New plans could mean tougher cybersecurity for SMEs The Government has published a new policy proposal outlining tough new security standards for the UK's digital supply chain. Written by Helena Young Published on 19 November 2021 Our experts We are a team of writers, experimenters and researchers providing you with the best advice with zero bias or partiality. Written and reviewed by: Helena Young Lead Writer Data management firms could be required to follow stricter cyber security rules as part of new proposals to help British businesses manage the growing cyber threat.The move follows a consultation by the Department for Digital, Culture, Media and Sport (DCMS) to enhance the security of digital supply chains and third party MSPs (Managed Service Providers), which are used by firms for things such as data processing and running software.One of the biggest changes the coronavirus pandemic brought to businesses was rapid digital adoption as sales, working, and learning all moved remotely as a response to lockdown. This increased threat for small firms means that now is the time to prioritise cybersecurity.So what would the change mean for your business? And how can you best protect yourself and your employees online? This article will cover: Why is it important for SMEs to think about cybersecurity? What are the proposed new rules? What would the impact be on small businesses? How can SMEs protect themselves online? When would the changes come into effect? Why is it important for SMEs to think about cybersecurity?Cybersecurity might seem like an issue only for tech or big corporations, which is why many SMEs often don’t bother to invest in simple measures to prevent an attack. Les Roberts is content manager at Bionic, a business services comparison website. Roberts said: “As a small business owner, you might feel you don’t have the time or resources to dedicate to cyber security. You might even think your business isn’t big enough for hackers to bother with, but [no company is] too small to be targeted. If your business handles any sensitive customer data – including names, addresses, or banking information – it’s at risk from cyber-attacks.” The Department of Digital, Culture, Media, and Sport’s 2021 report puts the average cost of a cyber attack at £8,460 – enough to wipe out most SMEs, and a steep rise from last year’s figure of £3,230. Mark Brown is founder of Psybersafe, a cyber security training platform for SMEs. Brown said: “The dangers for small businesses have also increased in the past 12 months with the advent of home working, where laptops and phones are more vulnerable and workers are more relaxed around security issues. Attacks are incredibly sophisticated, so it’s more important than ever that small businesses take cyber security seriously.” Jason Stirland is CTO at DeltaNet International, a cybersecurity training provider. Stirland said: “Having a robust cybersecurity strategy in place is critical for organisations of any size, but SMEs are particularly vulnerable as they don’t have access to the same skills and financial resources a large enterprise has. According to research by ENISA EU, 85% of SMEs agree that cybersecurity issues would have a detrimental impact on businesses, with 57% saying they would most likely go out of business.” What are the proposed new rules?The proposed policy paper has been put forward by the Department for Digital, Culture, Media and Sport (DCMS) following a Gov.uk survey which called for views on the government’s current cyber risk management support.The survey found 82% of respondents said developing new legislation could be an effective or a somewhat effective solution.One possible new policy put forward by DCMS is the National Cyber Security Centre’s Cyber Assessment Framework, which outlines strict new requirements that the majority of MSPs already use as a guideline. MSPs would be legally required to follow the framework advice, by introducing measures such as multi-factor authentication for accessing data.Other plans to protect the country’s digital supply chains include new procurement rules to ensure the public sector buys services from firms with good cyber security and plans for improved advice and guidance campaigns to help businesses manage security risks. Commenting on the proposal, Minister for Media, Data and Digital Infrastructure, Julia Lopez, said: “As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure. Today we are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses’ digital footprint and protect their sensitive data.” What would the impact be on small businesses?The main impact of the new legislation would be greater safety and security amongst your data supply chain. However, there are also likely to be teething problems amongst SMEs as the new security standards are implemented by customers and suppliers, including potential hazards like data losses, or short-term technology issues.We asked various IT experts and specialists how they thought the new legislation would affect UK SMEs.Many thought the proposed NSCS CAF guidance would be a good thing for small business owners: Simon Walsh is Senior Engineer at Trend Micro, a global cybersecurity leader. Walsh told us: “Absolutely. Expert guidance on building a business resilient to cyber-attacks is always welcome, especially to small businesses who may not always have their own experience or expertise in the field. The CAF principles cover a lot of bases too, everything from the basics of asset management and identity and access control to more advanced, current measures such as proactive security event discovery, something fundamental to detecting today’s advanced attacks.” However some were more hesitant about the proposal, citing IT expertise as a barrier for most small businesses to implement the necessary, more sophisticated cybersecurity measures: Debrup Ghosh is senior product manager at the Synopsys Software Integrity Group. Ghosh said: “The current CAF constitutes 39 individual assessments across a number of diverse cybersecurity domains and provides a strong baseline for risk management with a set of indicators of good practice (IGPs). However, small businesses are unlikely to have internal expertise. [Given] the current cybersecurity skill shortages, small businesses should lean on companies that have existing cybersecurity expertise to provide cybersecurity solutions and to provide expert consulting services to help understand the results, provide remediation guidance to help them do effective risk management, and drive an outcome-program security program.” How can SMEs protect themselves online?Consider upgrading softwareAnti-virus software is a must for companies. If you’re looking to upgrade, products with Anti Malware Scan Interface (AMSI) capabilities provide the most thorough service when it comes to restricting untrustworthy files.But if you’re working to a stricter budget, simpler technology controls can produce some cheap wins when reducing risk. Advanced email filters, for example, can help to find and block suspicious-looking files before attachments are downloaded.Outsourcing your protection can also be a simple and low-cost way to manage threats Rick Jones is CEO of DigitalXRAID, a cyber security provider. Jones said: “[Cybersecurity technologies] may seem like an extensive and intimidating list to small businesses who have smaller cyber budgets, which is why the smartest and simplest choice for SMEs is to outsource to the experts. Partnering with a managed security services provider can ease pressure on SME business leaders that ultimately need to focus on their own clients and business revenues rather than cyber security.” However, there are some considerations you need to make if you choose this route. Ryan Langley is CEO of Atech.cloud, a cloud-based solutions provider. Langley said: “We advise businesses to consider how your IT partner can support you across all technology requirements, not just break-fix. There are plenty of IT support companies who do just support, and fall short on security [as well as] plenty who understand that there is an opportunity to upsell security services as part of the package!” Educate your teamThe software company Tessian recently found that 47% of people working from home had clicked on a phishing email, meaning your employees could be a weak point in your security.Investing in a training provider will educate staff about healthy cybersecurity, and make them aware of the basic preventative methods such as setting safe passwords, recognising email scams, and updating computers at the end of the working day. Lee Wrall is Director at Everything Tech, an IT provider. Wrall said: “With effective security awareness training, a business can transform employees into a solid line of defence against cyber-attacks, by helping them identify, avoid and report sophisticated attacks. The training can simulate a cyber-attack and be created bespoke to a business so employees can understand what could happen and what to look out for when carrying out their day to day role.“Offering security awareness training to staff is quick to deploy, runs in bitesize segments and will reduce the likelihood of human-caused data breaches and create a strong culture to combat cyber-attacks on your business.” Make use of government resourcesThe government’s National Cyber Security Centre (NCSC) already offers a raft of cyber security support and advice on identifying business-wide risks and vulnerabilities – including the Cyber Assessment Framework – as well as specific Supply Chain Security and Supplier Assurance guidance.There is also advice on defending against ransomware attacks, while the Cyber Essentials scheme offers small and medium-sized firms a cost-effective way of getting basic measures in place to prevent the vast majority of cyber attacks.High-profile scams are also generally posted on the National Cyber Security Centre website.You should use this, and other government sites, to flag potential threats to your workforce and help them stay alert.Secure wireless networks Attackers often exploit weaknesses in the security of wireless networks. As more people work from home or flexible shared workspaces, companies are becoming vulnerable to network breaches.Basic precautions, such as regularly changing the default password of your router, can help to minimise this risk. Make sure your router’s built-in firewall is activated for another simple defence against cybercriminals.Attackers can also spy on network traffic to learn passwords or redirect users to a malicious website. Popular business VPNs like Perimeter 81 or NordVPN can be bought to help protect company data by providing a secure network and internet connection. Matt Fossen, US Communications Manager at ProtonVPN. Fossen said: “Hybrid work is clearly a welcomed arrival for a lot of workers, but it’s a challenge for privacy and cybersecurity. Any company that has no concerns about employees using public WiFi in cafes is putting a huge target on its back. CTOs should be encouraging remote workers to use VPN services by default, and shifting their organizations to encrypted drive providers that keep your data secure no matter what kind of network you’re on.” Data protection is an important consideration for SMEs. If you’re a small business owner, read our guide to the best and worst antivirus protection. When would the changes come into effect?The proposed new policy highlights the government’s support for developing a new or updated UK cyber strategy.However, it will likely be a while before the changes are implemented. The government will now work on developing a more detailed policy proposal, whilst carrying out a review of the current laws and measures which encourage firms to improve their cyber security.It will then launch a new national cyber strategy later this year, although any new legislation is unlikely to become law until 2023 at the earliest.For SMEs, now is the time to begin research into your current or future IT consultancy firm, to get ahead of the changes. Even if the legislation does not come into effect, now is still a good opportunity to ensure that your data management process, or provider, is fully compliant with the National Cyber Security Centre’s Cyber Assessment Framework. Want to know more about protecting your small business from cyber attacks? Read our comprehensive guide to staying safe online for SMEs. Share this post facebook twitter linkedin Written by: Helena Young Lead Writer Helena is Lead Writer at Startups. As resident people and premises expert, she's an authority on topics such as business energy, office and coworking spaces, and project management software. With a background in PR and marketing, Helena also manages the Startups 100 Index and is passionate about giving early-stage startups a platform to boost their brands. From interviewing Wetherspoon's boss Tim Martin to spotting data-led working from home trends, her insight has been featured by major trade publications including the ICAEW, and news outlets like the BBC, ITV News, Daily Express, and HuffPost UK.