CyberSecurity - The Introduction. Whether you sell online or not, it is very likely that you are using the internet to support your business - even if just through email, accessing the world wide web or publishing a basic website. Unfortunately, even at this minimal level, you are at risk. See: the short video explaining who might attack your organisation.
Indeed, a UK Government survey estimated that in 2018, 61% of large corporations and 31% of small businesses suffered a cyber breach. The average cost of a cyber-security breach is £22,700 for large businesses and £3,650 for small businesses. (The Association of British Insurers.) A further study by Hiscox showed a 15% rise in those figures in 2019. The results of a GOV.UK survey released in March 2020 confirms cyber security breaches are becoming more frequent. It found 46% of UK businesses and charities reported a cyber-attack during the year. Of those, 33% claimed they experienced a cyber breach in 2020 at least once a week – up from 22% in 2017.
The average mean cost of a cyber security breach for a small business in 2019 was £11,000. This figure includes costs such as ransom payments, hardware replacements and indirect factors such as business interruption.
Therefore, the risks you have to consider are real and the considerations for mitigating those risks are:
For a checklist of actions that you should consider\undertake see: The National Cyber Security Centre's (NCSC) Small Business Guide Actions.
You may also find it helpful to check out the NCSC's Small Business Guide: Cyber Security.
If you are dealing in any way online, it is very likely that you should be registered with the Information Commissioner's Office.
Why not carry out a quick online self-assessment to receive your CyberSecurity Guidance and Action Plan from IASME? (IASME is committed to helping businesses improve their cyber security, risk management and good governance through an effective and accessible range of certifications.)
See: Advanced CyberSecurity if you would like to consider advanced issues such as:
Finally, you should discuss CyberSecurity with your in-house IT team as well as your internet and website service providers. If you do not have a dedicated internal team to manage your CyberSecurity, we suggest that you read the National Cyber Security Centre's definition of Cyber Security.
If you feel that you would like advice from an independent consultant, then it is suggested that you see if the BSI's Cyber Security and Information Resilience Consultancy Service could help you.
Cyber Insurance covers the losses relating to damage to, or loss of information from, IT systems and networks.
If you feel that insurance cover is appropriate for your organisation, then you may consider the services provided by Hiscox Cyber insurance policies. You can review a non-binding quote in just 5 minutes. (For organisations that subscribe to one of CyberSmart's Pricing Plans, these will include a £25,000 insurance policy; terms apply.)
Any business, contractor or freelancer using the internet as part of their work could fall prey to cyber crime or face a data breach which insurance might help to resolve.
This means enterprises of all shapes and sizes could stand to benefit from cyber insurance. Nonetheless, certain professions may have a greater need than others.
Data Protection: - You must make sure that you comply with relevant recommendations and regulations. In particular, you must conform to The General Data Protection Regulation 2016/679 (GDPR).
The Information Commissioner's Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has published its data sharing code of practice, which provides clear guidance for organisations and businesses on how to share data lawfully. They have also produced new tools, such as a data sharing checklist and templates, to help you further.
The Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.
As at 1st January, 2020 there are three different tiers of fee and controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.
The tier you fall into depends on:
Not all controllers must pay a fee. Many can rely on an exemption.
Tier 1 – Micro Organisations
You have a maximum turnover of £632,000 for your financial year or no more than 10 members of staff. The fee for tier 1 is £40.
Tier 2 – Small and Medium Organisations
You have a maximum turnover of £36 million for your financial year or no more than 250 members of staff. The fee for tier 2 is £60.
Tier 3 – Large Organisations
If you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900. The ICO regards all controllers as eligible to pay a fee in tier 3 unless and until they tell the ICO otherwise.
LawBite's 7 minute video "How to comply with GDPR rules".
CyberSmart's GDPR White Paper.
Hardware Failure can happen at any time putting your data and software at risk of loss. It is therefore very important to have a back-up system in place. Detailed UK Government advice on backing up your data can be found on the National Security Council's website.
The key points to consider when back-up your data are:
Identity Fraud is one of the major risks when contracting online. There are steps you can take to reduce risk by checking the identity of the company and individual you are dealing with. Once you are sure of your partner's identity. You can also sign legally binding contracts via the internet.
There are 4 steps you should take here:
Whether in the digital or physical world, you should carry out the same level of due diligence regarding both sets of identity.
We have suggested using First Report with regard to credit standing – but you can start with:
Once you have confirmed the details of the company – and possibly also checked their entry in Kompass for further details – you can cross-check the identity of the person with whom you are dealing (are they a director)? (listed on the website?). Can they be reached via the company’s switchboard? Do they have a company email address?
eSignatures are now recognised under English Law. In fact, from a number of points of view, they are preferable to signatures written by hand. This greatly facilitates B2B eCommerce allowing for the electronic exchange of signed commercial documents.
