
Effective Cyber Security for Small and Medium Business – Why a Structured Approach to Service is Paramount to Managing Risk

With cyber-attacks and data breaches hitting the news headlines seemingly daily, it cannot have escaped anyone’s notice that risk management around cybercrime is now a massive issue for all businesses. Small and medium-sized firms are now a primary target and a great many are falling victim to cyber crime.
I am therefore increasingly being asked by clients for advice on the best ways to manage the risk around Cyber Security, so I thought it would be useful to share some information on this important subject.
Cyber Security breaches are now a widespread issue, with the government’s Cyber Security Breaches Survey 2017 revealing that 52% of small firms and 66% of medium-sized firms had identified a Cyber Security breach or attack in the last 12 months.

The types of attacks experienced are diverse, ranging from fraudulent emails such as "phishing" attacks, where criminals attempt to obtain access to confidential information or passwords, through to "ransomware" attacks, such as the recent WannaCry attack on the NHS and many other organisations, where criminals hold your data to ransom by encrypting it and demanding money for its decryption. The motivation behind these attacks varies from quick money-making scams through to much more sophisticated espionage.

Protecting confidential client information is vital to any small and medium-sized business and as such, it is critical that Cyber Security is not treated as just an IT issue, but that there is ongoing Partner/Director involvement in establishing and maintaining an effective information risk management regime, which incorporates appropriate policies to match the firm's risk appetite.

And this is where a structured approach to IT management becomes critical. With many in-house IT Managers understandably being pulled from pillar to post delivering day-to-day support, it is easy to lose sight of the systemised approach and relentless attention to detail that is needed to manage the risk around Cyber Security. There is so much more to Cyber Security management than technology. Yes, a suite of technological solutions will be part of the solution (and these days that needs to be a lot more than some antivirus software and a firewall), but just as important are your firm’s processes and procedures surrounding Cyber Security. For example:

How promptly do security updates get applied to your servers and PCs?
How are they tested to ensure they won’t cause a problem with your systems?
What procedures do you have around leavers and removing their access, including remote access?
How do you separate and secure data that is held on personal devices, such as emails on smartphones?
What policies do you have to prevent data leakage from stolen mobile devices or copies of files made to portable media like USB sticks?
How do your staff know which emails are genuine and safe to open and, more importantly, which they shouldn’t open?
How do your processes and procedures ensure new starters or temporary resources are educated in cyber safety procedures?
How is your system backed up, and how long would it take to recover it in the event of something like a ransomware attack?
How often is the backup tested to ensure recovery would be successful?
How would your firm operate in the interim?
And in a worst-case scenario, how would you handle communication of a cyber attack in order to minimise the reputational damage?
To compound matters, Cyber Crime is a constantly changing landscape, with new threats emerging continuously and a constant need for accountancy firms to re-evaluate and update their risk management plans in order to remain one step ahead of cyber criminals.

In my experience, the key to successful risk management around Cyber Security is having a structured service management approach, at the heart of which is a Risk Register. This enables the decision makers to understand their Cyber Security and Data Protection risks in the context of their potential impact on the business and, in parallel, gives them access to a range of options for mitigating those risks.
Well-documented Service Management Policies and Procedures, and, all importantly, a culture of following those policies and procedures, are also paramount. Such policies will involve a multifaceted approach, incorporating user training to help people at all levels in the firm understand how to reduce the likelihood of attack, a suite of technological solutions to help guard against threats, day-to-day operating procedures that are rigorously adhered to, and contingency plans to fall back on should the worst happen. Such a structured approach to the management of IT systems not only addresses the challenges of Cyber Security but also brings with it the ability to successfully and safely harness technology to deliver real value to accountancy firms.

If you are concerned about your organisation's vulnerability to cyber threats, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk and I will be happy to arrange a no-obligation conference call to discuss ways that Connexion can help.

Rob Leverton

Rob worked as an IT technician and project manager with Connexion for 14 years before moving into his current role as head of the technical services team.

Although Rob comes from a technical background he’s very much a people person and he is exceptionally good at building excellent working relationships with our customers and his technical team to deliver service excellence to our clients.

James Stratton

James is passionate about technology and how it can transform business. Having worked with hundreds of businesses in many different sectors over the last 25 years, he has a huge amount of business IT knowledge that he enjoys imparting to Connexion's customers.

James is responsible for Connexion's strategic development and also still enjoys a role in consulting, sales and marketing.