Protect your business from cyber attacks in five simple steps

Around one in three UK businesses are likely to experience a cyber breach in the next year. It’s a frightening statistic.

Firstly, could you tell us a bit about the NCSC?

“Of course. The NCSC was set up in 2016, as part of Government Communications Headquarters (GCHQ). Our aim is to make the UK the safest place to live and do business online. We help manage and mitigate the impact of cyber attacks. We also look to better understand cyber attacks, so we can stop them happening in the first place and improve responses when they do.”

How is the NCSC working with businesses to help them improve their cyber security?

“From talking to businesses, we found that they want consistent, easy-to-follow advice on cyber security that’s inexpensive to implement.

“So the first phase for us was focused on providing that basic cyber-security advice and then building partnerships to help share it.

“Back in October 2017 we launched the Cyber Security: Small Business Guide, which helps businesses protect themselves from the most common cyber-security threats. It’s the foundation of the NCSC’s offering to SMEs, and you can find it on our website. It’s simple and low cost to implement, so it’s the perfect first step on the path for you to improve your business’s cyber security.

“Protecting your organisation really doesn’t have to be daunting. Most cyber threats are preventable by implementing some basic technical controls.”

How common are cyber attacks and what types of attacks do you see most often?

“The cyber breaches survey produced by the UK government said, in 2019, you as a UK business have around a one in three chance of experiencing a cyber breach, with the average annual cost being £3,650 per small business.

Cyber-security expert at GCHQ

“For SMEs, we see a high volume of quite basic, opportunistic attacks. The most common things we’re seeing are:

  • Phishing attacks. These are scam emails sent en masse. They might ask for personal information like bank details, or encourage you to make a payment or visit a fake website via a malicious link. We’re still seeing high numbers of these attacks. To counter them, make sure you help your staff identify and report suspicious emails, and turn on two-factor authentication where possible. Lastly, if in doubt about an email, discuss it with a colleague or initiate a call-back to verify, using a number you trust.
  • Ransomware. That’s malicious software that makes data or software unusable until the victim makes a payment.
  • Insider threat. This is the potential damage that can be done either maliciously or accidentally by a legitimate user of your technology. To reduce this risk, we recommend using administrator privileges, so making sure that people only have the right level of access to systems they need to do their job.

“We’re finding that SMEs are vulnerable to untargeted attacks. Small businesses commonly don’t see themselves as at risk, and therefore they’re not implementing the basic controls. A key goal of ours is to raise awareness and to help businesses improve their resilience just by implementing the basics, so they can take themselves out of that easy target zone.”

What advice would you give to businesses looking to better protect themselves?

“As a starting point, follow the five simple steps which are set out in our Small Business Guide:

  • Make sure you’re backing up your data. This should be to a physical hard drive that isn’t connected to a network. You can also consider backing up to the cloud.
  • Protect your business against malware by using antivirus software and keeping it updated, and keeping your firewall turned on. Also, make sure you’re running all your software updates, as these contain fixes for identified vulnerabilities.
  • Keep your tablets and smartphones safe. A lot of smaller businesses don’t necessarily have an office; they might be working on the move, perhaps in a coffee shop or on the train. So make sure you’ve got a password and a PIN on your device, and if you’re out and about using the internet, consider tethering instead of connecting to public wifi.
  • Only use strong passwords. Cybercriminals use loads of different combinations of the most common passwords to break into accounts with weak password protection. We suggest creating passwords that are strings of three random words. This creates a long complex chain that’s hard to crack, but easy to remember.
  • Build a culture of awareness. This is particularly important to combat phishing attacks. It’s about fostering an open culture within your organisation that says it’s OK to speak up if you think you’ve received a phishing email or clicked a suspicious link. The sooner people know, the better. It’s about training and awareness, making sure employees know the signs to look out for.

“It’s also important to make full use of the security options your bank provides to protect you online. If you’re a Bankline customer, for example, take the time to set dual user controls and payments limits. There are webinars and support pages to help you with this.”

If a business does fall victim to a cyber attack, how can they limit the damage?

“Sadly, sometimes it’s not a case of ‘if’, but ‘when’. The best way you can limit the impact of a cyber breach is to be prepared. Preparing your response and planning your recovery will help you react and recover quickly.

“We’ve recently produced a Response & Recovery guide to help with this. It covers things like how you identify a cyber incident and making sure you’ve got a business continuity and recovery plan. Depending on your business, this could be as simple as a sheet of paper with a list of people you’ll need to contact in a cyber incident.

“One key piece of advice. If you’re ever involved in a live cyber incident, call Action Fraud immediately. If you press 9 on your keypad, they’ll deal with your call as a priority and triage your incident over the phone. The number’s 0300 123 2040, and this could form part of everyone’s continuity plan.”

Where can businesses go for more support?

“On our website, there’s bespoke advice and resources for businesses of all sizes. If you’re looking to implement basic cyber-security controls, start with the Small Business Guide and the small business actions list. If you’re looking to take things further, you can seek certification under the Cyber Essentials scheme. And if you’re a larger business or you’re at greater risk of cybercrime, then we’d point you to our Ten Steps to Cyber Security.

“There’s also our free ‘Exercise in a Box’ product, which is designed to help you and your colleagues with incident and recovery planning. It’s full of scenarios to help you test your business’s preparedness, including an easy-to-use simulation exercise for more technical people. It gives you all the tools you need to run the exercises yourself, and you get a feedback report at the end.

“Lastly, I’d mention our Cyber Security Information Sharing Partnership (CiSP) platform, a live threat intelligence platform. You can join your regional or sector node, and people use it to share intelligence about recent threats and the latest mitigation techniques.”

Is there cause for optimism about cyber security?

“Absolutely! We understand cyber security is a fairly new concept for a lot of businesses, but protecting your organisation really doesn’t have to be daunting. Many cyber threats are preventable by implementing the basics. Most attackers are opportunistic – they’ll go for the easy target – so what you need to do is take yourself out of that easy-target zone.

“It’s about making cyber security part of business as usual, and not that extra task you need to worry about that’s going to take up loads of your time and money, because it really doesn’t have to.”

To find out more about improving your cyber security, visit the NCSC website.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
