
Getting started with Cyber as a small business? Start here.
May 17, 2024
8 min read
Key takeaways (TL;DR):
Don't have time to read the blog but want the take-away actions? Here you go:
To decompose your initial goals head to the National Cyber Security Centre’s Cyber Aware Survey, and answer a few questions honestly to get a tailored collection of suggestions as an action plan. The Small Business Guide goes into some more detail on the first five major things to consider for the security of your business. Answer the three questions in the body of the blog to get comfortable with what you're protecting and how, and then look to 'systematise your gains' with a look at Cyber Essentials.
Introduction
We’re nearly halfway through 2024, and a majority of smaller organisations still feel like they’re behind the curve on cyber security. Running a small business is already a full-time job without considering the responsibility you have for your customers’ data, or the risks posed to you in an age where digitally enabled crime has never been easier. With a market full of software and training and salespeople and consultants, it can feel quite exhausting to wade into the long grass of talking about what you feel you need to do – let alone worry about whether you’re doing it properly and in a way that is accountable.
We’re a consultancy that evolved out of efforts to secure the SME landscape at the national level, and so we’ve seen first hand how tough it can feel to just get started. We’ve picked up the best guidance that has already been ironed out as ‘good’ and stuck it here so that you feel comfortable having the conversation about where you are with your cyber security. Maybe you’ve taken some initial steps and don’t know how to commit these to policy, or perhaps you’ve decided to give some time to the issue but really don’t know how to get the ball rolling; wherever you are, take a read of the following suggestions and see how you feel about them.
To get the obvious out of the way: We are a for-profit consultancy, and this blog will end in a call to action to get in touch with us. We enjoy working with organisations at all stages of their security journey, but we’re posting this to signpost some resources that will help visitors to our website feel empowered to have effective and well-directed conversations about what they think is right for them. We take pride in our work, and a part of that pride is that we’re here to demystify security and make it accessible. In short, you’re reading this because it will make your job easier, and our job easier too.
First things first
The first thing to note is that you’re not the first small business tackling these problems, and so there are some awesome and cost-effective (and mostly free!) options out there to develop your understanding and planning around cyber security. The resource you are most likely to need to invest in your cybersecurity is therefore the one that small business owners tend not to have a lot of: time. Respecting this, we’ve put our key takeaways for you at the top of the page! The biggest favour you can therefore do for yourself is to decompose your goal of ‘cybersecurity’ into manageable targets and then set reasonable time frames to get these achieved. To decompose your initial goals, head to the National Cyber Security Centre’s Cyber Aware Survey and answer a few questions honestly to get a tailored collection of suggestions as an action plan. Something very useful is to give yourself a time target to meet these goals. This effort will see you focusing on identity and access management – making sure that you have proper controls in place to secure all your online services from criminals, and that you have a central account of what the digital elements of your organisation are. Taking these measures in your personal life will also contribute to better protecting your business.
An awesome playbook also produced by the National Cyber Security Centre is the Small Business Guide. This goes into some more detail on the first five major things to consider for the security of your business. It’s worth reading through with a notebook and noting down anything you’re unsure of, to look into and learn about at your convenience.
Once you feel aware and informed of these considerations you’ll feel comfortable discussing how to turn them into business-as-usual parts of your operation, and will also be better positioned to have a conversation with a professional who can help you design or implement them in a way that matches your exact needs and context. It can be difficult to turn this understanding into results, and so you may wish to seek professional help at this stage. If you do, then remember that following the Small Business Guide can be done at low cost or indeed for free if you have time to give to it, so go into conversations knowing that you’re likely only going to be paying for someone’s time to help you, and for any security solutions that provide additional convenience or features.
I’m comfortable with all of this – now what?
Once you have a functional baseline of security (or a good understanding of what one should look like and the will to try and make it happen), the best thing to do is often to sit down and run a few workshops that help you identify the following:
1. What things do I need to run my business?
What hardware, software, relationships, contracts, and physical things do I use to run my business, and do I keep them all in mind when making decisions? It is a great resource to collect a list of these things and keep it up to date. This is called an Asset Register.
