Making security advice usable

With increasing numbers of millennials turning to self-employment, what impact might this have on SME cyber security?

Technology is always political…

…and cyber security is no exception. But when we’re buried by discussions about cyber war and international arguments about the misuse of data, how do we work out what it means for small businesses?

It means nothing… and everything.

The reason that large-scale cyber attacks are successful is usually down to a really small technological flaw… in a vast number of machines. We’re so reliant on technology that critical national infrastructure (power stations, water, gas, communications etc.) is one of the biggest recipients of government cyber security support and advice. It’s a strategic target: if those services weren’t available it would cause mass disruption.

The thing is, we’re now all so connected that it’s possible for hackers to cause widespread disruption without needing to hit the strategic targets. They can make a large number of us fairly miserable without needing to disrupt our electricity, water or broadband. They can create economic disruption without touching central government or the FTSE 100.

It’s because of this that NCSC, DCMS and the police, among others, are working quite hard to make us all more cyber aware. Cyber security is about making everybody less vulnerable in every role they have in life.

What do they suggest for small organisations? The Cyber Essentials Standard. It’s a list of the most basic things small organisations should be doing to stay secure, and it’s a minimum requirement for organisations bidding for some types of government funding.

It asks businesses to do 5 things:

  • Add a firewall to your devices and/or the network you use

  • Choose secure configurations for the devices and software you have

  • Control who has access to your data and services

  • Protect yourself from malware

  • Allow all the devices and software you use to install updates
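Two of those five controls can be sanity-checked on a laptop in a few lines. The script below is an added example for this post, not NCSC’s or an accreditation body’s tooling: it assumes a Debian/Ubuntu machine where the host firewall is `ufw` and automatic patching is driven by the `unattended-upgrades` package (its switch lives in `/etc/apt/apt.conf.d/20auto-upgrades`). The checks take the command output as text, so the constructed samples at the bottom stand in for a live machine.

```shell
#!/bin/sh
# Added example (not from the article or NCSC): a quick self-check of two
# Cyber Essentials controls on a Debian/Ubuntu laptop - host firewall active
# and automatic updates enabled. Each check takes the relevant command or
# config output as text, so it works on captured samples as well as live.

# Control 1 (boundary firewall): succeeds if `ufw status` reports active.
firewall_active() {
  # $1 = output of `ufw status`
  printf '%s\n' "$1" | grep -q '^Status: active'
}

# Control 5 (patching): succeeds if the APT periodic config turns on
# unattended upgrades; this is the key the unattended-upgrades package uses.
auto_updates_enabled() {
  # $1 = contents of /etc/apt/apt.conf.d/20auto-upgrades
  printf '%s\n' "$1" | grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";'
}

# Prints one line per control and a final pass/fail verdict.
ce_device_verdict() {
  fw="$1"; up="$2"
  result="pass"
  if firewall_active "$fw"; then
    echo "firewall: active"
  else
    echo "firewall: INACTIVE"; result="fail"
  fi
  if auto_updates_enabled "$up"; then
    echo "auto-updates: enabled"
  else
    echo "auto-updates: DISABLED"; result="fail"
  fi
  echo "$result"
}

# Constructed samples standing in for live output (these are made up,
# not captured from a real machine).
SAMPLE_UFW_OFF='Status: inactive'
SAMPLE_UFW_ON='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24'
SAMPLE_APT_ON='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
SAMPLE_APT_OFF='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

# Live use on the host itself (needs ufw and apt installed):
#   ce_device_verdict "$(ufw status 2>/dev/null)" \
#                     "$(cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null)"
```

Running it against the samples gives `pass` only when both the firewall is active and unattended upgrades are switched on; the remaining three controls (secure configuration, access control, malware protection) depend on what the business actually runs and are not something a grep can decide for you.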

This is where cyber security inadvertently becomes even more political. Why? Because the technology we use is so much about culture and circumstance.

Alongside the news about cyber security there’s a long-running conversation about the way our lives are changing… and the cyber security advice hasn’t caught up with millennials yet. It’s possibly an unforeseen consequence of the imbalanced demographics in cyber security, where most of the people I network with are men who are quite a bit older than me.

The problem with this isn’t that government has failed to secure our avocado toast – there’s advice on what extra things we should do if we’re using free café WiFi to work (it’s worth following, because there’s all sorts of badness in free networks… you just need a firewall on your phone or laptop and to do a little bit of configuration). The advice on the NCSC website is pretty user friendly, but actually gaining accreditation is harder… and it’s not just about time, there are hidden costs.

Where are our boundaries?

Device firewalls are easy. However, talking to the accreditation bodies, this isn't a perfect solution. What they’re ideally looking for is a firewall in the networks we use, creating a boundary between your business and the Internet. This isn’t just at the office: if the business is run from a home or allows home-working then there should be a boundary there too. It’s still not that onerous, but it does assume that you have one household under each roof.

The number of new businesses is rising at the same time as the proportion of working-age people living in shared rented accommodation (often with people they don’t know). Extremely high business rates are also pushing greater numbers of businesses into home-working or shared innovation spaces.

Adding security might not cost much. Living and working in a space where the broadband router is mine to secure? In Oxford that would cost me about £12,000 extra per year. Over the past 5 years I’ve been spending a staggering 50-60% of my income on rent, so for many this hidden cost is unaffordable.

Controlling access can also be an issue.

It’s fairly easy to stop employees from accessing things that they shouldn’t and to spend an afternoon checking that nobody has too much power… even business owners can click on the wrong thing after all!

The problem is the GDPR and the number of free services we use where the service provider doesn’t think our data should be private from them. These services probably have more security than the business can manage alone, but if the supplier puts conditions on our ability to control access, then being secure comes at a cost.

Finally, those pesky updates.

People who start businesses don’t start with big budgets. In fact, with the growth of the gig economy I suspect that there’s a relatively large proportion of new business owners who will barely be scraping minimum wage.

But updates are free?

Only if you have a phone, tablet or PC whose operating system is still being supported by its manufacturer.

Often, needing updates means replacing a perfectly functional device with a new one. When you do, manufacturers typically only offer a couple of years of updates, counted from the date they released the phone. That excludes you from cheap contracts with older models (the contract is often longer than the time you’ll get updates for), and manufacturers are bad about providing information on anything other than their flagship phones.

Doing something free might cost you upwards of £600 up-front, or £300 per year.

So the advice we give is political too. It’s not easy for everybody to achieve and there are some significant hidden costs before we even think about the cost of people’s time.

Does this mean we should all give up? Nope!

Everything you do will reduce a bit of your risk. Some things are free. Some things are easy to do. You’re not expected to be perfect from day one. Better is better than nothing.