Cyber Security for Organisations
If you are a small or medium-sized enterprise (SME) then there’s around a 1 in 3 chance that you’ll experience a cyber security breach [1]. For micro / small businesses, that could result in costs of around £1,400 [1]. For larger businesses this cost escalates rapidly. Charities, education and the public sector are all significant targets of cyber attacks.
DO NOT PRESUME YOU WILL NOT BE A TARGET BECAUSE OF THE SIZE OR NATURE OF YOUR ORGANISATION
The guidance provided by the National Cyber Security Centre can’t guarantee protection from all types of cyber attack, but it does show how easy it can be to protect your organisation’s data, assets, and reputation.
If a cyber incident is happening NOW, please go to our Reporting pages to find guidance on what to do.
Our Free Services
The South East Regional Organised Crime Unit (SEROCU) Cyber Protect team offers a number of FREE cyber security support services to organisations in our region – Surrey, Sussex, Hampshire or the Thames Valley (Berkshire, Buckinghamshire and Oxfordshire). We have Police Cyber Security Advisors who can help your organisation. As the Police, we are able to offer this under the National Cyber Security Strategy and we ask for nothing in return other than feedback (and a cup of tea!).
Find out more:
Understand the Threat
CYBER ATTACKS HAPPEN AGAINST ALL SIZES AND TYPES OF BUSINESS
- 32% of UK businesses and 22% of charities identified cyber security breaches or attacks in the last 12 months [1]
- 19% had staff stopped from doing their daily work by the attack [1]
- Only 33% had cyber security policies [1]
- Phishing attacks against staff of all levels remain the most common form of attack [1]
- Only around 20% of staff receive any kind of Cyber Security training [1]
- 50% of businesses go bust within 6 months of a cyber attack if it takes a week or more to recover [2]
- Micro and Small Businesses are less resilient to attack and therefore seen as easy targets by cyber criminals
- You may be targeted because of who you do business with – an attack on the supply chain!
Consequences of Cyber Attack
- Fines or action by regulators
- Loss of earnings
- Loss of productivity
- Reputational risk – this is headline news now!
- Data loss – putting customers and staff at risk
- Personal risk – exposed personal data creates credit risk for the individuals affected
- Bankruptcy / closure
Follow Best Practice
The National Cyber Security Centre has created a wealth of information for businesses of all scales.
- SMEs and other Organisations (including much of the public sector, such as schools, colleges, parish and town councils) of a similar size should work through the Small Business Guide
- Small to Medium size Charities should work through the Small Charity Guide
- Larger Organisations should work through the Board Toolkit and work towards 10 Steps to Cyber Security
Getting engagement with staff is a critical part of creating a cyber security culture. That has to start at the top – Senior Leadership MUST demonstrate good practice and adherence to the same expectations as staff. This also includes attending the same mandatory training on cyber security and being seen to do so.
Staff deserve to be educated on cyber security. Nobody else is going to do this for them and many are intimidated by it. Pitch cyber security training as FOR THEM in THEIR PERSONAL LIVES and they are far more likely to buy in to it. Once they are doing good things in their personal life they will bring the same behaviours to work. Ensure your policies allow them to implement what they learn – such as ensuring your password policies allow them to use strong passphrases, don’t require regular changes and think about password managers at work if they need multiple logins (or use Single Sign-On technology).
- Understand your risks
- Backing up your data
- Preventing malware damage
- Keeping devices safe
- Using passwords to protect data
- Avoiding phishing attacks
- Secure video conferencing
- Supply chain considerations
- Commit to the Cyber Essentials
- Monitor the Threat
- The importance of logging
- Response and recovery
1. Understand your risks
CYBER RISKS ARE BUSINESS RISKS
Every organisation has to make difficult decisions around how much time and money to spend protecting their technology and services; one of the main goals of risk management is to inform and improve these decisions. People have had to deal with dangers throughout history, but it’s only relatively recently that they’ve been able to do so in a way that systematically anticipates and aspires to control risk.
Someone should have ownership of the risks arising from your digital world. These should feature on your risk register.
The best place to start is with NCSC’s basic risk management guidance, which is probably sufficient for most Sole Traders and SMEs:
2. Backing up your data
Think about how much you rely on your business-critical data, such as customer details, quotes, orders, and payment details. Now imagine how long you would be able to operate without them.
All businesses, regardless of size, should take regular backups of their important data, and make sure that these backups are recent and can be restored. By doing this, you’re ensuring your business can still function following the impact of flood, fire, physical damage or theft. Furthermore, if you have backups of your data that you can quickly recover, you can’t be blackmailed by ransomware attacks.
We know that backing up is not a very interesting thing to do (and there will always be more important tasks that you feel should take priority), but the majority of network or cloud storage solutions now allow you to make backups automatically. Using automated backups not only saves time, but also ensures that you have the latest version of your files should you need them. Read more:
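The two properties this section asks for, that a backup is recent and that it can actually be restored, are cheap to check automatically. The following is an added example written for this page, not code from SEROCU or the NCSC: it archives a folder together with a manifest of file hashes, checks the newest archive against an assumed daily schedule, restores it to scratch space and proves the restored files match the manifest. All paths, the 24-hour schedule and the sample files are constructed for the demonstration.

```python
"""Added example (not from the SEROCU page or the NCSC): back up a folder with a
hash manifest, check the backup is recent, and prove it restores intact."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # assumption: a daily backup schedule


def sha256_tree(root: Path) -> dict:
    """Map each file under `root` (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    """Sidecar file recording what the archive should contain."""
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Archive `source` as a timestamped tar.gz and write its hash manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = sha256_tree(source)
    archive = backup_dir / f"backup-{int(time.time())}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # relative names only, so the archive cannot escape its target
            tar.add(source / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def newest_backup(backup_dir: Path) -> Optional[Path]:
    """The most recently written archive, or None if there has never been one."""
    archives = sorted(backup_dir.glob("backup-*.tar.gz"), key=lambda p: p.stat().st_mtime)
    return archives[-1] if archives else None


def backup_is_recent(archive: Path, max_age: float = MAX_BACKUP_AGE_SECONDS) -> bool:
    """An archive older than the schedule allows means there is data you could not recover."""
    return (time.time() - archive.stat().st_mtime) <= max_age


def verify_restore(archive: Path) -> bool:
    """Restore into scratch space and compare every file hash with the manifest.
    An unreadable, truncated or manifest-less archive is treated as not restorable."""
    try:
        expected = json.loads(manifest_path(archive).read_text())
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuse members that escape scratch
                except TypeError:  # Python versions without the `filter` argument
                    tar.extractall(scratch)
            return sha256_tree(Path(scratch)) == expected
    except (OSError, EOFError, ValueError, tarfile.TarError):
        return False


def demo() -> dict:
    """Build a constructed data set, back it up, run both checks, and show that a
    truncated copy of the archive is caught by the restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "live-data"
        (source / "orders").mkdir(parents=True)
        (source / "customers.csv").write_text("id,name\n1,Constructed Example Ltd\n")
        (source / "orders" / "2024-01.csv").write_text("order,amount\n1001,250.00\n")
        backup_dir = Path(tmp) / "backups"
        archive = make_backup(source, backup_dir)
        damaged = backup_dir / "damaged.tar.gz"  # constructed: same manifest, last bytes missing
        damaged.write_bytes(archive.read_bytes()[:-40])
        manifest_path(damaged).write_text(manifest_path(archive).read_text())
        return {
            "newest_is_latest": newest_backup(backup_dir) == archive,
            "recent": backup_is_recent(archive),
            "restorable": verify_restore(archive),
            "damaged_detected": not verify_restore(damaged),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest is the important design choice: comparing a restore against the live data would fail as soon as the business edits a file, whereas comparing against the hashes recorded at backup time answers the question the section actually asks, which is whether this archive can be brought back exactly as it was taken.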
3. Preventing malware damage
Malicious software (also known as ‘Malware’) is software or web content that can harm your organisation. The most well-known form of malware is viruses, which are self-copying programs that infect legitimate software.
A vast amount of malware can be avoided or prevented through simple steps. It is important to add the staff element by educating them about phishing, as a lot of malware arrives through staff clicking on the wrong things.
Another frequent and (in most cases) easily solvable cause of malware successfully infecting systems is out of date software. Updating and patching hardware (the technology) and software is a crucial step, often overlooked. Small organisations can usually allow automatic updates on most systems (where available) without too much trouble. Larger organisations need a change management process to ensure updates do not stop functionality and productivity.
All firms need a roadmap for hardware AND software. End of Life for specific software is published WELL in advance, yet we continue to see people using Windows XP (died in 2014), Windows 7 and Windows Server 2008 R2 (both die in January 2020) with resulting malware infections from known vulnerabilities. Windows is far from the only problem – you need a register of ALL software and hardware you use with a record of the update process chosen and expected End of Life. Upgrade well in advance so there are no surprises.
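The register described above only earns its keep if something reads it and shouts before a date is missed. As an added example (not from the SEROCU page or the NCSC), here is a minimal software and hardware register that records the update route and expected End of Life for each item, with a check that flags anything already past End of Life or inside an assumed one-year upgrade lead time. The register entries and the review date are constructed; the Windows dates are the vendor's published end-of-support dates.

```python
"""Added example (not from the SEROCU page): a software/hardware register with
End of Life tracking and a review that flags items needing action."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

UPGRADE_LEAD_TIME = timedelta(days=365)  # assumption: start replacements a year ahead


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # "software" or "hardware"
    update_process: str  # how updates reach it: automatic, change-managed, manual, none
    end_of_life: date    # vendor-published end of support


def eol_status(asset: Asset, today: date, lead_time: timedelta = UPGRADE_LEAD_TIME) -> str:
    """PAST EOL: no more security fixes; UPGRADE DUE: inside the lead time; else OK."""
    if today >= asset.end_of_life:
        return "PAST EOL"
    if asset.end_of_life - today <= lead_time:
        return "UPGRADE DUE"
    return "OK"


def review_register(register: List[Asset], today: date,
                    lead_time: timedelta = UPGRADE_LEAD_TIME) -> Dict[str, List[str]]:
    """Group asset names by status, soonest End of Life first, so the action list is obvious."""
    report: Dict[str, List[str]] = {"PAST EOL": [], "UPGRADE DUE": [], "OK": []}
    for asset in sorted(register, key=lambda a: a.end_of_life):
        report[eol_status(asset, today, lead_time)].append(asset.name)
    return report


def unmanaged_assets(register: List[Asset]) -> List[str]:
    """Items with no update route at all cannot be patched even while supported."""
    return [a.name for a in register if a.update_process == "none"]


# Constructed sample register. Windows end-of-support dates are Microsoft's published dates.
SAMPLE_REGISTER = [
    Asset("Windows XP (reception PC)", "software", "none", date(2014, 4, 8)),
    Asset("Windows 7 (finance laptop)", "software", "automatic", date(2020, 1, 14)),
    Asset("Windows Server 2008 R2 (file server)", "software", "change-managed", date(2020, 1, 14)),
    Asset("Office firewall appliance", "hardware", "manual", date(2021, 6, 30)),
]


if __name__ == "__main__":
    review_date = date(2019, 6, 1)  # constructed review date, before the January 2020 deadline
    for status, names in review_register(SAMPLE_REGISTER, review_date).items():
        print(f"{status}: {', '.join(names) or '-'}")
    print("No update route:", unmanaged_assets(SAMPLE_REGISTER))
```

Run on the constructed review date of 1 June 2019 the report puts Windows XP under PAST EOL, both January 2020 items under UPGRADE DUE and the firewall under OK, which is exactly the "upgrade well in advance" view the section asks for. In practice the register would be loaded from the organisation's own inventory rather than hard-coded.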
Read more on Preventing malware damage:
4. Keeping devices safe
Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones. What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than ‘desktop’ equipment. There are 5 key steps:
- Switch on Password protection
- Make sure lost or stolen devices can be tracked, locked or wiped
- Keep your device up to date
- Keep your apps up to date
- Don’t connect to unknown Wi-Fi Hotspots
5. Using passwords to protect data
Passwords… a persistent problem! Everyone hates them. We all have too many of them. Yet they represent the keys to the kingdom!
Your laptops, computers, tablets and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access. It is essential that this data is available to you, but not available to unauthorised users.
Passwords – when implemented correctly – are a free, easy and effective way to prevent unauthorised users accessing your devices. Layered with Two-Factor Authentication (2FA) they massively increase your cyber security.
Importantly – help your staff make good password decisions:
- Encourage good personal Cyber Security – they will then bring this into work
- Get them to read our guidance on creating STRONG PASSPHRASES
- Make sure your password policies allow them to create Strong Passphrases as per our guidance
- Stop making them change passwords for the sake of it – this only makes them use rubbish passwords with a number or letter changing each time. Even Microsoft has come round to this and removed the requirement
- Use Single Sign-On where possible to avoid password frustrations. Consider using a suitable Password Manager for businesses if not
Read more about the right approach to passwords:
6. Avoiding phishing attacks
Phishing remains the NUMBER ONE SOURCE of data breaches and the most common route for malware to make it into your company.
In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to bad websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your organisation’s information.
Whatever your business, however big or small it is, you will receive phishing attacks at some point. Think about how you will help your staff understand the threat and how to spot phishing. As with other advice, give them the tools to defend against it in their personal lives and they will bring that behaviour back to work.
There are other important steps which mitigate the impact when the phishing succeeds. You will never stop it all. DO NOT BLAME staff when they get it wrong – they are only human. Read more about defending against phishing:
7. Secure video conferencing
The use of video conferencing – particularly for remote working – has surged in recent months and years. While the capability brings significant benefits it also brings risks. Make sure that in implementing this technology a proper process is followed to ensure security. Find out more:
8. Supply chain considerations
It is a cliché, but the Supply Chain is only as strong as the weakest link.
One consideration is to ask what your suppliers are doing to demonstrate good cyber security practice. You might choose to insist on supplier accreditation in any procurement or contracting process – such as Cyber Essentials. Demonstrate you are a cyber secure contracting partner by getting accreditation. Read on for more on that…
9. Commit to the Cyber Essentials
Cyber Essentials, from the National Cyber Security Centre, helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security. The scheme is ideal for SMEs or any other size of organisation. It was created in response to complaints about the cost of other accreditation programmes, some of which are too expensive or too complex for small businesses (though may be more appropriate for specialist sectors or those working with sensitive data).
Five technical controls that you can put in place today:
- Secure your Internet connection
- Secure your devices and software
- Control access to your data and services
- Protect from viruses and other malware
- Keep your devices and software up to date
You can self-assess to verify your posture, or gain accreditation to demonstrate your compliance. Accreditation at the basic level costs £300. Consider requiring that your supply chain is Cyber Essentials accredited where there is an exchange of data.
Find out more:
10. Monitor the threat
It is important to maintain an understanding of the threats facing organisations and you may wish to have a set process for creating internal threat reports. Those organisations who may be more likely to be attacked due to the nature of their business or function should consider having a designated person. They would have a remit to monitor threat intelligence and perform Open Source Intelligence (‘OSINT’) research around your organisation and what people are saying about it, or what they may do to it.
There are a number of public feeds for cyber threat information from the UK Government and UK Police cyber community. This includes:
Network Defenders – join CiSP!
UK organisations should consider having the person with responsibility for cyber security join CiSP – the Cyber security Information Sharing Partnership. If you outsource this function ask them if they are CiSP members.
CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business. Network Defenders, UK Government, the National Cyber Security Centre, ROCU Protect Network and Law Enforcement can share information promptly and securely on the platform.
To become a registered CiSP member you must be:
- A UK registered company or other legal entity which is responsible for the administration of an electronic communications network (internal or otherwise) in the UK
- Sponsored by either a UK Government department, existing CiSP member or a regional Cyber PROTECT police officer or industry champion.
If you are an eligible organisation in the South-East region (Thames Valley, Hampshire and the Isle of Wight, Surrey or Sussex Police areas), we may be able to sponsor you to join CiSP. Please make contact with the Cyber Protect team (firstname.lastname@example.org) before applying on the CiSP platform to discuss whether it is appropriate for us to be your sponsor. Please be aware we make personal contact with all applicants to verify status and suitability. If anybody in your organisation is already a CiSP member we cannot act as your sponsor. The application process may take a number of days.
Once you have a sponsor, you can apply here:
In the meantime, if you are on LinkedIn and Twitter, it’s worth connecting with SEROCU Cyber Protect to assist in this process.
11. The importance of logging
Logging is the foundation on which security monitoring and situational awareness are built. Effective log-keeping can help you understand:
- What has happened?
- What is the impact?
- What should we do next?
- Has any post-incident remediation been effective?
- Are our security controls working?
Logs will help you monitor and improve your cyber defences as well as respond to and recover more quickly from a cyber incident.
It doesn’t have to cost the earth…
In fact, the National Cyber Security Centre has created a project called Logging Made Easy (LME), which is a curated collection of free, open-source applications with simple guidance on how to set things up. This project is suitable for a Windows network.
They have produced this for organisations that:
- Don’t have a SOC, SIEM, or any monitoring in place at the moment
- Lack the budget, time or understanding to set up their own logging system, or buy a professional solution
- Recognise the need to begin gathering logs and monitoring their IT
12. Response and recovery
Unforeseen events, both malicious and accidental, can occur in many ways. So it is impractical to develop detailed step-by-step instructions to manage every type of incident, as the list could be endless. Instead you should prepare your business for the most common threats you face by developing plans to handle those incidents most likely to occur.
Being prepared can significantly reduce the time it takes to recover, the cost of recovery and the overall impact on your business. It may change a major cyber incident into a minor one. It may impact on the need to report incidents to a regulator or reduce the public relations impact.
The National Cyber Security Centre has created a partner to the Small Business Guide in the Response & Recovery Guide. This guides you on how to:
- Prepare for incidents
- Identify what’s happening
- Resolve the incident
- Report the incident to wider stakeholders
- Learn from the incident
Reporting a Cyber Incident
If you are an organisation under live cyber attack, you can seek specialist help over the telephone from Action Fraud’s 24/7 cyber incident helpline. Read more:
There is no point in having planned for a cyber incident without testing your plan. This is a concept all organisations are familiar with in the world of fire drills (and we do not wish to belittle the importance of these) – yet a cyber attack is now far more likely than a fire in most organisations.
Cyber Drills or Exercises were, for a long time, costly and generally involved bringing in a third-party specialist. There is merit in this depending on the nature of your organisation, but in response to these issues the National Cyber Security Centre has created ‘Exercise in a Box’ – a set of tabletop exercises (and one technical threat-hunting exercise) which your organisation can run through for FREE.
To find out more and sign up: