Christian M. 10 min read

Essential business cybersecurity practices

The age of AI is now in full swing, bringing new and unthinkable cybersecurity threats to both digital and brick-and-mortar businesses of all sizes. From the local corner shop to the multi-national enterprise, everyone with an internet connection is increasingly exposed.

It’s never been more important for businesses to understand and implement robust cybersecurity measures to ensure your company’s finances, data and reputation are not irreversibly damaged.

This article delves into the essentials of business cybersecurity, providing key insights and practical strategies to help safeguard your business against the under-rated cybersecurity threats that are changing the business world.

💡 Key takeaways:

  • Cyber Essentials: The government-backed Cyber Essentials Certification ensures your business gets cornerstone cybersecurity.
  • Key practices: Simple and effective practices include strong passwords, multi-factor authentification and staff training.
  • Main threats: The most popular attack vectors include ransomware, DOS attacks, phishing and credentials stuffing.

What is business cybersecurity?

As the name suggests, cybersecurity is the protection of your business’s digital assets from malicious access or attacks. This includes protecting your computer systems, networks, devices, and data.

It involves a range of techniques, technologies, and processes designed to safeguard the confidentiality, integrity, and availability of information and IT infrastructure.

Unfortunately, it is not as simple as installing the latest Norton anti-virus, locking the door to your servers and using long passwords with odd characters that are hard to find on your keyboard.


Business cybersecurity regulation and compliance

Businesses in the UK have a legal duty of care over their cybersecurity and data. This responsibility is detailed in regulations and is essential not only for protecting against cyber threats but also for avoiding potential legal penalties. Here are some key regulations and their implications for different UK sectors:

Data Protection Act 2018 (DPA 2018)

The DPA 2018 is the UK’s implementation of the EU’s General Data Protection Regulation (GDPR). It sets out the framework for data protection in the UK, including principles, rights, and obligations for businesses.

Compliance with the DPA 2018 is essential for UK businesses to ensure lawful and secure handling of personal data, including obtaining explicit consent, ensuring data security, and reporting data breaches within 72 hours.

Network and Information Systems Regulations 2018 (NIS 2018)

The NIS Regulations are designed to improve the security of network and information systems that are critical for the provision of essential services such as energy, transport, healthcare, and digital infrastructure.

Businesses that are identified as Operators of Essential Services (OES) or Digital Service Providers (DSPs) must comply with the NIS Regulations by taking appropriate security measures and reporting significant cyber incidents.

Industry-specific regulations

Depending on the industry, businesses may also need to comply with additional regulations that have cybersecurity implications. For example, financial services firms are regulated by the Financial Conduct Authority (FCA) and must adhere to specific cybersecurity guidelines.

💡 Cyber Essentials: Although not a legal requirement, the UK government now offers a Cyber Essentials Scheme to support regular businesses in protecting themselves against common online threats. It may be a requirement for bidding on government contracts.


Essential business cybersecurity practices you must implement

While larger businesses have dedicated IT departments that procure security measures and comply diligently with regulations, most smaller businesses are largely left to their own devices when it comes to their cybersecurity.

In the UK, these businesses can sign up for the government-supported Cyber Essentials Certification to ensure that fundamental best practices are put in place.

Besides this, at Business Broadband Hub, we have compiled the easiest and most effective ways of protecting your business from cybersecurity threats:

Cybersecurity training and audits

Training

Regularly training staff on the basics of cybersecurity threats and prevention will keep businesses safe from not only attackers but also themselves and their own personal data and accounts.

Teaching about cybersecurity in schools and universities is limited, so many people remain unaware of cybersecurity dangers, especially in this digital era. Both regular people and businesses lose money, have their identities or credentials stolen or experience a loss of reputation due to cybersecurity breaches.

Phishing emails can easily be opened by unaware staff members and can lead to significant data breaches.

Audits

The purpose of regular audits is to ensure that your business is consistently up-to-date with cybersecurity developments and remains eligible for cybersecurity insurance.

We include this together with training because it is also a great way for those responsible for cyber safety (those who will train the rest of the company) to remain current in this rapidly evolving sector. Remember that developments in AI, deepfakes and other technologies are bringing unprecedented cybersecurity challenges.

Strong passwords and Multi-Factor Authentication (MFA)

Passwords

Having strong passwords is essential in preventing credential stuffing. This means having passwords unrelated to those used in personal accounts, as well as being over 12 characters long and composed of upper and lowercase, as well as special characters.

An alternative to this is using a Password Manager that creates extremely robust, dynamically changing passwords for your essential accounts such as Google, apply or enterprise social media like X and Instagram.

💡 The dawn of passwords: Passwords are becoming increasingly obsolete with the rise of Biometric and Multi-Factor authentication. This is welcomed by many who deplore the impracticality of having to remember, record and constantly change multiple passwords.

Multi-Factor Authentification

Multi-factor authentication (also known as two-factor authentication, 2FA) is one of the most effective ways of protecting your business accounts from phishing, ransomware, or data breaches.

It adds an extra layer of security by requiring multiple forms of authentication for access to a device or account. This means that even if a user’s login and password are compromised, malicious attackers still require another credential.

This authentication may come in the form of biometrics (digital fingerprint or eye scan), SMS message, e-mail or authentication code(s).

While e-mail and SMS have traditionally been used, biometrics and authentication codes are considered much safer as they would require the malicious actor to physically trick the user into providing biometrics or these codes.

For example, say a member of staff accidentally gives away their Google credentials through phishing. Even if the attacker wants to log in to the account, it will need to pass through an unrelated security hurdle, making it extra difficult.

Software updates, backups, antiviruses, firewalls and WiFi

These are bundled together as they are considered the core cybersecurity tasks of any IT department to buff the safety of its business’s software, hardware and network infrastructure.

Updates

Regularly updating all software, including operating systems and applications, is a great way to patch security vulnerabilities and prevent zero-day attacks. Sometimes, some platforms will release emergency patches in response to recently discovered vectors, so there needs to be some proactiveness.

Backups

Regular data backups are essential for recovery after an incident and can be critical protection against ransomware. Backups tend to be securely hosted by encrypted cloud storage providers, although ‘cold’ offline storage in hard drives can, in some cases, be safer. In any case, all backups tend to be automated for ease.

Antivirus

Antiviruses are your device’s protection from any malware that has filtered through. While most operating systems come with a built-in antivirus, it’s important to set them up to update regularly and do scans for any obvious malware that may have infected a device through a phishing e-mail or download.

Firewalls

A firewall is like your business’s network checkpoint, checking incoming and outgoing traffic for malicious traffic like viruses, DDOS or hackers. It establishes a barrier between your internal network and external sources (such as the internet).

While infrastructure providers like Cloudflare, business broadband routers, and modems come with their own firewalls, some businesses may add custom ones for additional security.

WiFi

WiFi networks are typically targetted as entry points to a business’s network, as these have been historical points of weakness. Ensure that your business’s Wi-Fi network is secure, encrypted, and hidden, using strong encryption protocols such as WPA3 and the use of guest networks.

Local and remote access control

Access controls become complex and troublesome in larger organisations but also tend to be more difficult to break. Smaller businesses can easily implement access controls but often don’t have the knowledge or capacity to do this in the absence of a dedicated IT department.

Local access

Access control is akin to controlling who has the digital keys to what is within a business. You may have seen this before in the form of needing ‘admin rights’ to change specific settings, which is key to preventing any malicious actors from accessing core data and infrastructure that can lead to system-wide exposure.

Access control includes user authentication based on roles, permission management, restricting physical access to key infrastructure like servers and device storage (think of movies like Mission Impossible), and setting up separate guest networks to ensure that third parties cannot gain easy access.

Remote access

Similarly, remote access control refers to managing connections from outside the local network, like staff working remotely, and presents its own set of challenges.

Most businesses require remote workers to log into the business’s local network using a VPN to keep the data encrypted in transit. Your sensitive data, such as messages, logins and passwords, will leave your device encrypted, and only your business will have the ‘translation keys’ to read them!

This provides protection from malicious actors on public WiFi or other local networks you may be logging in from, who may have an interest in stealing this for nefarious reasons.

Incident Response Plans (IRPs)

IRPs are key for identifying, containing, and mitigating the impact of security incidents, thereby minimising damage and ensuring a swift recovery. They are akin to the response plans of any medical, defence, or firefighter unit.

For example, if your administrator receives alerts about unauthorised access to a key employee account, an IRP provides clear steps to promptly change passwords and secure your systems before the breach escalates.

Also, timely reporting is not only essential for managing the situation but also a requirement for validating cybersecurity insurance claims, which are a key buffer when the attack leads to a financial loss or requires extra work.

An IRP should be tailored to different types of incidents, such as data breaches, ransomware attacks, or insider threats. It should outline specific actions for detection, containment, eradication, and recovery, ensuring a coordinated response across your business.

If your business gets certified under the Cyber Essentials scheme, you will be encouraged to develop an IRP for typical incidents under their guidance.

💡 Cyber Incident Response (CIR): This government scheme provides access to a list of NCSC-certified incident response companies that have demonstrated their expertise in handling sophisticated cyber attacks. See the CIR page here.

Other

There are always additional measures that your business can implement to boost security. For example, some businesses may opt for additional network security measures like IDS (Intrusion Detection System) and IPS (Intrusion Prevention System), which are more challenging and costly yet useful against sophisticated attackers.

We could go on and on and on and include extreme measures such as avoiding wireless technologies like mobile business broadband or satellite business broadband or even housing any fibre optic connections like full fibre business broadband or cable broadband in concrete containers to reduce the risk of anyone tampering with physical connections, including any leased line broadband cables.

💡Business broadband providersAs your traffic is ultimately handled by your broadband company, it is important to choose amongst those that match your business’s security profile. Compare business broadband deals and get the cheapest and most secure connection possible.


Business cybersecurity threats

Understanding how and why malicious attackers target businesses is key to understanding why it’s so important to implement essential cybersecurity measures at the very least.

