How to become cyber resilient

  • Discover why cyber crime needs to be on all businesses’ radars
  • Learn how to increase your business’s cyber resilience
  • Get ideas of actions you can implement straightaway

It’s a never-ending war of attrition. As fast as companies find ways to protect themselves from cyber attacks, malicious actors find new ways round the defences. So, what can you do to help protect your business from threat?

Over the years there have been many high-profile cyber attacks. Some result in an organisation not being able to use its computers without paying a ransom – The Guardian newspaper, Greater Manchester Police, Royal Mail and NHS hospitals included. Others result in fraud, financial losses, theft of proprietary information, reputational damage, loss of customers, misinformation and other harms. The scale of the problem can seem insurmountable, particularly to smaller businesses with limited resources compared with multinationals with dedicated cyber security teams.

Cyber security strategy

In response to the growing threat, the UK government introduced the National Cyber Strategy 2022. Elements of this strategy are useful for companies to adopt – especially the principle of developing cyber resilience, with its three key objectives:

  • Objective 1: Understand cyber risk.
  • Objective 2: Prevent and resist cyber-attacks.
  • Objective 3: Prepare, respond and recover.

So, how can you turn these objectives into practical, simple and straightforward things you can do to protect your business, reduce risks and build resilience – especially as all of this has to be done while running the business itself? Here are some practical suggestions to get started.

Become cyber aware

Embedding cyber security as a core part of doing good business is essential. Make everyone in the organisation realise that they are part of the risk and part of the solution, and that it’s not just down to the IT person. The simple act of an employee responding to an email could put a business at risk, if it’s a malicious email disguised as a helpful one.

Around two-thirds of the fraud victims (68%) in the Cyber security breaches survey 2023 said that a phishing attack led to the fraud.

What is phishing?

Phishing is scam emails or text messages containing links to websites that may host malware, or that may trick users into revealing sensitive information (such as passwords) or transferring money.

What to do first

Get familiar with the National Cyber Security Centre (NCSC) website. Start by formulating your Cyber Action Plan. This will help you benchmark where you are at the moment and guide you to what you need to do to make yourself safer. You can also read the Small Business Guide to Cyber Security and find out how to spot scams.

It’s also worth signing up to the NCSC’s advisories. These will alert you to common and new threats to watch out for. There’s a monthly newsletter specially aimed at small organisations, or more frequent threat reports.

Practice good cyber hygiene

You’ll see good cyber hygiene referred to on both the NCSC and GOV.UK websites. Just as we all got used to washing our hands more frequently during the pandemic to keep us safe, practising good cyber hygiene will help keep you better protected against harm.

Good cyber hygiene includes things like:

  • Using unique strong passwords – don’t make them easy for criminals to guess. This applies to things like email, chat and messenger systems, company servers or cloud servers, computers and other devices, bank accounts and social media accounts.
  • Turning on multi-factor authentication – especially for email, as it often gives access to other accounts through the “forgot password” mechanism. Two-step verification is where you are asked for a second piece of information to prove your identity. For example, a code is sent to your mobile phone for you to type in.
  • Restricting permissions, access and admin rights – give people the minimum access to systems that they need to do their job. For example, stop users from installing programs on their computer so that this can be done only by someone with the admin password.

What to do first

Set up your system and your network so users can’t use simple passwords – for example, set a minimum length and require numbers or special characters. Make sure that people who leave lose their access to the system straight away.
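The password rules above are the kind of thing a system can enforce at the point a password is chosen. The following is an added example, not part of the original article or any NCSC material, showing a policy check in Python: it requires a minimum length and at least one number or special character, as the article suggests, and goes a little further by also rejecting passwords built from a well-known base word (after undoing common substitutions such as “@” for “a”) and passwords containing the username. The word list, the minimum length of 12 and the function names are all assumptions made for the example.

```python
import string

# Constructed list of common base words; stands in for a real breached-
# password list (an assumption for this example, not something the article names).
COMMON_BASE_WORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "iloveyou",
    "monkey", "dragon", "football", "123456789",
}

MIN_LENGTH = 12  # assumed policy value

# Substitutions people commonly use to dodge simple word checks.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "5": "s", "7": "t"})


def base_word(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions.

    'P@ssw0rd2024!' becomes 'password', so it can be matched against the list.
    """
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(_LEET)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy rules the password breaks; an empty list means it is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_digit or has_special):
        failures.append("contains no number or special character")
    if password.lower() in COMMON_BASE_WORDS or base_word(password) in COMMON_BASE_WORDS:
        failures.append("based on a well-known password")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no rule is broken."""
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@ssw0rd2024!", "alice-rides-a-bike-7",
                      "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate, username="alice") or "OK")
```

The base-word check is the part worth copying: a length-and-character-class rule on its own will happily accept “P@ssw0rd2024!”, which is one of the first guesses a criminal will try. In a real deployment the constructed word list would be replaced by a proper list of known-breached passwords.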

Train your team

People are your strongest asset and your biggest potential weakness. Make sure your team know what is expected of them: cyber security is everyone’s responsibility. Set out policies for the kind of behaviour you expect – such as not writing down or sharing passwords. Help them learn how to recognise potential issues and threats, and what to do if they spot something. With people working from home or on the road, you also need to ensure that everyone is working safely. Educate staff not to use unsecured public networks in a hotel, coffee shop or train. On such a network an attacker could potentially see confidential information you are sending, like passwords and financial details. In some cases, cybercriminals could even monitor your keystrokes or install malware over a public network.

What to do first

Include cyber security in your onboarding process for new members of staff. Share policies and include training where possible. Get them to take the NCSC’s short cyber security training course with a quiz to test what they’ve learned. Share examples of phishing emails or ways of spotting them so that people know what to look out for.

Keep up to date

Many criminals exploit weaknesses in software or hardware. A “zero day vulnerability” is a flaw in a system that the developer or provider isn’t yet aware of; a zero day attack is where this vulnerability is exploited before the developer has had the chance to mitigate or fix it. Use antivirus software on all your devices.

What to do first

Apply any updates to your apps and your device’s software as soon as they are available. Updates often fix the security flaws that viruses and other kinds of malware exploit, and will often include improvements and new features.

Back up your data

Imagine your business suffered a ransomware attack or data was wiped maliciously: how would you be able to find customer records, staff records and more? Identify the data that needs to be protected and backed up – it can be anything from photos and calendars to documents and personal information. Back up your data so that, if an attack happens, you have a fallback position. Think about how frequently you want your data backed up – for example overnight, so that you will only ever lose less than a day’s data.

What to do first

Decide whether you want to use cloud storage or removable/portable storage such as an external hard drive or USB drive. Make sure data is backed up regularly and, if you use a removable device, that it is disconnected from the system when not being backed up to, so that it cannot be infected or encrypted too.
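A backup is only a fallback position if you can trust what is on it. The following is an added example, not part of the original article, of a small Python backup routine for a removable drive or a mounted cloud folder: each run copies the live folder into a timestamped directory, records a SHA-256 digest of every file in a manifest, prunes copies older than the last few runs, and a separate check confirms later that nothing in a backup has been altered or lost. The folder layout, the `keep` value and the function names are assumptions for the example; `demo()` runs the whole thing on constructed sample files in a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def _sha256(path: Path) -> str:
    """Digest a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map each file's relative path (POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest_root: Path, keep: int = 7, stamp: str = "") -> Path:
    """Copy src into dest_root/backup-<stamp>/data, write a manifest, prune old copies."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    target = dest_root / f"backup-{stamp}"
    shutil.copytree(src, target / "data")
    manifest = make_manifest(target / "data")
    (target / "manifest.json").write_text(json.dumps(manifest, indent=2))
    # Folder names sort by timestamp, so the oldest copies come first.
    backups = sorted(p for p in dest_root.glob("backup-*") if p.is_dir())
    for old in backups[:-keep]:
        shutil.rmtree(old)
    return target


def verify(backup_dir: Path) -> list:
    """Return the files whose content no longer matches the manifest, or are missing."""
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = make_manifest(backup_dir / "data")
    return sorted(p for p in expected if actual.get(p) != expected[p])


def demo() -> dict:
    """Constructed end-to-end run: three nightly backups, a clean check, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "list.csv").write_text("id,name\n1,Alice\n")  # constructed
        (src / "invoices.txt").write_text("INV-001 paid\n")                # constructed
        dest = tmp / "usb"  # stands in for the mounted removable drive
        dest.mkdir()
        latest = None
        for day in ("20240101", "20240102", "20240103"):
            latest = backup(src, dest, keep=2, stamp=day)
        remaining = sorted(p.name for p in dest.iterdir())
        clean = verify(latest)
        # Simulate a corrupted or maliciously altered file inside the backup.
        (latest / "data" / "invoices.txt").write_text("INV-001 UNPAID\n")
        tampered = verify(latest)
        return {"remaining": remaining, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Two points the code cannot do for you: it does not unplug the drive, so the run should be scheduled and the device physically disconnected afterwards as the article says; and an attacker who can write to the backup can rewrite `manifest.json` as well, so keeping a copy of each manifest somewhere the backup drive cannot reach makes the verification meaningful.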

Prepare for an incident

With cyber attacks it’s not so much a question of ‘if’ but ‘when’ you get targeted. You should plan for a variety of potential issues, such as what happens if someone’s work laptop is stolen. Make sure your team understand what they need to do and who they need to tell, as this is important to help minimise damage. Some viruses can spread around a network in seconds or minutes if someone clicks on the wrong thing. Have policies in place for situations such as accounts staff getting a call out of the blue from someone they don’t know, saying that one of your suppliers has new bank details. In that case the staff member should ring the supplier on a number they already know and speak to a contact they know, to verify the information.

What to do first

Write appropriate cyber policies and share them with staff. Install and turn on tracking applications for all available devices such as phones and laptops so you can find them or delete their data if necessary. Switch on automatic updates for software and apps. Work your way through ticking off the actions in the NCSC’s Small Business Guide to Cyber Security; many of them are the straightforward things we’ve mentioned here. If you or your clients need cyber cover, or just want to find out how we can support you at NIG, please contact your usual NIG contact or visit https://nig.com/products/cyber-cover/. There is also information and further advice on our risk management portal, NIG Risk Assist (nigbrokerriskassist.com).