Inspector Gavin Mayes, who manages the North Yorkshire Police Cybercrime and Digital Forensic Units, looks at some of the cyber challenges facing small and medium sized enterprises and microbusinesses, highlighting free tools and resources that can help target harden your business.
 

'Considering the recent well-publicised incident involving a global cybersecurity provider and the subsequent impact caused to millions of Microsoft Windows Servers, this really focuses the mind on the importance of cyber business resilience within your organisation and casts the net wide in terms of your considerations around risk, not only from internal and external threats, but also from day to day deployment of patches from trusted sources and what to do when it all goes wrong.  

The 2023 government cyber security breach survey highlighted the fact that the most common cyber threats were relatively unsophisticated. Worryingly over the last three years that survey identified a consistent decline in cyber hygiene among businesses, specifically:
 

• use of password policies - 79% in 2021 compared to 70% in 2023
• use of network firewalls - 78% in 2021 compared to 66% in 2023
• restricting admin rights - 75% in 2021 compared to 67% in 2023

Having worked in policing, with a specific remit on cybercrime for almost 10 years, I have seen hundreds of successful cyber-attacks from a broad and varied spectrum of attack vectors. There are some very capable people out there who can find and exploit both hardware and software vulnerabilities for the purposes of criminal gains. However, in my experience the weakest link in your cyber security architecture is nearly always the human element.

Broadly speaking I mean user error, such as inadvertently creating exploitable access points through poorly configured networks / firewalls, failure to patch known vulnerabilities or a simple a lack of process controls, such as network administrators failing to manage permissions, access levels and enforcement of password management. In addition to that, employees often fall foul of phishing emails, social engineering and having credentials compromised, all of which brings risk to your organisation. That coupled with an often-seen mentality of “it will never happen to us” and complete lack of preparedness in the form of business continuity plans makes for the perfect storm of business disruption, monetary losses, and impact on customer confidence, especially in the context of any resulting data breaches.' 
 

The impact and reality of cybercrime

'Unfortunately, I have on more than one occasion witnessed a microbusiness forced into insolvency and countless other small and medium sized enterprises in a state of turmoil, left dealing with the cleanup and operational recovery from a cyber-attack. In many instances these attacks could have been avoided by implementation of a robust cyber security risk management framework and business / disaster recovery plans.

In one such instance my team successfully charged and prosecuted a disgruntled ex-employee, who after resigning several months earlier, was able to log back into a cloud storage platform and delete over 5,000 of the company’s files. This led to financial losses of over £100,000 as the company employed IT professionals to try restoring its data, but ultimately ended in job losses and insolvency. Clearly ex-employees can pose a serious risk to a business due to the familiarity with the company’s IT infrastructure and internal procedures, and in this instance, the failure to remove the ex-employees account permissions was enough to bring the whole business down. Simple stuff, but I emphasize this case to demonstrate it doesn’t take nation state hackers or organised crime groups to bring down your business.'
 

Free resources available to your business right now

'Cybersecurity does not have to cost the world and you can start taking those first steps towards target hardening your business against the most common vulnerabilities right now. I often struggle to understand why businesses fail to tap into the wealth of free resources that the National Cyber Security Centre provides, which if utilised could significantly reduce the chances of businesses becoming a victim of cybercrime. One of those resources is Cyber Aware, which provides you with a free ‘Cyber Action Plan’ which takes about three to five minutes to complete. This will provide you with a free personalised action plan on what you can do right now to protect against cyber-attacks.  

The National Cyber Security Centre also provide material on how to plan and prepare for a cyber-attack and how businesses can respond and recover should the worst happen. This should be at the heart of your business continuity plans. Within the Yorkshire and Humber region you can receive free ‘Exercise in a Box’ training to help your organisation test and practice your response to a cyber-attack. Your local police force also offers free ‘Cyber Escape Room’ training in the form of a team-based tabletop exercise, pitched at your non-IT staff to help them understand the importance of cyber security at both home and work.

Looking wider towards other free resources and services, businesses should consider taking advantage of ‘Police Cyber Alarm’ - an award-winning free tool, provided by your local police forces and funded by the Home Office, to help your business or organisation monitor and report the suspicious cyber activity it faces. Police CyberAlarm can scan your website and external facing IP addresses for known vulnerabilities, providing you with regular reports detailing any detected suspicious activity on your network, enabling you to take action and better protect your business. Since its launch it has already identified over a billion suspicious events resulting in reports and advice being given to members, enabling them to take action to prevent a successful attack.

Small medium enterprises should also consider taking advantage of the free core membership offered by the North East Business Resilience Centre (NEBRC) which provides a wealth of support and guidance to businesses to help you on your journey towards becoming Cyber Essentials Certified. This will help demonstrate your commitment to cybersecurity, reassuring customers that you take cyber-security serious and are committed to protecting their data. 
 
For some organisations, cyber resilience may seem unattainable or incredibly challenging to create and maintain, but most companies I speak to are yet to even take those first steps of exploring basic National Cyber Security Centre guidance and tap into free resources and services that could assist them on their journey. In summing up, cyber-resilience can no longer be ‘tomorrow's priority’ and I would implore all businesses to take these first steps in ensuring cyber-defence is at the core of their business continuity plans.'