Strengthening Cyber Resilience for Your Business: Importance and Strategies
What is cyber resilience?
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” - NIST Cybersecurity Framework
“Data Security is the protection of data from accidental or deliberate, unauthorised change, destruction or disclosure.” - Education Data Hub
In 2022, 39% of UK businesses were victims of a cyber attack, down from 46% in 2020. If your business falls within this large proportion of UK businesses subject to attacks, it is important to be prepared.
Cyber resilience is essential for a business to continue to function despite a cyber attack. Companies must be able to not only protect themselves against such threats but also detect, respond and recover data, in order to maintain cyber resilience.
Why is it important?
Cyber attacks are conducted across the globe, and the risk to smaller, less protected businesses is increasing. It is now standard practice for large companies to have dedicated cybersecurity specialists, making vulnerabilities few and far between.
The vast majority of cyber attacks are conducted by unskilled individuals. Often, they use relatively unsophisticated means: the digital equivalent of a burglar trying a house door in the hope that it is unlocked.
The risk arises due to the volume of cyber attacks that are now being launched every day from around the world. For this reason, organisations of all shapes and sizes are being encouraged to adopt an “If-Not-When” approach to mitigate this risk.
Common cyber attack methods
A preferred method for cyber attackers is to use the credentials of privileged account holders. Often, this is simply done by discovering passwords to gain unauthorised access to networks.
Another common type of cyber attack is “phishing”. This is where employees are encouraged to click on a link and are taken to a malicious website, and/or asked to download an attachment. The employee may then have unwittingly allowed the hacker access to the company’s confidential data.
Phishing usually takes place through emails delivered to employees via their work email addresses. They are typically designed to appear as if they are from a trustworthy third-party source, so as not to arouse suspicion.
It is also possible for a rogue employee to be the source of a cyber attack on the business that employs them - either acting alone or on the instruction of organised cyber criminals. These individuals tend to use the account privileges granted to them as employees to cause damage from within an organisation.
Consequences of cyber attacks
Interruption of your business for as long as systems are compromised, e.g. the inability to make sales from a hacked website.
Reputational damage, especially when your business is entrusted with confidential data of customers/clients.
Sanctions for failing to meet regulatory and/or legal requirements.
Ways to enhance a startup’s cyber resilience
1. Implement a “Data Security Policy”, detailing:
what data the business will store;
how data will be securely stored; and
the relationship of every employee with that data (to access, use etc.).
2. Provide cybersecurity awareness training for ALL employees, both for new starters and at regular intervals for the duration of their employment.
3. Adopt password creation policies. Passwords are more effective when they are strong and changed frequently, and requiring two-factor authentication adds a further layer of security.
4. Consider issuing standardised company hardware to employees. It is tempting to save money by requiring employees to work on their own personal devices. The problem with allowing employees to use whatever laptop or device they happen to own is that it becomes far more difficult to monitor and enforce the standards (for software and operating systems) that are necessary to keep hackers away from company data.
5. Ban the use of external devices, for example those connected through computer USB ports, to transfer data.
6. Use security software packages that protect and encrypt any data deemed sensitive, and keep them regularly updated to patch any vulnerabilities.
Security software packages can’t guarantee cyber resilience, so it may be worth considering expenditure on cybersecurity insurance, to cover the costs of recovering from a cyber attack. Such protection is particularly important for startups, given that around 60% of small businesses close within 6 months due to a cyber attack, according to research by the National Cyber Security Alliance.
7. Back up data regularly, and have a system in place to quickly restore that data to the relevant databases. Ideally, your data should be backed up remotely in the “Cloud” and on an external hard drive. The advantage of cloud-based storage is that your data remains safe even if your IT equipment is physically destroyed, lost or stolen. However, because cloud storage can be hacked, your business may be vulnerable to ransomware attacks unless you also back up your data onto an external hard drive.
8. Establish a system for removing data and other content from retired devices prior to their disposal. Files should be rendered truly unrecoverable, which a surface-level “delete” does not achieve.
9. Ensure you have a procedure in place for responding to a cyber attack, and inform your employees of it. Of particular use is Exercise in a Box (NCSC.GOV.UK), the National Cyber Security Centre's free tool for organisations to test and practise their response to a cyber attack.
Cyber resilience is still a nascent area, but one that requires constant supervision as updates and new provisions will come into effect. We hope this article has raised awareness of the increasing issue of cyber attacks and provided insight into some ways you may be able to become more cyber resilient. However, it is advisable that you keep up to date with the latest insights and news around this topic, specifically from the National Cyber Security Centre. We have collated further resources below which may be of interest.
Useful Sources
Small & medium sized organisations - NCSC.GOV.UK
About Cyber Essentials - NCSC.GOV.UK
How to protect your startup against cyber attacks (officechai.com)
5 Steps To Help Protect Your Startup From A Cyber Attack (forbes.com)
Exercise in a Box - NCSC.GOV.UK
How startups can protect their websites from cyber attacks | Startups Magazine
Author: Edward Bennet-Gibbon -
DISCLAIMER
This article has been written by law students for the sole purpose of providing informative insight. The information in this article is intended for educational purposes only and does not constitute legal advice, nor should the information be used for the purpose of advising clients. You should seek independent legal advice before relying on any of the information provided in this article.