Exclusive: The new kid on the cyber block

June 21, 2021

Michelle Kradolfer, Cyber Development Officer at the Police Digital Security Centre, discusses the new Digitally Aware assessment scheme.

Monday morning. You’ve just logged onto your work computer and that pesky little pop-up notification ‘Software Update Available’ has just appeared again – annoyed, you click on ‘Remind Me Tomorrow’. While sipping away on your morning coffee, you suddenly receive an urgent email from your materials supplier asking you to review the order you recently placed by clicking on the attached document. Sensing the urgency from your supplier and without thinking twice, you click and download it.

Here’s the bad news. That was a phishing email disguising itself as your supplier and now you’ve just unknowingly infected your device with malware. Unfortunately, it gets worse – that malware is quietly spreading across the whole network system and onto any devices it can access, while trying to steal your organisation’s sensitive business and financial information. Rough Monday morning indeed.

While that is a scenario I made up on the spot, the reality is that organisations across the UK have been targeted in an eerily similar fashion and have fallen victim to a cyber crime. According to Hiscox’s report, 65,000 cybersecurity attacks are made on UK SMEs daily, of which 4,500 are successful. Thanks to the current COVID-19 pandemic, cyber crime has increased by 600% and according to the DCMS’s Cyber Security Breaches Survey of 2021, 38% of all SMEs have experienced cyber attacks in the last 12 months and around 27% were attacked at least once a week, of which 82% are phishing attacks.

These are worrying figures which the government acknowledge. At the May 2021 CYBERUK conference, Home Secretary Priti Patel stated that “the scale of this type of criminality is truly shocking”, adding that “the threats facing the UK in the cyberspace – to our citizens, our businesses, academia and to the government – are real and significant” and “the threats we face are significant and evolving”. She highlighted that cyber criminals are increasingly focusing on companies and organisations, taking the time to research their target so they can maximise their chances of releasing higher sums of money through extortion.

Most organisations underestimate the value of the data they hold. Details about customers, contracts and even intellectual property such as designs or business plans have a value to cyber criminals who sell this information online to other criminals – so what can you do to reduce the chances of becoming a victim of these cyber criminals?

Reducing the risk

The good news is that you can significantly reduce your organisation’s risk of a cyber breach by implementing simple and easy changes within your organisation, such as introducing a strong password policy or training staff how to spot phishing emails. However, in order to understand what cybersecurity measures you need, you have to first identify what your organisation’s cyber risk profile looks like and where your vulnerabilities lie within your network system. So you’ll need to ask yourself questions like: how many devices does your business have? Do you and your staff use two-factor authentication on all devices? What type of data do you store within your network system and do you back those files up on a physical server or cloud storage? It’s essential for any business to understand its cyber risk profile, but it can be overwhelming to figure out where to start and how to go about it.

Well, look no further, because this is exactly what the Police Digital Security Centre’s Digitally Aware assessment scheme will do for you. To help businesses start their cybersecurity journey, Police DSC have developed a simple online assessment tool which will help businesses test their resilience to the most common types of cyber crime and will help identify their cyber risk profile. Based on the National Cyber Security Centre’s Small Business Guide and developed in collaboration with BSI (the British Standards Institution), our new Digitally Aware scheme recognises those businesses who have made the first step towards better cybersecurity. Upon completion of the assessment, you will receive a set of recommendations based on your answers, which are in accordance with the latest Government and police guidance, to help you improve your cybersecurity posture. Successful applicants receive a certificate that is valid for 12 months to show to their customers, staff and stakeholders that they take their cybersecurity seriously.

This assessment scheme was designed to show SMEs how simple it is to implement these measures and how important it is to review them on a regular basis to reduce their risk of a cyber breach. If you had undertaken the Digitally Aware assessment and looked back at the scenario I presented earlier, you would have noticed several ways this breach could have been avoided and how the recommendations we provide would have secured your organisation in that instance. You would understand the importance of training your staff on how to spot a phishing email and that by hovering over the email address you would recognise that it was not your actual supplier emailing you. Equally, using strong passwords (e.g. a passphrase of three random words) on all your devices and accounts could have prevented a cyber criminal from accessing your files.

Time to invest

Investing in cybersecurity has never been more important and whilst businesses believe that they are protected against cyber threats, only two thirds of businesses who have undertaken our Digitally Aware assessment have passed it. This means that a third of organisations are not equipped with adequate cybersecurity measures, leaving them vulnerable to cyber crime and fraud. Additionally, based on the data collected, we were able to highlight some of the gaps that SMEs have in relation to their cybersecurity posture. We found that only 52% of organisations have given staff cybersecurity training in the last 12 months and 55% of organisations that failed the assessment on their first attempt did not enable two-factor authentication on their devices. However, using the resources from our Digitally Aware platform can help you understand your cyber risk profile, ensure business continuity, improve your response time and reduce loss or damage in case of a cyber breach.

Digitally Aware is all about ensuring that an organisation builds a strong cybersecurity foundation from within and encourages good cyber practices throughout the business. For some SMEs, this certificate will be a stepping stone in their cybersecurity journey, which will lead them to go on to achieve higher levels of cyber certification, such as Cyber Essentials and Cyber Essentials Plus, ISO27001 and Digitally Resilient. Ultimately, our goal is to ensure that no business is left behind and everyone, no matter the size or sector they are in, can participate in improving their cybersecurity posture and become more resilient.

So while Digitally Aware might be the new kid on the cyber block, what sets us apart is that we help SMEs build a strong foundation and encourage them to start their cybersecurity journey. We want to shift the idea that practising good cybersecurity is difficult, expensive or should only be done by the IT department. If everyone within the organisation, from the CEO down to the intern, plays their part, you will reduce your risk of becoming a victim of a cyber breach in the future.

The Police Digital Security Centre is a not-for-profit organisation, owned by the police, which works across the UK in partnership with industry, government, academia and law enforcement with the aim of reducing the vulnerability of organisations to cyber crime and fraud.

This article was originally published in the June edition of Security Journal UK.
