Cyber security essentials
What is cyber security?
Whilst the internet and new technology have opened up different ways of working for businesses, they have also raised new threats. In particular, the risk that a cyber attack could result in unauthorised access to, theft or destruction of IT systems and data.
Examples of cyber attacks include:
- Malware – ‘malicious’ software programs (including viruses) designed to attack IT systems.
- Ransomware, which encrypts files and blocks access to computer systems unless a payment is made. Recent high profile cases in 2017 include the WannaCry attack which affected the NHS and the Petya attack on the Ukraine.
- Remote attacks on websites or IT systems, for example (Distributed) Denial of Service (DDoS) attacks which prevent websites operating.
- Phishing – the use of bogus emails and websites to trick individuals into supplying confidential information. Example: Emails purporting to be from HMRC which promise a tax refund, but are really an attempt to get people to hand over confidential information.
- The theft of IT hardware or data.
Cyber security focuses on the practical measures which can be taken to protect IT systems and data from these kinds of cyber attacks and breaches.
Why is it important?
Cyber attacks are becoming widespread and can be very costly. The Government’s Cyber Security Breaches Survey shows that 24% of businesses experienced a breach in 2016, with an estimated average cost for the year as a result of those attacks of £3,480.
Cyber security is not just a concern for large businesses. Small businesses can also be targets, especially as their limited resources mean they will often not have the same security defences. This is reflected in the Cyber Security Breaches Survey, which indicates that 33% of small companies experienced a breach in 2016 (higher than the 24% seen across the general population).
A successful cyber attack can lead to large financial losses as a result of disruption to the business, bad publicity and the costs of restoring systems and services. If personal data is lost or compromised then there may also implications under data protection laws, including enhanced fines and notification requirements under the new General Data Protection Regulation (GDPR).
Significantly, tax advisers and accountants are a particularly popular target for cyber attacks – they use online services to connect with HMRC and their clients, and are likely to hold valuable personal data such as taxpayer references, National Insurance numbers, bank account details, income and asset details.
As the tax system becomes increasingly reliant on digitalisation, cyber security has become even more important. This was highlighted by the Petya attack in the Ukraine, which was spread via compromised automatic updates of a widely used tax filing software.
What can be done to improve cyber security?
Many online attacks can be prevented or detected before they cause damage if the right cyber security measures are in place.
Businesses should take a risk management approach to cyber security:
- Understand the risks – What data is held? Where are the weaknesses? Are they likely to be targeted?
- Set up a regime to manage that risk in the same way as for legal risks, regulatory risks etc.
- Have a plan in place for if there were to be a successful attack. Who needs to be notified or contacted for help? What needs to be done to keep the business running?
Small and medium sized businesses may not be able to afford the services of cyber security consultants, or expensive security software and hardware. However, there are a number of simple practical steps which can make a real difference:
- Install anti-virus software on all computers, tablets and smart phones used in the business.
- Download software updates as soon as they appear – these often contain vital security patches.
- Use strong passwords using upper and lower case letters, numbers and symbols.
- Delete suspicious emails, and never open attachments from unknown sources.
- Protect computers and networks by installing a firewall (software or hardware which examines all communications in and out of the computer and decides whether it is safe to let them through).
- Keep an inventory of all IT equipment and software.
- Control employee access to computers and documents. Staff can be given individual user accounts, with access restricted as appropriate to their role.
- Educate staff so that they can spot cybersecurity threats and know how to avoid them. The Government offers a range of online free courses which may be helpful in this (see below).
- Restrict the use of removable media (e.g. DVDs, USB sticks) as they can be easily stolen or lost. Control access to them, ensure that only those supplied by the business are used, and scan for malware before uploading to central systems.
- Put provisions in place for home and remote workers, who can be a higher risk. For example, requiring the use of personal IT equipment to be pre-approved and ensuring that laptops, mobiles and tablets all have anti-virus software and are password protected.
What further support is available?
There are several Government backed initiatives which provide further support for businesses, including:
- Cyber Aware – a cross government initiative aimed at promoting secure online behaviours for small businesses and individuals.
- Free online training courses for businesses and their staff.
- The new National Cyber Security Centre offers a wide range of guides on all areas of cyber security.
- Cyber Essentials – a government backed and industry supported scheme. Businesses can self-assess their position using free to download guides and checklists. There is also the opportunity to apply for a Cyber Essentials badge, which enables businesses to advertise the fact that they adhere to the Government endorsed standards.