This year, Cyber Tec Security teamed up with partners, the Police Digital Security Centre, to deliver a webinar educating SMEs on the importance of cyber compliance and security standards. Below is a condensed transcript of the highlights from the panel's discussion.
Simon Newman (SN):
Good morning everyone. My name is Simon Newman, Head of Cyber and Business Services for Police Crime Prevention Initiatives. I'm delighted to be joined today by three experts in their fields.
First of all, Robin Phillips. Robin is Cyber Tec's Customer Experiences Manager who works with our reseller community. He has over 30 years' experience in the IT industry, is a PRINCE2 Agile trained Project Manager and has worked with the likes of IBM, Microsoft and Circo in both public and private sectors.
I'm also joined by Clive Madders, Cyber Tec's CTO and Chief Assessor. He works directly with businesses as they go through the process of achieving Cyber Essentials, so very much understands where the common vulnerabilities lie for SMEs. With over 25 years' experience in the industry, he has built up an extensive repertoire delivering managed ICT services, cyber certifications and advanced security solutions to help improve the cyber security maturity of businesses across the UK.
And last but not least, Michelle Kradolfer from the Police Digital Security Centre. Michelle has been with PDSC for a number of years and supports our SME customers, helping raise awareness of the importance of cybersecurity within their organisations. Welcome, Michelle.
Okay, straight into this morning's webinar. We hear lots of people talk about compliance, but what do we mean by it? What's your understanding of compliance in terms of cybersecurity?
Michelle Kradolfer (MK):
So the first thing I want to delve into is what do we actually mean by cyber security? In very simple terms, cyber security is looking at how organisations and individuals can reduce the vulnerability and risk of experiencing a cyber attack. It's about the application of technologies, processes and controls to protect people, networks, devices, and data from cyber attacks, and what steps need to be taken to achieve that.
Now, compliance is all about following rules and meeting requirements, and that's not any different when we're looking at it from a cybersecurity perspective. Cyber security compliance involves creating and putting in place various risk-based controls to protect the accessibility, confidentiality and security of information that is stored, processed and transferred.
And of course, it's important to understand that cyber security standards and regulations vary depending on the location and industry an organisation is in. For example, with GDPR, any organisation that has data belonging to EU citizens needs to comply with the regulations and put in place sufficient security protocols to protect and secure that information. If they fail to do so, they can face a very hefty fine, and that can be very devastating for some SMEs.
So while many organisations have invested resources and time into complying with GDPR regulations, there's still a lack of focus on implementing proper cyber security guidelines across the entire business to protect against and prevent such a breach or attack. The issue is that some organisations still underestimate the value of data they actually hold. Details about customers' contracts, even intellectual property, have value to cyber criminals.
Thanks to the COVID-19 pandemic, cybercrime has increased by 600% and, according to the Department for Digital, Culture, Media and Sport's Cyber Breaches Survey, 38% of all SMEs have already experienced cyber attacks in the last 12 months, of which 82% were phishing attacks. So there are still SMEs currently lacking the appropriate resources necessary to defend against these attacks, which puts them at risk.
What they can do to reduce those chances of being a victim of cybercrime is benchmark security controls against an established standard, which is where Cyber Essentials and even our own Digitally Aware assessment scheme come in very handy to help them get on that cybersecurity journey, and implement those very simple and easy controls that can protect them.
Obviously, to achieve compliance, the most important thing for SMEs is to remember that cyber security is not an issue that only needs to be addressed by their IT department. It's everyone within the organisation that needs to participate and comply with those controls in order to ensure that the whole system is secured. They need to understand their own digital risk, identify the types of digital data they hold, and where those vulnerabilities lie within the organisation so that they can look at what controls need to be put in place to help them be secure. Because the threat keeps evolving, cyber criminals are finding new ways to breach these networks, and it's important that businesses stay on top of that.
SN:
Thanks Michelle, a huge amount there. This is different to something like an MOT for a car where you go through a test once a year and it gives you a clean bill of health for the next 12 months. Cyber security and compliance is about continuously checking to make sure that your standards are being met and that you've implemented the right controls. It's not just about technology, but also about people as well, which is a really important part to get across.
Robin, perhaps a question that leads on from this: in simple terms, why should SMEs care about cyber security, and why should it be factored into their budgets? I often hear from SMEs who see cyber security as a cost as opposed to an investment, so really keen on your thoughts. What's your view on this?
Robin Phillips (RP):
Well, Simon, it's interesting that you draw the analogy for the MOT. Because the analogy onward from that would be to compare it to car insurance. For instance, nobody wants to shell out on the large premium, the add-ons, etc. IT managers and business owners budget for things that are right in front of them which seem like an obvious benefit to the business.
But cyber security is very much like insurance. It's there to prevent the fallout of the inevitable happening. One of the things that the NCSC always say is that it's not if you have an attack, it's when. Last year 65,000 attacks per day were recorded in the SME community. It's inescapable; this is going to happen to you. So just like insurance, if you don't have it and the inevitable happens, you're going to be in difficulty.
