Mo Ahddoud, Interim CISO / Security Consultant / Board Advisor
If you run a business in the UK and use any kind of technology, you are at risk from a cyber-attack. This is a fact. I’m not scaremongering, and there is plenty of evidence to support my statement. One example is the recent report from the insurer Hiscox, which found that 55% of UK businesses had faced an attack in 2019, up 40% from the previous year. Hiscox also said a lot of businesses “incorrectly felt that they weren’t at risk”. And this, for me, lies at the crux of why UK companies continue to be targeted every day.
I see a disconnect between business owners’ understanding of the importance of cyber security threats and their appetite to invest in measures to protect against them. I think it’s understandable, in that these measures have a financial impact on the business and as such need a level of due diligence. But I think cyber security controls should be an intrinsic part of your business operating model, and the good news is you don’t have to do a lot to minimise the impact of some of the most common techniques used by hackers.
Every day, UK companies continue to be targeted, and the loss to the UK economy is significant. So much so that the National Cyber Security Centre (NCSC), the government department established to protect UK PLC from cyber-attacks, developed a cyber certification for business. The certification, called Cyber Essentials, is designed to be low cost and low impact, and to help companies protect themselves from the most common attack techniques. Cyber Essentials is also mandatory for organisations working within the government supply chain, primarily because we have seen hackers move across the supply chain to reach their primary target, as recently happened with Airbus (Link). So, if you think you’re not at risk, consider who in your supply chain may be. Cyber Essentials is a great starting point for any company, especially small and medium companies, which are its primary audience. But adoption remains slow, and I’m unclear why.
On its own, the submission is £300 for your company to become certified. You can do this yourself; it’s a self-submission process, and within a few days you can have a certificate and logo to share with your current and future customers. If you’re not confident completing the submission and need advice, the analogy I use here is writing a will. Anybody can write their own will, but it is not my area of expertise, and the impact if I misinterpret something could be significant. Typically, depending on your organisation, this can cost between £600 and £1500 per organisation.
It is really important to note that the objective of Cyber Essentials is that you understand the risks to your business and have documented and treated those risks within your company’s risk appetite. Cyber security is not all about investing in technology; it’s also about people and processes in equal measure. Training your staff to recognise the signs of fraudulent emails, and having a process that ensures any invoices are validated before being paid, is a good example of how this does not require technology. Another example is setting aside some time to work through a cyber response plan. The NCSC website provides some great free material that walks you through how to develop, run and document your cyber response plan. This can significantly reduce the impact of a cyber-attack on you and, again, can be done at a low cost.
Mo Ahddoud is the managing director of MA Consulting Ltd, a cyber security consultancy focussed on helping companies protect themselves against cyber threats.
He is a security expert who last served as the Chief Information Security Officer at SGN, which manages and operates over 74,000 km of gas mains and services in Scotland and the south of England. Prior to joining SGN, Mo acted as the International IT Security Lead at NBC Universal. His professional history also includes roles at leading companies such as IBM and BAE Systems, and a ten-year tenure as an officer in the British Army. His depth and variety of experience across the public and private sectors gives him a unique insight into all angles of cyber security.