
The seven essentials of a good cyber strategy

Author: ICAEW Insights

Published: 15 Oct 2025

Businesses can draw upon a range of recognised standards to lay the foundations of a cyber strategy – but keeping your organisation secure doesn’t stop there. Cyber security and GDPR consultant Paul Rolison outlines best practice measures for creating an effective cyber strategy.

Outside of compliance and responsible corporate citizenship, the risk of reputational harm is one of the biggest drivers for a comprehensive cyber strategy, according to Cyber Security and GDPR Consultant Paul Rolison ACA.

“I’ve seen cases where a ransomware attack has occurred, the company pays to get its data back, then it gets only a partial result and spends months trying to rebuild the information. In the meantime, disillusioned clients say: ‘Enough is enough,’ and walk away."

Following a cyber attack, he explains, PR typically takes one of two paths: either the business immediately tells customers that they are impacted, or it waits until a further deterioration provokes it to do so. The outcome is almost always messy, Rolison notes.

“Let’s say a small Chartered Accountancy of, say, 4 partners and 20 staff gets hit. The partners have probably got pensions and other personal finance arrangements tied up in the business, and are borrowing mortgages against it. Suddenly, someone lets in an attack. The firm goes haywire, client relations plummet, business evaporates, the partners panic and managers have to find new jobs. The repercussions are seismic."

One impact of cyber attacks that Rolison believes is gravely under-discussed is the emotional harm done to those who unwittingly open the door to malware. He says: “Professionals who deal in forensic depth with these matters tell me that, once they’re identified, employees who’ve been gateways for attacks don’t stay in the business for long. Not because they’re dismissed – but because they’re crushed by the guilt and shame of being linked to the damage. Their devastation can be enormous.”

Firm grounding

Rolison has reassuring words for business leaders who are starting from scratch on assembling a cyber strategy, and others who are worried that their companies may be falling short of best practice. “The wheel’s already been invented,” he says. “There are high-quality standards available that will provide you with a firm grounding in how to equip your business with a structured approach.”

Those standards include Cyber Essentials and Cyber Essentials Plus, a government-backed certification scheme run by the National Cyber Security Centre (NCSC). Basic Cyber Essentials is a self-assessment against five core controls (firewalls, secure configuration, user access control, malware protection and security update management), checked by a certified assessor. Cyber Essentials Plus covers the same controls but goes further: an assessor independently verifies them with hands-on technical testing, including vulnerability scans of in-scope devices.

Firms can also go further with the ISO 27001 global security standard, or Cyber Assurance, provided by Information Assurance for Small and Medium Enterprises (IASME).

Importance of data protection

A structured approach to data protection is the most vital component of any credible cyber strategy, according to Rolison. Indeed, among its stipulations, UK GDPR requires organisations to implement appropriate technical and organisational measures to protect the personal data they hold, and to be able to show that those measures actually work.

At the same time, Rolison notes, banks, insurers, regulators and other businesses in the supply chain are more often expecting the companies they deal with to have a formal cyber strategy in place – and will ask detailed questions if they suspect any implementation gaps. “Without that structured approach,” he says, “you’ll be behind the game in many ways.”

Best practice cyber security measures

In tandem with adopting the right standard for your organisation, Rolison recommends the following best-practice measures for building an effective cyber strategy.

Get a proactive managed services provider (MSP) 

“When SMEs come to me to do Cyber Essentials, they often know very little about their own systems,” Rolison says. “Typically, they’ll employ an MSP to oversee their IT setup, but the contract won’t necessarily include full support for cyber security. In fact, from my experience, the vast majority of MSPs are reactive: they just sit there waiting for the phone to ring.”

With that in mind, Rolison urges businesses to ensure that their MSPs deal with patch management and provide security coverage for systems that are about to go into end-of-support states. Plus, MSPs should take responsibility for vulnerability scanning. “Across 10 to 20 devices, you could have something between 300 and 400 vulnerabilities,” Rolison says. “And they’re just the serious ones.”

Understand which technologies your business is using

Don’t assume your MSP knows everything about your IT systems. Map them out yourself: keep an inventory of the devices, software and cloud services the business relies on. Keep a critical eye on legacy systems, which most likely lack multifactor authentication and, more importantly, no longer receive security updates, so any newly discovered vulnerability in them stays open indefinitely. Don’t dump large amounts of organisational data on free consumer cloud platforms.

Create a risk register

A particularly useful step after you have done Cyber Essentials: document which threats could get you, and how. Consider risks around devices, software, cloud services, building access and people.

Include cyber as a regular agenda item in board meetings

Which emerging risks do you need to factor into the register? “Liaise with your MSP to get a monthly list of newer threats that are appearing on the radar,” Rolison says. “Other sources of this type of information include the National Cyber Resilience Centre Group, which issues a weekly threat-analysis email written with non-tech people in mind.”

Never allow staff to work in admin mode

Day-to-day work should be done from standard user accounts, with administrator rights held only in separate accounts that are used for administrative tasks. Letting staff work as administrators would be like leaving your house with all your doors and windows open at once and rolling out the red carpet: any malware that a user opens runs with the same rights as that user, so an admin account hands it control of the whole machine.
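A practical check for this tip is to audit which accounts actually hold local administrator rights on each workstation. The script below is an added example, not code from the article or from Rolison; it assumes a Windows 10/11 (or Server 2016+) machine with the built-in Microsoft.PowerShell.LocalAccounts module, and the approved-account name `IT-Admin` is a placeholder to replace with your own dedicated admin accounts.

```powershell
# Added example (not from the article): report accounts that hold local admin
# rights on this Windows machine so everyday staff logins can be demoted to
# standard users. Assumes Microsoft.PowerShell.LocalAccounts is available
# (Windows 10 1607+ / Server 2016+). Run from an elevated PowerShell prompt.

# Accounts allowed to keep admin rights. 'IT-Admin' is a hypothetical name;
# replace it with your IT team's or MSP's dedicated admin accounts. The built-in
# Administrator account is recognised by its SID (relative ID 500) instead.
$ApprovedAdmins = @('IT-Admin')

$computer = $env:COMPUTERNAME
$findings = @()

foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    # Names come back as COMPUTER\user or DOMAIN\user; compare on the short name
    $shortName  = $member.Name.Split('\')[-1]
    $isBuiltIn  = $member.SID.Value.EndsWith('-500')
    $isApproved = $ApprovedAdmins -contains $shortName

    if ($isBuiltIn -or $isApproved) { continue }

    $enabled   = $null
    $lastLogon = $null
    if ($member.ObjectClass -eq 'User' -and $member.PrincipalSource -eq 'Local') {
        # For local users, record whether the account is live and when it was last used
        $u = Get-LocalUser -SID $member.SID
        $enabled   = $u.Enabled
        $lastLogon = $u.LastLogon
    }

    $findings += [pscustomobject]@{
        Computer  = $computer
        Account   = $member.Name
        Type      = $member.ObjectClass      # User or Group
        Source    = $member.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Enabled   = $enabled
        LastLogon = $lastLogon
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$computer`: no unapproved members in the local Administrators group"
} else {
    Write-Output "$computer`: $($findings.Count) unapproved local admin(s) found"
    $findings | Format-Table -AutoSize
}

# To demote an everyday staff account once it has been reviewed (elevated prompt):
#   Remove-LocalGroupMember -Group 'Administrators' -Member 'jsmith'
# The account stays a member of the local Users group, so the person can still
# log in and work; a separate admin account is then used for installs and changes.
```

Groups nested inside Administrators (for example a domain group) are reported as a single line of type `Group`; expand those separately in Active Directory, because every member of such a group is effectively an administrator of the machine. Running the script across the fleet from your MSP's remote-management tooling turns the one-line tip into a repeatable control.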

Harmonise your antivirus and endpoint protection

Many businesses run a handful of packages concurrently, with different levels of effectiveness and varying expiry dates. This is dangerous: overlapping products interfere with each other, coverage lapses silently when one subscription expires, and nobody is sure which product is actually protecting a given device. Standardise on a single, centrally managed endpoint protection product across all devices, with one renewal date that someone owns.

Make cyber a key part of staff training

Publish a quarterly newsletter of the business’s cyber training activities. Run regular malware and/or social engineering simulations. Be sensitive about how you manage people who have fallen for those tests. Offer them further training without publicising it too much. Avoid stigmatising them.

Action on cyber security can boost growth

As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:

  1. Establish a national cyber resilience fund for SMEs
  2. Enhance cyber security education and awareness
  3. Incentivise cyber insurance uptake