We've been living in a very unusual business and social environment for the past 12 months. But that aside, there have never been more online transactions, both for business and on a personal basis. And looking at the massive amount of home workers that are out there, I think this will continue for a very long time. It will create a trend where people realise that a distributed workforce is a good way of operating. But in doing so, that means there are more threats.
We're used to having our laptops and mobile devices to access work, we're used to being able to dial in and see what's in our inbox. We're used to being able to interact and react on some applications with businesses, but we're also used to booking our gym space or booking our coffee - the list is literally immeasurable and it's going to continue like that.
Therefore, cyber security is about threat mitigation. Hackers are online so the risk to your business is online, and so to secure that, the right controls need to be put in place. You mentioned the word budget. The question is: What is the risk if it's not in the budget?
SN:
Thank you, Robin, that's really helpful. As you say there are a number of threats and challenges that are out there and it's important that SMEs do take the opportunity to review the level of security they've got and the information they hold, as Michelle said.
Clive, Robin highlighted there the impact of COVID-19 and the fact that we've seen many businesses move to a much more online-focused approach. Really keen for your thoughts about how the past year has impacted the need for security improvements and risk mitigation Clive?
Clive Madders (CM):
Yes, I think it's quite an interesting one. In the last 12-14 months or so, we were forced into a worldwide proof of concept of home working, and businesses who felt that they'd never be able to work from home were forced to do so. Subsequently what we have realised is that this is something that can be achieved. Staff are now considering: do I really want to go back to the office full time, do I want to stay at home, or do two or three days a week?
So over the last year, we've seen a number of risks and issues, especially for businesses who've never considered home working. Now there's equipment at home that they don't have full control over, they don't control the network that their devices are connected to because it's now in a home office or at home. There might be lots of other technologies on that same network, the children's or your partner's devices and all these kinds of things. So the risk is really around how you know what's connecting to your system.
In the early days of COVID, we actually had a shortage of IT equipment, so I think lots of businesses decided the only way to work was to allow their users to work from home using whatever device they happen to have at home. But we don't know what it is. Are we patching it? Is it up to date? What software is installed on it? Are there any vulnerabilities? Where you used to, say, get a phishing email in the office and you weren't sure about it, you might turn to a colleague to have a look at it. Now at home, you might be more inclined to click it.
So this is all about understanding how we control the environment that is now a bigger risk because our network has increased perhaps from one or two locations to potentially hundreds of locations, as our staff have all moved.
SN:
Crikey, it just goes to show how a sudden change can result in opportunities for criminals. I think I read somewhere that phishing attacks have gone up by something in the region of 400% over the past 12 months, as you say because people are now working more online and are expecting emails and let their guard down a little bit due to the uncertainty of the situation they found themselves in.
So certainly some really important things there. Robin, we talked about compliance and standards and you used the analogy of car insurance. I mean, why are certifications and standards so important and what are the benefits to an SME? We want them to get to a certain level and we want them to achieve certification. Why? What are those benefits?
RP:
The benefits are many; I'd like to just sort of hit on some of the key ones.
Why do we need certification? Quite often, it'll be: 'well, we don't need certification because we've got this product, we've got that product, we've got somebody looking at a screen checking our infrastructure' and such like. All of that is great and part of the certification is to have these things in place.
I think the key thing with certification, though, is that it's a benchmark; it's a standard. Without standards, we can't measure. Certification, essentially, outlines a set of practices. It gives your stakeholders, shareholders, employees, potential customers, and supply chain, a common, understood standard that is dependable and proven. It's been ratified to the highest level by innumerable people and adopted across multiple areas.
There's a number of certificates, whether it's NCSC, IASME, PDSC, BSI or the ISO programme, all of which have value. It depends very much on what the risk is to your business. What sort of data do you hold? What clients do you have? What sector do you operate in? What level of integrity should you apply to data?
So what does the SME get for certification? Well, people say it's just a badge of honour: 'If I do this, I'll get this badge and then we can all forget about it.' Well, no, you can't forget about it. Because cyber security is something you look at every single day.
Certification tells your customers and everyone that you engage with that you have attained that standard. In the public sector, I know certainly the MOD and the NHS have always encouraged all their suppliers to take cybersecurity certification. Because you can have the strongest chain, but if one link is weak, that puts everything else at risk. So certification comes back to almost a duty of care, to your own business, but also to everybody that you do business with.
SN:
That's brilliant. Thank you, Rob. One thing you said there which really hits home is this point about a duty of care to customers, to staff, to suppliers. It really is so important.
Clive, a question I wanted to bring you in on here, particularly as your role of a CTO and a chief assessor. One of the things I hear a lot from SMEs is that they've outsourced a lot of their cybersecurity to a managed service provider, and some of the large ones may have their own IT departments who deal with all of this.
So if someone else takes care of this, why should it bother the SME? How do you deal with that question?
CM:
I think that's a very good question, and we hear that quite a lot as well. I mean, the first thing is you can't really completely outsource your involvement in your IT security. You need to have ownership of that and many of the standards will be requiring you as well to do checks against your suppliers to make sure that things are in place.
