As a key player in the government’s strategy to protect businesses from cyber attacks, the National Cyber Security Centre (NSCS) is uniquely placed to identify and quantify the risks and provide advice that businesses should adopt on a day-to-day basis.

Figures published by the NCSC suggest that 46% of UK businesses have experienced a breach or cyber attack. It’s a problem that is keenly felt by small businesses, which criminals often choose to target because there is a low likelihood of them being caught in the act. Of the businesses that identified a breach in the past 12 months, 45% were small and micro-size firms. Almost a quarter (23%) experienced a loss of files, while one fifth (20%) had software/systems corrupted.

In response to the threats, the bank recently hosted a webinar asking how businesses can understand the threats they face, and the steps they can take to stay safe. Entitled ‘Staying cyber & fraud safe’, it featured the NCSC’s SME engagement team lead and Julie McArdle, customer security manager for the bank.

The NCSC’s expert shared details about the organisation’s remit: “We were set up in October 2016 in support of the National Security Strategy to make the UK the safest place to do business online.” Its mission includes monitoring and understanding the growing risks, as well as reducing the risks that industry faces by producing guidance and products for businesses to use.

The expert explained that identifying the types of attacker and the means at their disposal are both key to understanding the threats businesses face. On the issue of perpetrators, these can range from criminals seeking financial gain to hacktivists with a personal or political agenda, or even terrorists and nation states. When it comes to exploiting SMEs, attackers typically choose one of five weapons from their digital armoury: phishing, ransomware, dedicated denial of service (DDOS) attacks, and using insider threats.

In all, SMEs face a multitude of threats they should prepare for, and it is with this complexity in mind that the NCSC has developed the Cyber Security Small Business Guide , a set of simple steps businesses can deploy to increase their safety.

At a tactical level, the guide recommends five low-cost steps that companies can think about immediately. These are:

  1. Backing up data to cloud as well as physical drives
  2. Protecting systems from malware
  3. Keeping smartphones and tablets safe, especially with respect to wireless networks
  4. Updating passwords and making sure they are difficult to crack
  5. Identifying the telltale signs of phishing

“You’ll also find on our website the Small Business Guide Actions list,” added the NCSC expert. Its virtue, they said, is the flexibility to devolve responsibility to different stakeholders within the business, and the guide can be implemented within a week.

At a strategic level, the guide makes recommendations for how businesses can implement safety-first policies, such as setting up a risk-management regimen, managing user privileges and setting out how to monitor and manage any incidents that do occur.

No one actually believes they will fall victim to social engineering, But when customers do, it’s because it doesn’t look exactly as they thought it would. It looks more professional than they would expect

Julie McArdle
Customer security manager

Of course, individual businesses view cyber security with different levels of urgency, and for those that are at a more advanced stage in their approach, there are more detailed options. “If you think this is a bit basic, you can implement 10 steps to cyber security,” added the expert. This involves setting different access permissions to different users in a business and how to configure devices so that access to data is limited to what is necessary for their role.

For firms that need to demonstrate their engagement with the issue – either with customers or as part of their supply chain – the expert recommends seeking NCSC accreditation, which costs £300. “That is something you can put on your website to advertise to your customers that you are taking cyber security seriously,” they added.

The NCSC has also recently launched a board-level toolkit, designed to enshrine the shared responsibility that managers and IT should have with respect to security.

A bank perspective

Viewers of the webinar also heard from the bank’s customer security manager, Julie McArdle, who was on hand to share some of the experiences she sees in her day-to-day dealings with customers. McArdle was especially keen to explore some of the social engineering techniques that attackers use, such as phishing, vishing and smishing. While these deploy the mediums of email, phone or text messaging as a means of breaking down a firm’s defences, the salient similarity between all three is that they present a credible request for information or transferal of funds that appears, on the surface, to be genuine. Often, company information may have been compromised and shared online, which criminals can then use to make contact with a company and socially engineer a payment.

“No one actually believes they will fall victim to social engineering,” said McArdle, who added that clients often feel certain they can easily recognise an attack. “But when customers do, it’s because it doesn’t look exactly as they thought it would. It looks more professional than they would expect.”

Often the person looking to exploit a business knows some information about the point of contact it chooses to target, conveying a sense of authority and confidence that brings about trust in the proposed transaction. McArdle said that when a client realises they have been subject to a scam, they’re often in a state of shock, disbelief and anger.

While social engineering techniques are becoming more widely discussed, a trend McArdle also identified was the authorised push payment. These typically involve a request to change bank details, or a bogus email purportedly sent by a senior executive to issue payment to a supplier. The types of threat may be evolving, with each requiring renewed awareness, but there are some universal tips that will help keep businesses safe from attack, and help ease minds. These are to:

check for irregularities

consider the language used

double-check by contacting the sender

use independently sourced details

follow pre-agreed procedures

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top