Firms should need no government incentive to become cyber secure / Mike Briercliffe
“We want to help protect UK businesses against cyber attack and make the UK the safest place in the world to do business online.” So said Digital Economy Minister Ed Vaizey when launching a new £1m cyber security innovation voucher scheme, which offers micro, small and medium-sized businesses up to £5,000 for expert advice to improve their cyber security.
I applaud the government’s ambition to make the UK one of the leaders in the global digital economy, and this scheme is a worthy attempt to encourage firms to bolster their IT security. But it’s important to emphasise that the onus is on businesses themselves to want to become cyber secure and then decide the best way for them individually to do that. The government scheme doesn’t provide solutions for firms – they must find their own.
The 'Cyber Security Innovation Voucher', which pays up to £5,000, is a refunded subsidy for work already done by companies to make themselves digitally safer; companies must explain the work they have carried out and why they think it merits a voucher. Those deemed to be worthy cases (though it’s unclear what the criteria are for deciding this) will compete for a slice of the available pot of money through a form of competition.
It’s certainly not a shortcut to becoming cyber secure. You could also argue it doesn’t offer much of an incentive – I ask myself whether the head of a medium-sized firm with a turnover running into millions of pounds would want to find the time to jump through all this scheme’s hoops for the prospect of a few thousand pounds.
But, of course, the incentive to become more cyber secure should be clear to most firms. The day is coming when big businesses will want guarantees from the companies they do business with that their own networks won’t be compromised by their suppliers, and will demand that they have comprehensive protection against cyber attacks and security measures in place that have been either tested or accredited (preferably both).
Cyber security can ensure a firm’s survival
The question small and medium-sized businesses have to ask is: do they wait until a major client demands to know what their data security measures are, or do they pre-empt that conversation by making sure they are already secure? You don’t want your firm to be the weak link in your biggest client’s supply chain, targeted by a hacker. Think about the insurance risk and the consequences of being pursued for compensation for causing a major security breach.
If I am in your supplier community and my security is breached, then any electronic communication I have with you is a potential security hole. And if my breach creates a problem for your systems, then, if undetected and unchecked, it can carry on up the supply chain.
Phishing attacks are a simple example of this. I send you an email without knowing my system has been compromised; you open it because you trust me. Suddenly you have a problem, unless you have your own security system to defend you.
In a sense I think it’s good that the government scheme isn’t too prescriptive. It doesn’t offer a set of bullet points on what firms should do, or a list of approved providers. But, as I’ve said before in these blogs, a firm must understand that it cannot have an IT business solution done to it. Nowhere is this lesson more important than in cyber security.
Get the right advice and the right solution
Business owners and managers need expert advice to decide what they need to do, and to help them think through the solution; they then must get the right system processes to provide that solution. Also, that solution is doomed to fail unless the firm’s staff is fully engaged with understanding and implementing it. There is no sticking-plaster solution to IT security: it must be deep-rooted within the culture of a firm and how it fundamentally manages its affairs.
Cyber security isn’t some nerdy problem, divorced from the everyday realities of running a business. With the rise of the Internet of Things, the sanctity of a company’s data is paramount to its future competitiveness, and even, I would argue, its survival in tomorrow’s digital economy. What would your business do if it were struck off tender lists or lost long-standing contracts because it didn’t have the processes to comply with customers’ tougher data security criteria?
If a firm doesn’t have a senior manager or director who is responsible for data and security then it needs to appoint someone on the double. That person doesn’t necessarily need to have all the skills, just understand the importance of the obligation and bring in the skills that are missing.
The government has helped to highlight this growing issue, through the creation of the scheme and its new online hub. For that it should be praised, as should all those who have helped to increase the national focus on this matter.