But I think the biggest thing I find is that the mindset is different. An IT person who is a Support Professional will be looking to provide you with easy access to your data to make your working life nice and easy.
The security professional, however, is not wanting to prevent you from working effectively, but is thinking more about not only your access to that data but somebody else's access, should you be compromised. And how do we protect that? What can we do to systems to ensure that they are safe and secure?
So it's the different mindsets between the two types of professional, whether it's IT support, or security professionals. I think that's the main thing. From a security perspective, it's about restricting access, making sure it's safe and secure. And from an IT perspective, it's about providing access and making things easy to use. That's the key difference.
SN:
Fabulous, really helpful, Clive.
We're starting to see some countries, perhaps the US for example, take a more favourable look towards greater regulatory control of certain standards around cybersecurity. Michelle, do you think that these standards will become mandatory for every organisation in the UK to follow? And secondly, how can SMEs actually start their cybersecurity journey? Where do they turn to achieve their cyber certifications?
MK:
I think that we will definitely reach a point that it will become mandatory because it's important that we do. Cyber security should be an integral part of every business, so whether they're micro, small, medium or large, everyone needs to participate and be cyber compliant so that we can better protect everyone. Robin very clearly said we have a duty of care to do that.
However, businesses shouldn't really wait until it's mandatory to follow those regulations. As a matter of fact, businesses can start now on their cyber security, no matter what sector, what size or even how technically savvy they are. What we've done at the PDSC in collaboration with BSI is developed a new assessment scheme, called Digitally Aware and Digitally Resilient which helps SMEs start their cybersecurity journey to help them reduce their vulnerability to cybercrime. It's an entry-level certificate that is all about taking that first step within their cyber security journey and it allows organisations to build a strong cyber security foundation from within and encourages really good cyber practice throughout the business.
The beauty of it is that the assessment is based on the National Cyber Security Centre's small business guide. So for some SMEs, this will be a stepping stone in their cyber security journey, which will lead and prepare them to go on to achieve higher levels of cyber certification such as Cyber Essentials, Cyber Essentials Plus, or Digitally Resilient. No matter where you are within that journey, there are assessment certifications out there that can help businesses, and it's a way to become more secure and help them reduce their own type of risk.
SN:
Brilliant. Thank you, Michelle. I think the key thing I take away from that is that every organisation needs to have those basic building blocks in place around security, irrespective of their size. But certainly, for those micro and small businesses, they really need to think about some of those simple steps that will help them reduce their vulnerability to the overwhelming majority of cybercrime that we see.
Same question again, Clive. You know about the cyber security journey and standards; what are your thoughts around the journey, and who can they turn to in order to get those certifications?
CM:
I tend to say to clients all the time when I'm talking about cybersecurity, that they should "do something; don't do nothing". The key thing is you've got to think about your cyber security and consider your risks. These standards, as Michelle rightly says, are available. For me, it's about starting with the basics, working your way through. As you improve your cybersecurity, you increase the certifications as you go and there are many organisations out there to help with that kind of journey. Aligning to the standards means you are at least aligning what you're doing to a best practice that's been approved somewhere. So do something, not nothing.
SN:
I like that: do something rather than do nothing. Robin, last word on this?
RP:
Unless you measure, you cannot improve. I completely agree with Clive's approach. It's about building blocks, not a Big Bang approach. Start at the very beginning and start ensuring that the controls are there for the different certifications.
Have a look at the risk. What does your business do? Who do you work with? What does it mean to you? Do you hold data? What is the worst thing that can happen? Well, you can have a data breach, or be fined by the UK Government. You could have massive reputational damage and financial damage. These are all the things that sound a bit scary, but cyber threat is not about if it can happen. It's about when it will happen and being prepared for when it will happen.
SN:
Thank you, Robin. So just rounding off today's webinar, I'd be really interested if there's one line or one key takeaway from each of you that you'd like to share with the audience today in terms of compliance and broader cyber security issues. So back to Michelle, your key takeaway from today's session?
MK:
I think what we've learned today is that compliance really affects everyone within an organisation and everyone needs to take that step to make sure everyone's secure, but also not to wait until it's mandatory to follow certain standards and certifications. They're available for them to do that now and it's better to act now.
The cyber threat is here. It's time to do something today. But you don't have to do it on your own. There are organisations out there like PDSC and Cyber Tec who can help you at whatever level your business is at.
SN:
Last but not least, Clive, the last word from you.
CM:
Well, I think I'm back to what I said before, Simon, which is 'do something, don't do nothing'. You can start small. It's a nice, easy journey to take. Do something, don't do nothing.
SN:
I couldn't agree more with that.
For everyone watching today, I'd just like to say a huge thank you once again to Michelle, Robin, and Clive for their expert views, opinions and thoughts on what is really quite a pressing issue. As we see a growing problem for many SMEs to face, we look at the importance of just building those basic blocks in terms of reducing your vulnerability to some of those common types of cybercrime.
To learn more about Cyber Essentials and starting your cyber security journey, download our Ultimate Guide: