Cyber Threat Report released by NCSC and NCA

The National Cyber Security Centre and the National Crime Agency have today released their joint report on the cyber threat to UK business.  The headlines are certainly powerful and could give any business leader sleepless nights:

  • The cyber threat to UK business is significant and growing.
  • This threat is varied and adaptable.
  • The rise of internet connected devices gives attackers more opportunity.
  • The past year has been punctuated by cyber attacks on a scale and boldness not seen before.

Further, the report points out that the opportunities for attackers are increasing while the technical skill required to carry out an attack is decreasing, which means that the number of people capable of launching an attack is growing.  The good news, however, is that it is possible to defend against all but the most determined and technically capable attackers.  Basic “cyber hygiene” can thwart the vast majority of threats.

The threat

  • Malware and attack services are traded on the dark web, enabling unskilled people to launch attacks.
  • Cyber extortion (ransomware, DDoS, etc.) has increased and is targeting specific businesses for greater reward.
  • “Internet of Things” botnets are growing, to the extent that government intervention and product recalls are becoming necessary.
  • Financial exploits have become more targeted and less visible.
  • The threat to mobile devices (smartphones) is low but growing.
  • Social media is a significant attack vector, exploiting the trust and familiarity associated with these sites.
  • Large-scale data breaches continue to hit the headlines.

How can we deal with these threats?

As I said above, simple, basic measures will prevent the vast majority of attacks.  The Cyber Essentials controls (boundary firewalls, secure configuration, access control, malware protection and patch management) are still an effective starting point.  Key decision makers should engage with the risk assessment and mitigation process, just as they would for any other business risk.  Cyber threats affect the whole business, not just the IT department, so you need a whole-business approach to dealing with them.

Similarly, awareness-raising, information-sharing and incident reporting are vital safeguards.  Your customer-facing staff are far more likely than your IT security team to receive, and respond to, messages from an unknown and untrusted origin.  Do they know how to recognise a suspicious request and how to deal with it?

Of course, we are happy to help you with your cyber security management and with awareness training.  Simply contact us for a free initial consultation.

Using Weather Warnings in Business

Unplanned events, by their nature, often occur with little or no warning.  Weather is one of the notable exceptions.  The Met Office issues warnings, free of charge and up to five days in advance.  But the warnings come in almost every week in the winter months.  So, how can you ensure that your business response is proportionate?  The answer lies in decoding the information that the Met Office provides.

Getting Weather Warnings

The Met Office posts weather warnings on its website and circulates them to the media.  You will hear these as the red, amber and yellow warnings in TV and radio bulletins.  You can also have the warnings sent to you by email or as a notification on your mobile device via the Met Office weather app.  TV and radio warnings usually give only the basic information; the full warning has much more detail.  As a subscriber to the email or app notifications, you get the full detail and a fresh notification whenever a warning is updated.

Is this for me?

First, look at the specific area covered.  The regions that you can subscribe to are vast and can easily have different weather conditions from one side to the other.  The Met Office provides both a map and a list of the local authority areas covered.  This allows you to quickly filter out those warnings that do not apply where you are.

The full warning itself consists of three sections: the warning text, the chief forecaster’s assessment and the weather impact matrix.  It is easy to overlook the matrix, but it actually provides the critical information at a glance.

Enter the Matrix

The matrix plots the impact and the likelihood of the adverse weather in a format that will be immediately familiar to business people used to evaluating risk.  This means that you can use the information directly: apply it to your own business risk appetite and decide whether you need to act to mitigate the risk and its likely impact.

The Met Office publishes detailed explanations of what the impact statements mean at each level.  This means that you can plan in advance which weather types are likely to affect your business and what each impact level on a warning is likely to mean for you.

How big is the impact?

How can the weather affect your business?  Clearly, every business will answer this question differently.  Some of the general impacts to think about are:

  • Ease of travel: can staff get to work (and back home afterwards)?  Is it prudent to postpone non-essential meetings or move to remote working?  What about deliveries?
  • Health and safety of those working outside.
  • Disruption to utilities and communications.
  • Damage to premises and/or assets stored outside.

All of these items are covered by the impact statements.  For instance, the low-impact statement may mention localised power disruptions, whereas the high-impact statement warns that widespread and prolonged power outages are expected.

Is it worth it?

When all is said and done, we do expect adverse weather in this country, especially in winter.  Much of our plan for dealing with the weather should be business as usual.  Indeed, we do not need to take action for the majority of weather warnings; we already know we can cope with them.  An informed glance at the impact matrix is how to quickly identify the warnings that you do need to sit up and take notice of.

New Year Fitness

2017 is just around the corner.  Every January, fitness clubs get a surge of new members as people decide to improve their health in their new year’s resolutions.  Do your resolutions include taking a critical look at the health and fitness of your business?

Planning for Fitness

There is no doubt that these are difficult and uncertain times for business.  Companies that are fit, healthy and agile often do well in such times.  History tells us that planning for uncertainty and looking beyond the immediate problems are the keys to thriving.  According to the Cabinet Office: “Whether the business recovers [from a serious incident] or not and whether it is still operating 12 months later depends on what advance planning has taken place.  This means action before and not after disaster strikes.”

