Cyber Resilience Toolkit

A changing world

Hacking is a commercial enterprise. Large businesses are more likely to be attacked by nation states and professional criminal groups, whereas SMEs are more likely to be indiscriminately targeted.

The realistic approach

A motivated attacker with significant resources will eventually succeed. The good news is that SMEs are unlikely to be attacked by nation states and they can protect themselves against background noise and most focused hacking attempts. The simple suggestions in this booklet can help stop more than 80% of these attacks.

The media reports on security breaches at large companies and movies dramatise cyber criminals. This leads to misconceptions about cyber security, as shown by the following security myths.

• Being cyber resilient is too expensive.
  
  Getting the basics right goes a long way to making a business safe. The basics are often free or simply require changes in behaviour. Getting them right prevents disruption and lets owners focus on the main business.
• There is no point trying to protect my business when the government and larger companies cannot protect themselves.
  
  A motivated and resourced attacker can eventually breach any security system. Resilience is about finding a balance and having security that is proportionate to the risks faced by the business.
• It is cheaper to fix problems when they occur rather than prepare for everything.
  
  Security incidents are expensive. They impact reputation and revenue. There may also be fines for losing personal data. Good security wins business by showing customers you care.
• My business is not a target because my data is not valuable.
  
  Websites and any computer connected to the internet are targets. Hackers are opportunistic and use software to search for easy victims. Getting the basics right reduces the chance of being attacked.
• I have a firewall and antivirus so my business is secure.
  
  These are important but good security has many layers of defence. Behaviour and processes are just as important as technology.

A recent survey conducted with small and medium sized businesses in Scotland by the University of Glasgow shines light on some of the challenges faced when thinking about cyber resilience. The survey showed a clear desire for consistent and simple advice.

1. Companies struggle to know where to go for advice. There are too many sources of conflicting information.
2. Small businesses are concerned about security but many underestimate the level of risk they face.
3. Despite concern about security nearly 40% spend nothing on IT security and half are unsure they could detect an attack.
4. More than half of SME manage their own IT.
5. Most companies say information technology is very important to their business but that they are not worried about the security of their information.
6. Many companies recognise the need for basic controls to protect their business, but a quarter say controls such as antivirus and regular backups of data are unimportant.

Small businesses are often reluctant to report security breaches but the following figures give an indication of the scale and nature of the problem in Scotland.

83%

Consumers are concerned about how companies hold their data. In addition, 94% of procurement managers consider security when
awarding contracts.

60%

The majority of small businesses had a security breach in the last year. The figure is much higher when data losses are included.

55%

Most people use the same passwords for their personal and business accounts.

69%

When businesses are compromised most find out later from a third party such as a supplier, customer or law enforcement.

The Scottish Government has a vision for Scotland being a world leader in cyber resilience. This is a future where we make the most of digital technology and manage the risks in order to create a global reputation for being a secure place to invest in business. Consumer confidence drives business growth.

Cyber resilience makes sense for Scotland but also locally for small businesses. Prevention is cost effective and being resilient is an opportunity to create value and differentiate a business from its competitors.

Value Protection

Reduce risk and future costs

• Loss of reputation
• Costs to restore data and repair systems
• Restitution to customers and suppliers whose details have been stolen and used to commit fraud
• Data loss from computer infections or from failure to backup key business information
• Revenue loss from having designs and intellectual property stolen
• Fines from the Information Commissioner for failing to protect customer data

Value Creation

Differentiate your business as a leader

• Enhance your reputation
• Show customers you take their information seriously
• Show suppliers you take confidentiality seriously
• Gain ‘Cyber Essentials’ certification and advertise commitment to best practice
• Bid for government contracts
• Take advantage of government funding schemes

Cyber resilience is a journey and every business will be at a different stage of maturity.

The Journey

Starting the journey

• Risk and Response
  
  Recognise that online crime is a risk to business. More than 60%1 of SMEs had a security breach last year but 65% still think they are not a target and nearly 40%2 spend nothing on security. The media report breaches at large companies and this contributes to a false sense of security among small businesses. Think of cyber security like physical security: passwords are locks, firewalls are fences, anti malware is the alarm system and backing up data is contents insurance.

Becoming Cyber Resilient

• Sensible Security
  
  Small businesses do not need the same security system as a bank because the threats are not the same. Security is about understanding the risk to the business and taking the proportionate steps. For many small businesses this can be achieved using free or low cost tools, educating employees and applying Cyber Essentials. Preventing attacks is one part of resilience, the other part is being able to recover from attacks with minimal disruption to the business.

Staying Cyber Resilient

• Good Behaviour
  
  Cyber resilience is about behaviour and not just technical defences. Educating employees about good practice regarding passwords, backing up data and keeping software up to date are equally important. As a business grows the threats it faces will change. It is important to regularly review security practices and to inform employees of change.

Cyber Essentials is about helping businesses get the basics of security right. The government scheme was introduced in 2014 and simplifies security requirements into five key steps. Certification is required to bid for government contracts.

The Essentials form a key line of defence against cyber crime. Additional detail on the tools mentioned here can be found in the Easy Wins glossary at the end of this document.

Boundary controls

Protect the online doors and windows of the business.

Secure configuration

Using applications as they come ‘out of the box’ can be unsafe.

Access control

Restrict access to valuable data and systems.

Anti malware

Anti malware scans computers looking for malicious files and program behaviour.

Patching

Hackers target old and vulnerable systems. Stay safe by keeping systems up to date.

Cyber Essentials helps businesses implement technical defences against cybercrime. Security though is not just a technical challenge, it is about changing behaviour. Employee education is your first and last line of defence.

Employee Education

Are you confident staff will recognise suspicious emails? Do they open links and attachments only if they recognise the sender? Will they change customer and supplier details only if the request comes from existing contact details?

Employee education should extend to cover the importance of having strong passwords and making sure that devices holding data are password protected. It should also include basic security measures such as locking computer screens when leaving desks and the risks of conducting business over public Wi-Fi.

Phishing

Hacking can be hard work. It is much easier to send emails and trick employees into clicking links or opening attachments. This is known as phishing.

Ransomware

Malware that locks the files on a computer and demands a ransom is increasingly common. It is important to regularly backup data to reduce this threat. Paying criminals is risky and there is no guarantee they will unlock files.

Read the full guide here