
There are some key steps that smaller firms can take to reduce their exposure to cybercrime, writes SCOTT MONCUR
Cyber risk is one of the most significant threats facing UK organisations, affecting nearly every sector and type of organisation. According to data from the National Cyber Security Centre (NCSC), part of GCHQ, the UK experienced 204 “nationally significant” cyber incidents in the 12 months to August this year, of which 18 were classed as “highly significant”. This was a 50% year-on-year increase.
In response to a series of high-profile cyberattacks this year, the UK Government last month introduced the Cyber Security and Resilience (Network and Information Systems) Bill, aimed at strengthening cyber defences across the UK’s critical sectors.
The Bill singles out those service providers which are so essential that their disruption affects business and personal lives. Regulatory focus will be expanded beyond transport, energy and the NHS, to include data centres, managed service providers, large load controllers (the ones that look after our smart devices), and designated critical suppliers.
This legislation is welcome, but for SMEs there is a more immediate need to reduce risk and financial exposure, protect customers, and to win work by demonstrating compliance and security across systems. “Resilience by design” becomes both a key watchword and a call to action for these businesses.
SMEs should look to embed resilience by design across the organisation, in product and service development, operating models, back-office functions, people, infrastructure, IT networks, and training programmes, and to implement practical controls that reduce cyber risk, such as:
- Immutable backups that cannot be modified, deleted, or overwritten.
- Defined retention and protection so backups remain secure for the required period.
- Data integrity measures to detect and prevent corruption or tampering.
- Operational and training alignment so staff, processes, and technology work together to prevent, detect, and recover from incidents.
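The integrity control in the list above is the one most easily shown in code: record a cryptographic hash of every file in a backup set at the time it is taken, then re-check the set before it is relied on. The script below is an added example, not code from this article or from Vialex. It assumes a plain directory tree of backup files; the file names, contents and the tampering it simulates are constructed for the demonstration.

```python
"""Backup integrity manifest: hash every file in a backup set once, then
re-verify later to detect corruption, tampering, deletion or unexpected
additions.  Added example, not code from the article or from Vialex.
Assumes a plain directory tree of backup files; all paths and contents
in demo() are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large archives never load fully into RAM


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against a stored manifest.
    Returns the paths that were modified, missing, or added since the manifest
    was taken; all three lists empty means the backup set is intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest, then tamper with the backup set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (root / "config.yaml").write_bytes(b"retention_days: 90\n")

        # Take the manifest at backup time.  Serialising it to JSON stands in
        # for storing it somewhere the backup host cannot rewrite (e.g. the
        # same immutable store that holds the backups).
        stored = json.loads(json.dumps(build_manifest(root)))

        # Simulated tampering, deletion and an unexpected extra file.
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'tampered');\n")
        (root / "config.yaml").unlink()
        (root / "extra.bin").write_bytes(b"\x00" * 16)

        return verify_manifest(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the manifest's storage: if an attacker who can rewrite the backups can also rewrite the manifest, verification proves nothing, which is why the manifest belongs alongside the backups in an immutable (write-once) location rather than on the server that produced them.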
Up-to-date information is vital for the effective and efficient running of a business, from the perspective of both the business itself and its customers; if the business’s operational cycle is measured in seconds, so too must be its backup and recovery plans.
Any business which is on top of these issues will test disaster recovery plans, strengthen technical controls, and prepare for AI threats.
If your business is looking for a summary action plan, the following discussion and action points should be on the agenda for your next board meeting (and if your business is not looking for a summary action plan – it really should be):
- Assess your risk: when did you last look at your cyber assessment framework to identify your specific risks and implement appropriate cybersecurity measures?
- Assess management information: is it sufficient to demonstrate how monitoring activity prevents cybersecurity events, and to evidence the range of any near misses and the speed at which those are brought to the management team’s attention? The ideal time frame is within 24 hours of first becoming aware that an incident has occurred or is occurring, with a full report required within 72 hours.
- Create an incident response action plan: define roles, reporting timelines, and communication protocols.
- Train your team: include regular phishing simulations and awareness sessions.
- Engage with your supply chain: ensure partners meet minimum security standards.
As the NCSC has noted, cybersecurity must be embedded in governance; senior individuals within a business should be assigned responsibility for specific issues and risks, and they should report regularly to the board.
The NCSC’s message is clear: cyber threats are escalating in scale, sophistication and impact. For SMEs, cybersecurity can no longer be a technical afterthought; it is now a board-level priority that directly affects business continuity, reputation, and financial stability.
Put simply, resilience is not optional but essential for survival and growth. So, take all appropriate steps now, including seeking professional advice, and look forward to a more cyber-secure business future.
Scott Moncur is head of financial services & sustainable development at Vialex