the relevant authority if and when a breach happens and personal information is compromised.

It is therefore important to put the right protections in place – this should start with the same simple measures described below, and the advice from the Information Commissioner's Office (ICO) – and ideally over time, for companies to establish a history of reassessment to ensure that their implemented measures are adequate. Finally, it should be noted that the provisions of GDPR will continue to apply, in spite of Brexit.

Why do breaches and intrusions happen?

Unfortunately, many businesses are not aware of how to manage the risks to their information and systems, or even what simple steps they can take to make a material improvement in how they and their customers are protected.

Often this is because either the level of the threat is not understood, or because they are inundated with advice: a simple online search for cyber security guidance yields millions of results, but there is little way of discerning the good from bad. At the end of this article is a list of known, reliable resources, covering the basics through to information for mature cyber security practitioners.

Furthermore, cyber security is often seen purely as a cost to the business (and therefore unwelcome) to prevent or reduce harmful events. However, when properly directed, spending on cyber security is not only a way of protecting existing information assets, it is an investment, enabling businesses to conduct their business online with confidence, to innovate with confidence, and to grow as a result.

What practical steps should companies take?

Especially for small businesses, the vital starting point is getting the basics right, and the government’s Cyber Essentials Scheme is a good starting place. This includes five measures, such as the appropriate use of passwords and firewalls, and keeping your software up to date.

These measures are also reflected in the ICO's guidance on data protection. Continuing the home analogy, these steps are the same as closing and locking the windows, ensuring the doors have the correct locks and that they’re correctly used, and so on. For companies who have done this and need something more sophisticated as well, the government’s 10 Steps to Cyber Security provides the necessary pointers.

Against this backdrop of risks and initial practical steps, where should you go for further advice? In the UK, we are fortunate to have a number of excellent (and free) online resources from a range of sources including the government, the police, and not-for-profits, funded jointly by the public and private sectors. Depending on your need, the go-to sites are:

• Cyber Aware: the government's main site for basic cyber security advice for organisations. It includes links to Cyber Essentials, free training for staff, Action Fraud (see below) and advice for small businesses. It also references data protection/privacy.
• Get Safe Online: a not-for-profit, which provides businesses and members of the public with a wide range of free expert advice, including a section on safeguarding children, the use of social media, and a tool for asking questions about online security. 
• The National Cyber Security Centre: the government's comprehensive resource for advice and guidance for businesses of all sizes. 
• Action Fraud: the UK's national centre for reporting fraud and cyber crime.
• Cifas: primarily for fraud prevention, provides advice on identity protection.
• Information Commissioner's Office: the UK's independent authority on data protection. Has a section specifically for SMEs and on GDPR.

About the author

Richard Bach is a Director at XQ Cyber, a company formed in 2014 by members of the UK’s defence and security community, and accredited by the NCSC.

XQ develops innovative solutions to solve difficult issues, such as the recently launched CyberScore.com, which enables automated security testing and cyber risk rating. The company also provides assurance to clients in the areas of cyber due diligence and ‘red teaming’ – assessing the whole security posture of an organisation. You can follow Richard @BachCES and XQ @XQCyber.