While we cover these in detail in our long-form cybersecurity and data loss threats article, here is a short summary of the main threats:

  • Malware: Various forms of malicious software, including viruses, worms, and trojans that infect systems, steal data, etc.
  • Ransomware: A specific type of malware that encrypts a business’s files and demands a ransom payment for their release.
  • Phishing: The use of fraudulent communications to trick employees into revealing passwords, sensitive details or download malware.
  • Denial of Service (DoS/DDoS): Overwhelming a business’s network or website by spamming it with unnecessary traffic, rendering it unavailable to users.
  • Zero-Day Exploits: When previously unknown vulnerabilities in software or hardware are exploited before they can be patched.
  • Credential Stuffing: When publically available stolen usernames and passwords are used to gain unauthorized access to your business network.
  • Supply chain attacks: Supply chain attacks, also known as third-party or value-chain attacks, occur when attackers infiltrate a system through an outside partner or provider with access to the systems and data of the target organisation.

Remember that these attack methods do not necessarily have to come from outside your organisation and its partners. It is also possible to have malicious attacks from insiders like contractors, business partners and even employees with malicious intentions!


Cyber attack implications for businesses

The implications of a successful cyber attack can range from a minor inconvenience to full-fledged business closure due to reputational and financial loss or even a lawsuit.

Here’s a short summary of the potential consequences:

Financial loss: Cyber incidents can result in direct financial losses due to theft of funds, disruption of business operations, costs of remediation, legal fees, and potential fines for regulatory non-compliance. There are also long-term security costs resulting from the need to improve cybersecurity, including upgrading technology, enhancing monitoring, and providing ongoing employee training.

Reputational damage: A cyber attack can significantly harm a company’s reputation, leading to a loss of customer trust and confidence, which can be challenging to rebuild. This can also include losing a competitive advantage and the erosion of partner relationships, especially when this also results in a breach of their data.

Legal and regulatory consequences: UK businesses are subject to data protection laws. Failure to protect data or report breaches in a timely manner can result in hefty fines and legal action.

Operational disruption: Cyber incidents can disrupt business operations, leading to downtime, loss of productivity, and potential loss of critical data or intellectual property.

Increased insurance premiums: Following a cyber incident, businesses may face increased premiums for cyber insurance or might find it more difficult to obtain comprehensive coverage.


Cyber Essential Certification

The UK’s National Cyber Security Centre (NCSC) offers a government-backed certification system to help businesses:

  • protect themselves against common cyber threats,
  • demonstrate the implementation of essential cybersecurity measures to protect their own and customer data,
  • meet contractual requirements for certain government and private sector contracts,
  • qualify for cyber liability insurance.

The scheme has been on offer since 2014 in recognition of the growing cybersecurity threat and lack of awareness and preparation by UK businesses. There are two certification tiers:

  • Cyber Essentials: The basic level of certification that demonstrates the implementation of the essential cybersecurity controls.
  • Cyber Essentials Plus: The higher level of certification that involves a more rigorous assessment, including a technical cybersecurity audit of systems to verify that the controls are in place and effective.

How does my business get certified?

Businesses can achieve certification by completing a self-assessment questionnaire, which is then verified by the IASME consortium (an external certifying body) to ensure the necessary measures have been implemented.

How much does it cost?

The costs vary depending on your business size and complexity.

In general, the cost for the basic Cyber Essentials certification ranges from around £300 to £500, while the more comprehensive Cyber Essentials Plus certification can cost from £1,000 to several thousand pounds.

How can my business qualify for cyber liability insurance?

To qualify for the insurance, businesses need to :

  • Be registered and operate in the UK.
  • Have an annual turnover of less than £20 million.
  • Certify their entire business for Cyber Essentials (not just a part of it).

The Cyber Essentials insurance is intended to provide financial protection in case of cybersecurity incidents, such as data breaches or ransomware attacks, under certain terms and conditions.

Cyber Essentials Certification renewal

The certificate requires yearly renewal to ensure that your business is up-to-date with the latest cybersecurity measures. The renewal process involves re-assessment, re-submission, and payment of renewal fees.

💡 Effective reduction: According to official surveys, certified businesses are less likely to experience a cyber breach. The certification helps organisations prevent up to 80% of common cyber attacks and reduce their insurance premiums.


Business cybersecurity essentials – FAQs

Our business broadband experts answer commonly asked questions on business cybersecurity in the UK.

Can a business be fully protected from cyber-attacks?

Cybersecurity is akin to the security of your own home, your car or your bicycle in the sense that it’s impossible to guarantee you will never be breached. Even if you have an alarm system and state-of-the-art locks, there is still a way of stealing it. However, the more deterrents in place, the less likely it is that this will happen, to the point where you can decrease your risk to nearly 0%.

Covering the essentials, like having recurrent staff training and multi-factor authentication, deters most unsophisticated cybercriminals who look for easy targets. Otherwise, having cybersecurity insurance can cover you in case of a more sophisticated breach.

 

 

Talk to a Cyber Security Specialist

Related