How do you know if your cyber security is adequate?

Cyber security and GDPR are closely linked, together they provide the foundational assurances that your data is used and protected appropriately. It’s important to keep in mind that cyber risks come from internal breaches as well as attacks on vulnerabilities in your business and in your supply chain. 90 per cent of data security issues were caused by human error in 2019, according to the UK Information Commissioner’s Office (ICO).

Covid-19 created a surge in home working and as a result the attack surface of organisations increased. In 2020 there was a sevenfold rise in ransomware attacks and this is a trend that’s likely to continue. It’s become a case of when, not if you will face a security issue.

Spending upfront on cyber protection won’t generate an immediate financial return but it will save you recovery costs. In one incident a UK SME was faced with a £1 million cyber security bill after a ransomware attack brought down their entire production capability for several weeks. The business lost all their documents and were left with pallets of unusable computer equipment.

The benefits of a robust cyber security strategy aren’t just financial, they include regulatory and customer confidence. Many SMEs are third-party suppliers and partners in vast networks belonging to larger organisations. SMEs are under increasing pressure to prove their security credentials, or risk losing access to lucrative business opportunities.

GDPR regulations are part of UK law. GDPR has placed greater emphasis on transparency, accountability, data security plus other technical and business controls. The regulation has also increased the rights of Individuals over their personal data.

The question is often asked how GDPR is impacted by Brexit, and the answer is, very little. At the time of writing the requirements are largely still the same. This may change over the next 12 months as we move from the EU to a UK model so it’s important to keep up to date. 

Key questions to ask of your business

Are adequate cyber security protections in place both in technology, people and process?
Are your teams aware of cyber security threats and the importance of their role in mitigating them?
Are GDPR regulations complied with?

What does this often look like in average SMEs?

increasing numbers of SMEs now have a cyber security strategy in place, but some are implemented inconsistently with ad-hoc risk assessments and ad-hoc security training. System access is often broad and open with only basic processes in place for starters and leavers.

It’s common to find an absence of Multi-factor Authentication (MFA), infrequent cyber security compliance exercises, and little or no penetration testing of key applications.

Supplier risk management is a particularly challenging aspect of cyber security. Many SMEs have limited visibility into their supply chains, and lack the tools and expertise to evaluate cyber risks posed by suppliers.

At a basic level of GDPR compliance there should be a named person with responsibility for data protection within the business, an up to date GDPR policy with privacy notices meeting Article 13 and breach reporting processes in place.

What does good look like?

Mature SMEs with robust cyber security and a high level of GDPR compliance have accountability at senior level and board-level reporting, and regular awareness training for all staff.

The security risk is actively monitored, system access privileges are tightly aligned to roles under the ‘principle of least privilege’, regular penetration testing is undertaken and MFA is implemented across all systems and users.

Well protected businesses have achieved Cyber Essentials Plus or ISO27001 certification in order to demonstrate to their stakeholders that they can be better relied upon to manage security risks.

Mature businesses will undertake regular cyber security awareness training accompanied by periodic phishing simulation exercises to test whether awareness is improving among staff.

For SMEs lacking in house expertise or capacity, these services can easily be procured from third party specialists at reasonable prices.

The business has established control and oversight of their supply chain, implementing the recommendations in the National Cyber Security Centre Supply Chain Security Guidance.

Good GDPR compliance means the ability to deal with subject access requests and personal data breaches within the defined 72 hour period. Personal data processes are fully understood, documented, and appropriately assessed against the business’s appetite for risk. Marketing processes have an auditable trail to make sure they are supported by an appropriate legal basis.