© Andrew Beale (2017), all rights reserved

About the Author
Andrew Beale OBE

Her Majesty Queen Elizabeth II has awarded Andrew with an OBE for his "services to intellectual property and business".

Previously a Consultant to the United Nation's World Intellectual Property Organization (Geneva), Andrew is an Associate Professor in Intellectual Property Law and the Director of IP Wales, an award winning £4m initiative aimed at providing SMEs with the knowledge and financial means to commercialise their intellectual assets.

To email the author click here

"Doing nothing is no longer an option". This is the advice to SMEs from the recently created UK National Cyber Security Centre (NCSC). Preventing, detecting, or disrupting a cyberattack at the earliest opportunity limits potential business impact and reputational damage. So what can a business proactively do to protect itself?

 

Protecting the business starts with a Board level commitment to the implementation of Cyber Essentials, the UK government’s minimum standard of protection for IP cybersecurity. The NCSC warns that "cybersecurity is all too often thought of as an IT issue, rather than the strategic risk management issue it really is" and calls upon SME Boards of Directors to assume their responsibility for cyber risk management under corporate governance.

 

In the first instance Board of Directors need to review the data estate of their business and agree upon which data is critical to the business, and determine their appetite for risk associated with that data. The Board then needs to assure itself that the company's cyber risk management regime is effective in meeting that appetite for risk (typically this work is delegated to non-executive directors under corporate governance).​

Measures which the Board might call upon the business to implement include:

  • Firewalls & internet gateways – detect and block any executable downloads, block corporate access to known malicious domains, and prevent corporate devices from communicating directly with the internet as appropriate

  • Malware protection – establish and maintain malware defences to detect and respond to known attack code. Corporate users should be trained in cyber risks and made aware how social media can be exploited. Corporate users should not use unofficial media (e.g. USB sticks given away at conferences) and all official media should be scanned for malware. Use of removable media should require approval (granted only on a needs must basis) and sensitive data held on any movable media encrypted

  • Patch management – use only supported software and update (patch known vulnerabilities) with the latest version of the software

  • Whitelisting & execution control – prevent unknown software from being able to run or install itself (including Autorun on CD & USB drives) on all corporate devices

  • Secure configuration – restrict the functionality of every corporate device, operating system, and application to the minimum needed for the business to function.  Corporate wireless devices should only be allowed to connect to trusted wireless networks and all corporate wireless access points should be password protected (note it is equally important to establish 'Cloud' cybersecurity principles)

  • Password policy – ensure an appropriate corporate policy is in place which delivers an effective balance between security and usability. Always use unique and unguessable passwords for work accounts and store them using a secure and reputable password manager 

  • User access control – limit normal users’ execution permissions (i.e. prevent users with 'normal' privileges from installing or disabling any software or services) and enforce the principle of needs must access. Ensure that users with 'privileged' system rights (i.e. administrators) have constrained internet and email access to limit exposure from a single vulnerability. Ensure user access is revoked when a member of staff leaves.

 

Many IP cyberattacks are 'asymptomatic' - meaning you will be unaware that your business has been hacked - so how can you tell if you're under attack?  Internal system monitoring & external surveillance (e.g. dark web) provide a capability to detect actual or attempted cyberattacks - tools such as network intrusion detection and prevention should be on the corporate network and configured by qualified staff to monitor traffic for unusual or malicious incoming or outgoing activity with any generated alerts promptly managed by appropriately trained staff.

(*)  Common Cyber Attacks Reducing The Impact (NCSC)