Having a clear plan means that all key staff know their roles and the tasks that need to be achieved.  It also helps to avoid missing or overlooking important matters in the heat of the moment.  Most importantly, it sets the company on the road to recovery much more quickly than a trial-and-error approach to incident response.

Exercising the Plan

No battle plan survives first contact with the enemy.  The only way of knowing whether your plan will actually work is to test it.  You do not necessarily need to simulate a full-scale emergency in order to check your plan’s fitness.  Often, talking through a scenario around a table is enough to reveal hidden flaws and highlight missing elements.

Your Fitness Check

A great way to start your plan is to have a fitness check from Tom Crellin, Consultant.  We will look at where you are now and where your main pain-points are.  Using this information, we will develop a personalised action plan to take you through the next steps.  We start by gathering information about your company and how it operates.  Next, we sit down with you and discuss what you view as important to your business and how you tackle problems today.  We have designed the process to be quick and painless for you and to accelerate your own planning process by giving you a clear set of goals and action plan.

So that you get a flying start on your 2017 business resolutions, we have decided to offer the Fitness Check at the discounted price of £850 for the month of January (normal price £995). Contact us now for more information.

Planning for uncertainty

A key planning tool for any business is a PESTLE analysis.  At the moment, however, the analysis for many companies looks something like this:

  • Political: uncertain.  New PM, new cabinet, soon to be new shadow cabinet.
  • Economic: uncertain.  Post-Brexit negotiations have yet to be started.
  • Sociological: uncertain.  What effect will changes to EU migration have on supply and demand?
  • Technological: uncertain.  All we know for sure about technology is that it is fast-changing.
  • Legal: uncertain.  Will the new government increase or decrease red tape?
  • Environmental: uncertain.  Electricity demand is likely to outstrip supply this winter.  Rationing?  Power cuts?

All in all, it is what you might describe as a perfect storm of uncertainty.  It would be very easy to conclude, then, that companies should batten down the hatches and take shelter, concentrating on core products and waiting for new markets to emerge.  In fact, the world’s most successful businesses have often become successful by expanding or developing new products in uncertain times.  These companies view uncertainty as an opportunity: a time to create and exploit market shifts; a time to lead rather than to follow.

What is the worst that can happen?

One way to plan for uncertainty is to ask yourself: “What is the worst that can happen?”  Ask this for each of your products and services and for each of your markets.  Then plan how you would continue to grow your business even if that does happen.  It may be that the answer is to diversify, so that if one product begins to fail, other products can compensate for the loss.  Alternatively, the answer may be to specialise, so that you can ride on the growth of a niche market even when the general market is falling.  By putting plans in place to cover even the very worst-case scenarios, you are building the foundations of a business that will not easily be knocked down.

Planning for uncertainty, not planning to fail

Some people feel that planning for the worst case is, somehow, planning to fail.  Nothing could be further from the truth.  In fact, it is well known that failing to plan is planning to fail.  Planning for uncertainty, on the other hand, is your umbrella on a murky day.  Carry your umbrella and you will stay dry; leave it behind and the storm of uncertainty will soon find you.

We’ve been hacked – what now?

Recently, I spoke at a seminar in Brighton.  The topic was “We’ve been hacked – what now?”  The other speakers were a data forensics expert, a disaster recovery expert and a police officer.  I thought I would share with you the common themes that emerged:

Common Themes

  • Don’t rely on your in-house IT team alone to investigate.  It requires specialist skills to investigate an attack in a way that produces evidence of a quality that will stand up in court.  In their rush to get service up and running, your in-house IT staff are likely to compromise that evidence: rebooting, reimaging or patching affected machines destroys volatile evidence such as memory contents and overwrites the logs an investigator needs.
  • Have an incident management plan and good working backups of your data.  Robust planning prior to an attack is often the key difference between a company that survives an attack and one that does not.  Companies neglect the basics, such as backing up data, at their peril; a backup only counts as “working” if you have actually restored from it, and it is only useful against ransomware if the attacker cannot reach and encrypt it too.
  • Concentrate on dealing with the effects on your business, not on the technical issues.  It is easy to tie yourself up in the detail of how to fix your servers and get things back up and running.  However, it is actually far more important to keep your customers happy.  Never lose sight of what your customers want and need from you.
  • Think carefully about statements to the press and on social media.  Recent cyber-crime surveys show that the biggest cost of a cyber attack is not the loss of data or of trading; it is the loss of reputation.  Manage your reputation carefully throughout the incident.
  • Take time to stop, look and listen before jumping in with a recovery plan.  Make sure you fully understand the scope of the problem before trying to patch it up.  A fix for one specific symptom can create a false sense of security, because the underlying weaknesses that allowed the attack in the first place are still there.

Your reaction matters

Overall, business owners have different definitions of what it means to get hacked.  For some, a single PC catching a virus is a security incident.  Others only view it as a problem when they have evidence of actual data loss or angry customers.  Whatever your definition, customers will usually focus on how you react to the incident, not on how it happened.  Your best protection against losing reputation and customers is to have a robust plan in place, so that you know your reaction will impress.