For many small businesses one of the biggest challenges is simply knowing where to start. This is a problem (overworked) founders will know all too well. With so many competing priorities it can be hard to know what to focus on next, and this means that certain tasks can fall to the wayside.
Unfortunately, cyber security is often one of the things that gets sidelined. According to the latest Cyber Security Breaches Survey, published in April 2019, only 78% of micro and small businesses said that cyber security was a high priority. While on first glance that might seem like a healthy figure, it is significantly lower than for medium (92%) and large firms (95%). Furthermore, while small businesses might be saying cyber security is a priority, this does not seem to be translating into concrete action, with only 32% having formal cyber security policies, compared with 71% for medium and 74% for large firms.
One of the possible explanations for this gap between perceived importance and action is that organisations feel, as the survey notes, that “there is still a lack of clarity on what they should ideally be doing”1. Quantitively, around three in ten businesses (32%) and charities (30%) surveyed reported that they are not sure how to act on the advice they have seen or heard around cyber security.
To do our part to help remedy this issue we are publishing a series of blogs to introduce small businesses to some of the key organisations and concepts relevant to cyber security and data protection in the UK. In the future we’ll cover the Information Commissioner’s Office and Cyber Essentials, but the focus of this article is the National Cyber Security Centre (NCSC).
What is the NCSC?
The NCSC is the government organisation that provides advice and support for the public and private sector in how to avoid (and respond to) cyber security threats.
It is a recent addition to the UK’s cyber security landscape, though several of its preceding agencies are much older. It was first announced in November 2015 by the then Chancellor of the Exchequer, George Osborne, in a speech at GCHQ (the NCSC’s parent agency). It became operational a year later in October 2016.
According to Robert Hannigan, former Director of GCHQ (2014-2017), there were two animating ideas behind the formation of the NCSC. First was the need for a centralised point of authority on cyber security for both government and industry. Prior to the NCSC’s formation, senior officials “instinctively felt that there were far too many parts of government jostling for space in cyber”. One of the most vocal critics of this disjointed approach was the Governor of the Bank of England, Mark Carney, who complained that there were “too many sources of advice from government and too much confusion for industry”2.
Second was a realisation that the government’s approach, encouraging the private sector and individuals to get better with regards to cyber security, though it had achieved a significant improvement, had hit a plateau. Security officials at GCHQ and in the wider Civil Service were acutely aware that “(t)here was a limit to how far businesses would or could progress” and that “a security model that presupposed everyone would do the right thing was bound to fail”3.
Adding urgency to this project was the fundamental role the internet has come to play in all our lives. In his speech, Osborne remarked that while “(t)he internet has made us richer, freer, connected and informed in ways its founders could not have dreamt of. It has also become a vector of attack, espionage, crime and harm”4.
Talk of “attack vectors” and “espionage” may seem to have little relevance to your average small business, but Osborne was explicit in his belief that cyber security is the responsibility of all, from central government to individual citizens; “(t)he starting point must be that every British company is a target…cybercrime is not something that happens to other people”5.
Indeed, the all-pervasive nature of the threat Osborne was referring too had been highlighted by the government’s own research earlier that year. In the 2015 Information Security Breaches Survey, 90% of large organisations and 74% of small businesses reported they had suffered a security breach, with the average cost of such sitting at an eyewatering £1.46m-£3.14m for large organisations and £75k-£311k for small businesses6.
It was in response to figures such as these that the NCSC was established. It can be thought of as an attempt, if not to solve, then at least to mitigate the fundamental problem at the heart of cyber security – chiefly, the asymmetry between attack and defense. By unifying several existing agencies, and with a clear mandate to support industry, the NCSC is set up to tip the scales back in favour of defence by providing businesses with world leading advice to help them safeguard themselves against current (and future) cyber security threats.
What does the National Cyber Security Centre do?
The NCSC has a broad range of responsibilities, with a split in its work between public sector focused activities like helping to defend certain government networks and those designed to help industry. It also sits in a larger cyber security eco-system, working alongside GCHQ, the Ministry of Defence and law enforcement agencies like the Metropolitan Police, as illustrated in Figure 1.
For businesses, charities and other non-governmental organisations, the majority of the NCSC’s work is concerned with providing relevant information and support to help them improve their cyber security (though they continue to have an operational role with responsibility for investigating certain cyber security incidents).
This outreach takes a variety of forms. Perhaps best known are the various guides and the NCSC infographics. They update and amend these regularly, along with publishing on new topics, and the issues covered range from introductory explanations of common cyber security terms through to detailed cloud security guidance.
In a similar vein, the NCSC also handles cyber security accreditations and drafts and enforces cyber security standards. The former includes certifying training providers and university degrees. On the latter topic, their flagship scheme is Cyber Essentials, a set of basic security controls to help prevent the most common cyber-attacks. Organisations can be formally assessed and certified against Cyber Essentials to demonstrate the maturity of their cybersecurity programme (for more information on this topic please see our Introduction to Cyber Essentials blog).
Why is the NCSC relevant to SMEs?
SMEs face a number of unique cyber security challenges. As mentioned at the above, in many small and medium businesses there are often time constraints and more pressing operational concerns can take priority over cyber security. But there are other issues too, with the lack of cyber security expertise being, arguably, the most pressing of them all.
Indeed, the situation in the UK is now so serious that it is attracting government attention. In July 2018, the Parliament’s Joint Committee on the National Security Strategy published a report highlighting the problem. A summary to the report, noted that “there is not currently the cyber security skills base to match [demand], with both the Government and private sector affected by the shortage in skills”8.
Thankfully, the NCSC is alive to this problem and produces guidance specifically for SMEs. Their Small and Medium Business Series is written with an understanding of many of the struggles SMEs face, and is focused on simple, practical steps that can be undertaken by those with limited budget or experience. The aim is not to make SMEs invulnerable, but to reduce their exposure to some of the most common cyber threats. They achieve this by offering a clear pathway that starts with an introduction to key terms and ends with Cyber Essentials certification.
This guidance is what we believe makes the NCSC so relevant to SMEs. By providing businesses with information they do not have access to in-house, the NCSC is helping to redress some of the imbalance that Osborne mentioned in his speech back in November 2015. While there is still work to be done towards making us all safer, Hannigan believes the NSCS represents a successful first step, having established itself in a little under three years as “a leading authority, giving a single source of coherent advice and defining ‘what good looks like’ in a large number of areas”9.
Learn more about Cyber Security & Compliance here!
1 Department for Digital, Culture, Media and Sport, Cyber Security Breaches Survey 2019: Statistical Release, p.18 2 Organising a Government for Cyber: The Creation of the UK’s National Cyber Security Centre, Robert Hannigan, RUSI, (2019) p.13 3 Ibid 4 See: https://www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security 5 Ibid 6 2015 Information Security Breaches Survey, p.6 7 Organising a Government for Cyber: The Creation of the UK’s National Cyber Security Centre, Robert Hannigan, RUSI, (2019), p.18 8https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/706/70603.htm#_idTextAnchor000 9 Organising a Government for Cyber: The Creation of the UK’s National Cyber Security Centre, Robert Hannigan, RUSI, (2019), p.21