2. What are the risks to my business?
What are the things that get in the way of what I’m trying to do, or may jeopardise my ability to run my business or turn a profit? Who are the people that pose those risks, and what do I do about them? Are there any legal requirements or obligations I need to meet? This ongoing mindset and the documentation it tends to produce is known as a Risk Register.
3. What am I currently doing about these risks?
What solutions or behaviours have I put in place (or am trying to put in place) to make sure that these risks don’t have an adverse effect on my business, and, if there’s nothing I can do about a risk, have I got the correct protection in place with something like insurance? When we commit these thoughts to a document or try to systematise them as an approach, we call it a Risk Treatment Plan.
Whilst this may feel like a lot of work, it will be an undertaking proportional to the size and scale of your organisation; we’ve completed risk assessments and treatment plans over the course of a few afternoons, and it really is more about nurturing a way of thinking than anything else. This work may feel far from what we think of when we think of ‘cybersecurity’, but we are much better positioned to decide how to protect our business when we know what it’s made of and what risks those things might come up against. Importantly, it also means we’ll only ever commit to software, expertise, or controls in proportion to what we need to be concerned about – so we don’t overspend our time or money, and get exactly what we need.
We can track these things however we want to, and there’s no shortage of templates to take advantage of from the ‘Information Assurance for SMEs’ group, IASME. This leads us into our next big step.
Systematise your gains
You’ve taken efforts to secure the business, and you’ve done so in the context of the risks you face; now it’s time to build these into a system that you can use to keep track of your cyber security goals. Things change over time, and we can still make mistakes with our security after we’ve set everything up. A sure-fire way to ensure you don’t let your own standards slip is to systematise them. All this means is creating and taking care of a few documents that you check when it feels appropriate, which let you audit your current behaviour against the standard you want to be at. Deciding to build out a ‘management system’ of some kind opens the door to standards and frameworks that have been designed specifically for the SME community, which take the best-practice guidance and turn it into auditable lists of controls and efforts that you can assess yourself against (or get assessed against by a professional third party if you want a formal certification of your efforts).
The first port of call if you’re interested in this is to look at Cyber Essentials, which assesses the technical components of your organisation to make sure that you’re protected against the most common types of digital crime that are likely to happen to an SME. You can self-assess in five areas (not the same five areas as the Small Business Guide, confusingly), and then have a professional body verify your reporting. This costs about £300, and there are a lot of resources to help situate and support you. You can then elect to have these controls formally assessed and audited by a third party (which includes a vulnerability assessment of your technology and network) to get accredited as compliant with “Cyber Essentials Plus”. The cost of this will vary based on your size.
This is no small feat and takes some time to do, but it is certainly one of the most useful options to pursue for a business looking to meet a robust and reputable standard in technical security measures. Equally, you may decide that you are confident in the measures you’ve taken after reading best-practice guidance – and don’t feel the need to demonstrate your digital security. Either way, it’s good to know the standard is out there and that you have access to its content for free. There are plenty of other frameworks to choose from too, and consultants and third-party experts often try to align their efforts with these frameworks.
As a quick aside – even if you decide not to pursue accreditation, it’s still worthwhile to build a management system that assures you have a robust and repeatable approach to your work and your security. It’s a true investment in yourself and your business to do so, and it’s something that can be done quite quickly and painlessly – with awesome benefits. Learning how to use and maintain one ‘type’ of management system means you’re able to quite easily make another; you can have management systems for quality assurance of your services, information security, business continuity, and more – and they’re all very easy to use in collaboration with one another as they follow very similar design principles.
Conclusion
Taking action to secure your organisation is as simple as putting one foot in front of the other; the difficulty is clearly in finding the time and expertise to make it happen. This short post signposts some fantastic resources to help acquaint you with the type of work and what it may look like – and indeed what the goals and objectives may be for you. Only you have the power to commit to the project and make it a reality. That can certainly feel daunting, but know that you’re not alone. Remember to reach out to your neighbour organisations or members of your business community and ask what they’re doing, and see if you can collaborate in discussion or in producing useful resources for your specific sector.
Further to this (of course), reach out to us for a consultation that will put all the resources on the table for you and let you take comfort in professional advice and support. Our team has experience across a large array of sectors and is positioned to help mature SMEs into a comfortable and sustainable position where you feel at ease when you think of cybersecurity.