Inspector Gavin Mayes, who manages the North Yorkshire Police Cybercrime & Digital Forensic Units, looks at some of the cyber challenges facing SMEs and microbusinesses, highlighting free tools and resources that can help target harden your business.
Considering the recent well-publicised incident involving a global cybersecurity provider, and the subsequent impact on millions of Microsoft Windows systems, this really focuses the mind on the importance of cyber business resilience within your organisation. It also casts the net wide in terms of your considerations around risk: not only internal and external threats, but also the day-to-day deployment of patches and updates from trusted sources, and what to do when it all goes wrong.
The 2023 Government Cyber Security Breaches Survey highlighted that the most common cyber threats were relatively unsophisticated. Worryingly, over the last three years that survey identified a consistent decline in cyber hygiene among businesses, specifically in the:
· use of password policies (79% in 2021 vs. 70% in 2023)
· use of network firewalls (78% in 2021 vs. 66% in 2023)
· restricting admin rights (75% in 2021 vs. 67% in 2023)
Having worked in policing, with a specific remit on cybercrime for almost ten years, I have seen hundreds of successful cyber-attacks from a broad and varied spectrum of attack vectors. There are some very capable people out there who can find and exploit both hardware and software vulnerabilities for the purposes of criminal gains. However, in my experience the weakest link in your cyber security architecture is nearly always the human element.
Broadly speaking I mean user error, such as inadvertently creating exploitable access points through poorly configured networks and firewalls, failure to patch known vulnerabilities, or a simple lack of process controls, such as network administrators failing to manage permissions and access levels or to enforce password management. In addition to that, employees often fall foul of phishing emails, social engineering and having credentials compromised, all of which brings risk to your organisation. That, coupled with an often-seen mentality of “it will never happen to us” and a complete lack of preparedness in the form of business continuity plans, makes for the perfect storm of business disruption, monetary losses and impact on customer confidence, especially in the context of any resulting data breaches.
The Impact & Reality of Cybercrime
Unfortunately, I have on more than one occasion witnessed a microbusiness forced into insolvency and countless other SMEs in a state of turmoil, left dealing with the cleanup and operational recovery from a cyber-attack. In many instances these attacks could have been avoided by implementation of a robust cyber security risk management framework and business / disaster recovery plans.
In one such instance my team successfully charged and prosecuted a disgruntled ex-employee who, after resigning several months earlier, was able to log back into a cloud storage platform and delete over five thousand of the company’s files. This led to financial losses of over £100,000 as the company employed IT professionals to try to restore its data, but ultimately ended in job losses and insolvency. Clearly ex-employees can pose a serious risk to a business due to their familiarity with the company’s IT infrastructure and internal procedures, and in this instance the failure to remove the ex-employee’s account and permissions was enough to bring the whole business down. Simple stuff, but I emphasise this case to demonstrate that it doesn’t take nation state hackers or organised crime groups to bring down your business.
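The control that was missing in the case above is a routine leaver reconciliation: comparing who HR says has left against which accounts are still enabled, and checking the platform's audit log for any activity after the leave date. The script below is an added illustration of that check and is not code from the article or from any police or NCSC tool; the HR export, directory export and audit log it reads are all constructed sample data, and the CSV and log formats are assumptions about what such exports look like.

```python
"""Leaver reconciliation check (added example; all data below is constructed).

Flags two conditions for every person on the HR leaver list:
  * the account is still enabled after the leave date ("high"), and
  * the audit log shows sign-ins or file actions after the leave date
    ("critical": the dormant account has actually been used).
"""
from dataclasses import dataclass, field
from datetime import date, datetime
import csv
import io

# Constructed HR export: who left and on what date (assumed format).
HR_LEAVERS_CSV = """username,leave_date
j.smith,2023-03-31
a.khan,2023-06-15
"""

# Constructed directory export: account state at the time of the audit.
DIRECTORY_CSV = """username,enabled
j.smith,true
a.khan,false
m.jones,true
"""

# Constructed cloud-storage audit log: "<ISO timestamp> <user> <action>".
AUDIT_LOG = """2023-03-30T17:02:11Z j.smith login
2023-07-21T23:14:05Z j.smith login
2023-07-21T23:15:40Z j.smith delete /Finance/2022/*
2023-06-14T09:00:00Z a.khan login
2023-08-01T08:30:00Z m.jones login
"""


@dataclass
class Finding:
    username: str
    leave_date: date
    still_enabled: bool
    post_leave_events: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Any activity after the leave date means the account was used.
        if self.post_leave_events:
            return "critical"
        return "high" if self.still_enabled else "ok"


def parse_leavers(text: str) -> dict:
    """username -> leave date."""
    return {r["username"]: date.fromisoformat(r["leave_date"])
            for r in csv.DictReader(io.StringIO(text))}


def parse_directory(text: str) -> dict:
    """username -> True if the account is currently enabled."""
    return {r["username"]: r["enabled"].strip().lower() == "true"
            for r in csv.DictReader(io.StringIO(text))}


def parse_audit_log(text: str) -> list:
    """List of (timestamp, username, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action))
    return events


def reconcile(leavers: dict, directory: dict, events: list) -> list:
    """Return only the leavers that still need action."""
    findings = []
    for user, left in leavers.items():
        # An account absent from the directory is treated as removed.
        enabled = directory.get(user, False)
        late = [(ts, action) for ts, u, action in events
                if u == user and ts.date() > left]
        findings.append(Finding(user, left, enabled, late))
    return [f for f in findings if f.severity != "ok"]


def audit() -> list:
    """Run the check over the constructed sample data."""
    return reconcile(parse_leavers(HR_LEAVERS_CSV),
                     parse_directory(DIRECTORY_CSV),
                     parse_audit_log(AUDIT_LOG))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.severity.upper():9} {f.username} left {f.leave_date}, "
              f"enabled={f.still_enabled}, events after leaving={len(f.post_leave_events)}")
```

On the sample data j.smith is reported as critical: the account is still enabled and was used to log in and delete files months after the leave date, which is the pattern in the prosecuted case. a.khan is disabled and only has activity before leaving, so produces no finding. In practice the leaver list comes from HR or payroll, not from IT, because IT only knows who has left if someone tells them.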
Free Resources Available to Your Business Right Now
Use the Yorkshire Ready Together conversational tool to help find out how your business can become more cyber resilient.
Cybersecurity does not have to cost the world and you can start taking those first steps towards target hardening your business against the most common vulnerabilities right now. I often struggle to understand why businesses fail to tap into the wealth of free resources that the National Cyber Security Centre (NCSC) provides, which if utilised could significantly reduce the chances of businesses becoming a victim of cybercrime. One of those resources is Cyber Aware, which provides you with a free ‘Cyber Action Plan’ which takes about 3-5 minutes to complete. This will provide you with a free personalised action plan on what you can do right now to protect against cyber-attacks.
NCSC also provides material on how to plan and prepare for a cyber-attack, and on how businesses can respond and recover should the worst happen. This should be at the heart of your business continuity plans. Within the Yorkshire & Humber region you can receive free ‘Exercise in a Box’ training to help your organisation test and practise its response to a cyber-attack. Your local police force also offers free ‘Cyber Escape Room’ training in the form of a team-based tabletop exercise, pitched at your non-IT staff to help them understand the importance of cyber security at both home and work.
Looking wider towards other free resources and services, businesses should consider taking advantage of ‘Police CyberAlarm’, an award-winning free tool provided by your local police forces and funded by the Home Office, to help your business or organisation monitor and report the suspicious cyber activity it faces. Police CyberAlarm can scan your website and external-facing IP addresses for known vulnerabilities and provides regular reports detailing any suspicious activity detected on your network, enabling you to take action and better protect your business. Since its launch it has already identified over a billion suspicious events, resulting in reports and advice being given to members so they can act to prevent a successful attack.
SMEs should also consider taking advantage of the free core membership offered by the North East Business Resilience Centre (NEBRC), which provides a wealth of support and guidance to help you on your journey towards becoming Cyber Essentials certified. This will help demonstrate your commitment to cybersecurity, reassuring customers that you take cyber security seriously and are committed to protecting their data.
For some organisations, cyber resilience may seem unattainable or incredibly challenging to create and maintain, but most companies I speak to are yet to take even the first steps of exploring basic NCSC guidance and tapping into the free resources and services that could assist them on their journey. In summing up, cyber resilience can no longer be ‘tomorrow’s priority’, and I would implore all businesses to take these first steps in ensuring cyber defence is at the core of their business continuity plans.
Author: Gavin Mayes
Inspector Gavin Mayes
Gavin Mayes has worked in law enforcement for over 22 years and is currently responsible for managing the North Yorkshire Police Cybercrime & Digital Forensic Units. He is a trained ISO27001 Implementation Practitioner (CIIP) and GCHQ-Certified Cyber Incident Planning & Response officer, with a wealth of practitioner knowledge in the field of cyber and digital forensic investigations.