Why ignoring the cyber security basics is putting businesses at risk
UK firms still failing cyber basics, leaving major risks exposed
You're reading Entrepreneur United Kingdom, an international franchise of Entrepreneur Media.
A huge number of businesses are falling victim to cyber attacks every year – and many are doing so because they simply are not doing the basics to protect themselves. The Government’s most recent Cyber Security Breaches Survey found that in the past 12 months, 43% of UK businesses had identified at least one cyber security breach. And while there is a lot of discussion around geopolitics, hostile states, organised crime and global instability, the sophistication of attackers is not the root cause of many of these incidents. Instead, we see weak controls, poor awareness, patchy back-ups and inconsistent governance leaving organisations exposed.
Cyber security and resilience
Many organisations have a digital security plan, which will include protecting passwords and websites, but cyber security involves additional work: ensuring all systems, devices, networks, applications and data are protected from unauthorised access, damage or theft. And to become cyber resilient, businesses must prevent as many attacks as feasible, but also ensure that should one happen, they can anticipate, withstand and recover from it. Rather than assuming they can prevent every attack, leaders should be asking themselves crucial questions around whether they can keep operating should something go wrong, recover quickly, protect critical services, restore data, and continue serving customers.
The small business risk
SMEs and individuals may think they are too small to be targeted, but in reality, this makes them easier to compromise – with everything from phishing emails and fake invoices to malware and ransomware having the potential to cause serious financial and operational damage. Indeed, research by Vodafone Business found SMEs were losing £3.4 billion a year due to inadequate cyber security measures. In other words, you do not need to be a global bank or a Government department to be at risk. You just need to be exposed, underprepared, or trusted by customers.
Getting the basics right
The National Cyber Security Centre (NCSC) states that Cyber Essentials certification is the minimum standard of security recommended by the Government for organisations of all sizes. It focuses on five control areas: firewalls, secure configuration, security update management, user access control, and malware protection. While it is not a ‘one-stop’ solution that will prevent every attack, it is useful because it ensures businesses have got the fundamentals right, strengthening basic controls – and hopefully encouraging leaders to think about what more they can do to protect their company once they have achieved the certification.
One of these considerations must be the implementation of a cyber security strategy, which includes all the practical foundations such as risk assessment, disaster recovery, regular patching, staff awareness and secure back-ups. And while it may seem obvious to state that all of these should be put into practice, there is a notable gap between the conversations businesses are having around cyber strategy and the operational boundaries they actually have in place. What use is talking about policies, frameworks and intentions without enforcing stronger controls, challenging poor habits and getting the basics right consistently?
That is the crux of the issue: a business does not become secure because it says the right things. Cyber security and, ultimately, cyber resilience are a result of putting controls in place, testing and enforcing them, and continually improving them. Outside of the wider conversations around the digital world, and outside of the work being done as part of the Cyber Essentials certification, the basic work needs to take place 24/7/365. Cyber security is no longer optional. It is part of modern business strategy, modern operations and modern trust.