LawBite's Document Management Platform provides not only a legal library, and a system for the management of electronic documents but also the facility to e-sign documents. Print or e-sign - You have the option to download, print or send your documents digitally to use e-signing.
See the video: Checking, e-Signing and filing.
N.B. An eSignature is not simply a scanned image of a handwritten signature pasted into a document.
Electronic signatures provide three quantifiable benefits:
Electronic agreements can be signed at a fraction of the time of paper-based agreements, especially when signatories are not in the same physical location.
Signing electronically also results in reduced paper usage and the environmental impact of physically transporting agreements between locations.
With proper identity verification methods and audited IT infrastructure, an electronic signature is much more secure than paper-based signings.
Considerations for Choosing your eSignature Solution
How should your eSignatures be delivered?
Many signing solutions rely on email-based delivery of an agreement without requiring any additional form of identity verification.
This, in many cases, is the typical replacement for paper-based signatures and is familiar for the users. Unfortunately, this gives no assurance of the signer’s identity.
SMS OTP is the process of sending a random code to a mobile number, and this code is input to show that it has been received. This proves that the user signing has access to the device, but does not provide verified identification.
Some countries, particularly in the Nordics and Benelux regions, have access to third-party electronic identities (such as BankID), as provided by their governments or banks. These eIDs can be used to sign electronic agreements.
Some signing solutions leverage ID document scanning (such as passport or driver’s license) or NFC reading of the document as a way to verify the signer’s identity.
Document Security & Future Proofing Agreements
When generating digital signatures, digital certificates are involved. A digital certificate has an expiry time, after which it is no longer valid. It may also be revoked at any time, and the certificate authority maintains lists of these revoked certificates.
Digital signatures are based on mathematical algorithms, which can be attacked by advances in mathematics, software, and hardware. The algorithms used for digital signatures 10 years ago are no longer secure, and it is simple to forge a document that looks like it was signed 10 years ago.
The above challenges are addressed by adding long-term-validation information into the document. This is done by a Qualified Trust Service Provider, which collects all the evidence and embeds this into the signed document. (See tScheme Members for UK TSPs or The EU Commission site for EU TSPs.)
Keep Your Mobile Devices Safe. It is of course important to keep your mobile devices safe. However, there is always the risk that they will be lost or stolen; in which case you will need procedures in place to track them and keep safe the data stored on them. Detailed UK Government advice on keeping your mobile safe can be found on the National Security Council's website.
The key points to consider when implementing mobile device protection policy are:
Malware puts everyone at risk. There are different types of malware - none of them are good all of them are being widely circulated. No matter how small your business you must have malware protection systems in place. Detailed UK Government advice on protection from malware can be found on the National Security Council's website.
The good news is that protection need not be expensive (indeed many services are free of charge - however, these will necessarily offer lower levels of protection than more expensive services).
The key points to consider when implementing your anti-malware protection are:
Password Protection is a key method of protecting access to your organisation's sensitive commercial data. (Detailed UK Government advice on keeping your data safe can be found on the National Security Council's website.) However, when using passwords you should consider the following:
Phishing attacks occur when an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure. These messages can be sent by any communication channel e.g. telephone, email, text, whatsapp, social media etc.). Detailed UK Government advice on keeping your data safe can be found on the National Security Council's website.
It should be emphasised that phishing attacks are becoming ever more sophisticated. However, the following should help you identify the most common phishing attacks:
Reporting CyberCrime helps everyone. If you suffer a CyberCrime or thwart an attempt at CyberCrime, it helps everybody if you report this to the competent authorities. In the UK, these are:
The Information Commissioner's Office (ICO) is responsible for enforcing the rules on spam texts. Incidents where data is compromised or stolen could breach GDPR, so these must be reported to the ICO within 72 hours to minimise possible penalties.
If you receive a suspicious email, text message, telephone call that claims to be from Royal Mail or discover a Royal Mail branded website which you think is fraudulent, please report it.
Website Security. Websites secured by a TLS/SSL certificate will display HTTPS and the small padlock icon in the browser address bar. TLS/SSL certificates are used to protect both the end users’ information while it’s in transfer, and to authenticate the website’s organisation identity to ensure users are interacting with legitimate website owners - and the address begins https:// rather than just http:// where the “s” stands for secure.
Invisible to the end-user, a process called the “TLS/SSL handshake” creates a protected connection between your web server and web browser nearly instantaneously every time you visit a website.
SSL/TLS Certificates need to be issued from a trusted Certificate Authority – you can find a list of SSL/TLS Certificate Service Providers on The ExportersAlmanac – Secure Certificate Providers.