How to find the right cyber security package for a small business

In this guest article, Bleddyn-Aled Wyke, Cyber Operations Executive at PureCyber, provides a useful guide to small businesses in search of a cyber security package for their company.

Cyber security has become a hot topic over the last few years, ousted from dusty IT offices and server rooms into the limelight, for better or for worse. Awareness of the prevalence of threat actors (hackers to you and me) continues to grow, as companies large and small bear the brunt of cyber-attacks costing into the millions, bringing businesses and infrastructure to a sharp standstill.

However, cyber-attacks are not always initiated by hooded figures in dark rooms, or by alienated employees exfiltrating your valuable data and hawking it to the highest bidder in dark corners of the internet. Sometimes it can be purely accidental: a laptop or flash drive lost on a crowded train and picked up by the wrong person, leaving valuable company data or Personally Identifiable Information (PII) about employees or customers open for the wrong eyes to see.

A loss of PII can bring the wrath of governing bodies such as the Information Commissioner’s Office (ICO), with eye-watering fines being issued if due care and diligence have not been taken to prevent such incidents. In 2018, Heathrow Airport was issued a £120,000 fine by the ICO after a member of staff lost a single USB stick containing PII. The device was neither secured nor encrypted, affording unrestricted access to over 1,000 private files. Whilst this is by no means an insubstantial amount, penalties can greatly exceed it, with fines into the millions being issued by the ICO alone.

How to find the right cyber security package

Large multinational organisations with the resources to install dedicated teams in-house actively monitoring and defending against threats can still fall victim to cyber-attacks, so where does a smaller team start?

Regardless of your existing knowledge of the subject, an audit of the processes and systems already in place can be a fantastic first step: it provides an analysis of where you are and where you need to be, from which you can prioritise where to start. There are multiple schemes and frameworks put in place by government and international standardisation bodies to help prepare and educate organisations of any size against cyber-attacks. These typically scale up in stringency as you progress through them, and it is up to the business to decide how far it wishes to go, depending on factors such as potential growth and the value of the data it processes.

An example framework is the NCSC-backed Cyber Essentials scheme, which offers a starting point for businesses both small and large looking to assess their cyber literacy. It begins with the self-assessed Cyber Essentials certification, a questionnaire probing both technical and process-based controls whose answers are later externally verified, helping to promote awareness of common issues and vulnerabilities.

From here a business can move on to Cyber Essentials Plus, which goes further by adding a technical audit that verifies the previously established Cyber Essentials controls are in place and working effectively. With these complete, a business can move on to more advanced certifications or frameworks, such as IASME and ISO 27001. These revisit the subjects already touched on and also address aspects of governance, such as the management of risk and business continuity. It is up to the business to decide how deep it wishes to go.

Eliminating the threat of cyber-attacks is no small feat: new exploits are constantly being discovered, and new attacks and threat actors are popping up all the time. However, with the right policies and procedures, you can bring appropriate security measures and knowledge to your business, helping to curtail the threat faced today by businesses of all shapes and sizes.