Small Business Security can Never be Considered ‘Done’

Last updated: 16 May 2016

UK Government cyber security schemes have been coming thick Cybersecurityand fast over the past couple of months. At the end of June UK.gov launched its Cyber Essentials self-assessment scheme for small businesses. It costs £300 quid but certified companies automatically qualify for free insurance.

You can download the questions for free from one of the certifying organisations, IASME. Certification criteria are based on “the five most important technical security controls, …identified by the government as those that… would have stopped the majority of the successful cyber attacks over the last few years,” according to the site.

Last month we also saw the government open a cyber security centre where security products and services could be showcased, and offer £5K grants for businesses to get access to security expertise aimed at achieving Cyber Essentials certification, managed by public technology funding body Innovate UK.

The security expertise and support now available to UK small businesses is great, but it would be a mistake for any small company to think that certification is the end game. Of course it is important to address older issues such as viruses, identity theft and so on — these problems have not gone away.

However the security threat landscape is constantly changing — as we use technology in new ways, such as using our own kit rather than company-issued IT equipment, we create new risks. In addition threats are like water — they just seek the points of least resistance, so if you patch up one set of holes you just make others more obvious.

As I have written before, even if protections are in place, bad things can still happen. Computer malware, a bit like human maladies, will never be fully eradicated so all businesses, large and small, need to look at addressing consequences and providing recovery strategies.

As a consequence I would advise businesses to look at the process aspects of security, as well as just treating current threats. This can start with having someone responsible for security within the business, then extend to ensuring risks are reviewed on an ongoing basis and that procedures are in place, for example for on- and off-boarding staff.

Such topics were incorporated in the UK government’s “Cyber Street Wise” initiative of a year or so ago, which may now be defunct judging by the absence of web site but the advice is still worth a read. The bottom line is, security is never ‘done’ so don’t lull yourself into a false sense of security.

For more information about securing your organisation, read our white paper: Protect Your Sensitive Data

Leave a Reply

Your email address will not be published. Required fields are marked *