
Cyber Security

What is Cyber Security?

Cyber security is about protecting the devices we all use and the services we access online – both at home and work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices and online.

Why does Cyber Security matter?

An increasing number of businesses are being seriously impacted by cyber incidents. An incident is a breach of the security rules for a system or service, such as:
  • Attempts to gain unauthorised access to a system and/or data
  • Unauthorised use of systems for the processing or storing of data
  • Changes to a system's firmware, software or hardware without the system owners’ consent
  • Malicious disruption and/or denial of service

For example, a phishing attack might attempt to steal money and passwords, or a ransomware attack might encrypt files, preventing access. But why do attacks happen?
  • Businesses hold plenty of sensitive information
  • Cyber criminals want to make money
  • Many cyber incidents are untargeted

The Department for Digital, Culture, Media and Sport produces an annual survey detailing business and charity action on cyber security, and the costs and impacts of cyber breaches and attacks. The 2021 survey found that four in ten businesses (39%) reported having cyber security breaches or attacks. Of those, around a quarter (27%) experienced them at least once a week, with the most common being phishing attacks (83%*).

There are a number of direct and indirect costs when a breach happens; for example: loss of income, staff downtime or overtime and possible reputational damage. Where businesses have faced breaches with material outcomes, the average cost is estimated at £8,460*.

If you would like to test how resilient your business is to a cyber attack and practise your response in a safe environment, check out the NCSC’s Exercise In A Box tool. It is completely free, and you don’t have to be an expert to use it. The tool provides exercises based around the main cyber threats. It includes everything you need for setting up the exercise, planning, delivery, and post-exercise activity, all in one place.

If you are looking for more information on how to prepare for a cyber incident, from response through to recovery, check out its Response & Recovery guidance.

Protecting your business from cyber incidents

The National Cyber Security Centre (NCSC), a part of GCHQ, is the UK’s technical authority for cyber security. Its aim is to help to make the UK the safest place to live and work online.

It supports the most critical organisations in the UK, the wider public sector, industry, SMEs as well as the general public.

When incidents do occur, it provides tailored advice to help victims reduce harm, recover effectively and learn lessons for the future.


What are the top threats to businesses?

  • Ransomware – Malicious software that makes data or systems unusable until the victim makes a payment.
  • Phishing – Untargeted, mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website. You can report suspicious emails directly to the NCSC’s Suspicious Email Reporting Service (SERS) using Office 365’s Report Phishing add-in for Outlook (available to corporate or business versions of O365). You can also report potential phishing messages or scam websites via SERS.
  • Virus – Programs which can self-replicate and are designed to infect legitimate software programs or systems. A form of malware.
  • Insider Risks – The potential for damage to be done maliciously or inadvertently by a legitimate user with privileged access to systems, networks or data.

Who is behind cyber attacks?

  • Online criminals – Criminals can be very good at identifying what can be monetised; for example, stealing and selling sensitive data, or holding systems and information to ransom.
  • Hackers – Individuals with varying degrees of expertise, often acting in an untargeted way – perhaps to test their own skills or cause disruption for the sake of it.
  • Malicious insiders – Use their access to an organisation’s data or networks to conduct malicious activity, such as stealing sensitive information to share with competitors.
  • Honest Mistakes – Sometimes staff, with the best intentions, just make a mistake; for example, by emailing something sensitive to the wrong email address.

WHERE SHOULD I REPORT A CRIME OR FRAUD TO?

  • Follow your organisation’s procedures for reporting internally
  • Report to Action Fraud – by calling 0300 123 2040 or go to www.actionfraud.police.uk
  • For Scotland report through Police Scotland’s 101 call centre.
  • Additionally report to the NCSC via its website.
  • In certain circumstances you may be legally required to report to the Information Commissioner’s Office (ICO)

What actions can your business take

Cyber security might seem like a daunting challenge for your business. To help you on your cyber security journey, the NCSC has produced a portfolio of products and guidance tailored for the SME community, offering tips that are both practical to follow and affordable to implement. By following our advice and guidance, you can significantly reduce the chances of your business becoming a victim of a cyber crime.

Find out how to stay secure online with our Cyber Aware Action Plan. Answer a few questions on topics like passwords and two-factor authentication and get a free personalised action plan that will help you improve your business’s online security. The six actions outlined in its Cyber Aware campaign are:
  1. Use a strong and separate password for your email
  2. Create strong passwords using 3 random words
  3. Save your passwords in your browser
  4. Turn on two-factor authentication (2FA)
  5. Update your devices
  6. Back up your data

Our Small Business Guide offers practical and affordable advice in five key areas where businesses should take action to boost their cyber defences, including how to back up data, patch devices and spot some of the more obvious signs of phishing.

Consider using the NCSC’s free E-learning modules, which can be completed online or built into your own training platform. Top Tips for Staff is free to use and takes less than 30 minutes to complete. The training introduces why cyber security is important and how attacks happen. It covers four key topics:
  1. defending yourself against phishing
  2. using strong passwords
  3. securing your devices
  4. reporting incidents

Its Cyber Security for Small Organisations training guides businesses through the actions they should take in order to significantly reduce the risk of falling victim to the most common cyber attacks, such as ransomware and phishing.

The Cyber Essentials scheme is a government-backed, industry-supported scheme to help businesses protect themselves against common cyber attacks. Having Cyber Essentials certification also provides reassurance to customers and suppliers. The Readiness Tool helps businesses prepare for certification.

Businesses can stay up to date with the latest trends and topics in cyber by signing up to the NCSC’s monthly Small Organisations Newsletter. The newsletter aims to break down cyber-related issues into bitesize pieces. Each edition covers a different topic and includes advice and links to further information.

*Statistics are taken from the DCMS Cyber Breaches Survey 2021 – https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021

FURTHER INFORMATION
  • NCSC Supply Chain Security guidance proposes a series of 12 principles, designed to help you establish effective control and oversight of your supply chain.
  • NCSC Covid-19 guidance covers home working, video conferencing and moving your organisation from the physical to the digital
  • Videos: Ransomware; Phishing; Security Culture
  • SMEs Cards: NCSC have collated information about its free products and guidance into a handy guide (download at the bottom of the page).