Managing Cyber Risks

Managing Cyber Risks: Effective Strategies for Stronger Resilience

Risk Management in Cyber Security

Our host explains what risk management is and why it is important for businesses that are looking to increase their cyber security.

Topics include:

  • What is cyber risk management?
  • Five steps of Cyber Risk Management


What is Cyber Risk Management?

Cyber risk management has, for the most part, always been an element of any business's risk strategy or management plan. Historically, this was a case of making sure we were safe from Denial-of-Service attacks or disruptive/malicious software threats.

Today, however, the risks that businesses face in the digital workspace are legion in both number and variety, and the intent behind them is different. The impact they have on our business has similarly changed: it is no longer about causing a nuisance and/or disrupting the operation of a business and the services it offers.

Cyber risk management is now about taking a much more focused approach to the risks posed by today's (and tomorrow's) cyber threats. This means understanding and prioritising the types of cyber threat that are most relevant to your business, determining the magnitude of the impact they could have on your ability to work and trade normally, and developing and implementing solutions and countermeasures to mitigate those risks.

Five Steps of Cyber Risk Management

Identifying Risks

This involves assessing your systems, processes, and data to identify potential vulnerabilities and threats.

The first step to identifying risks to your business is to understand the mission-critical areas of your digital environment.

Key questions to identify these are: 

  • Which servers and/or services are critical to your ability to support business as usual operation?
  • What would be the impact on your business if these critical elements were unavailable?

Assessing the Likelihood & Impact

Once potential risks have been identified, the next step is evaluating the likelihood of each risk occurring and the potential impact on the organisation if it does.

The financial risks to a business today are without doubt the elephant in the room. They are often intangible and very difficult to measure, so it's easy to dismiss expensive cyber security solutions and "run the risk" of a significant cyber incident not happening. Every day, organisations discover the hard way that the financial risks they thought were acceptable turn out to be orders of magnitude higher than they anticipated.

Of course, not every cyber security ‘incident’ is apocalyptic in nature but there are some that are, and their ramifications need to be understood to the greatest extent possible.

Prioritising Risks

Based on the likelihood and impact of each risk, the organisation should prioritise the risks that need to be addressed first. Don't waste time on risks that are not credible at the expense of those that are. A key consideration for prioritising risk is asking how long you could sustain operations if one or more of these systems were lost.

Using a risk assessment framework is one of the best ways to prioritise the risks that have been identified. There are numerous frameworks freely available that assess risks using different approaches; it's often a good idea to assess the same risks in different ways and compare the results to help you understand the severity of the risk to you. Risks identified as concerns by both approaches are a safe starting point as to where your priorities lie.

Implementing Controls

Businesses should implement proper controls to mitigate or eliminate the risks identified. These controls can include technical solutions such as firewalls and antivirus software, as well as policies and procedures to improve security awareness and incident response.

Consider how changing the way you operate might affect the risks you have identified. Can small process changes, or enabling security features of your existing solutions (such as encryption of data at rest), mitigate or eliminate the risks you have identified for little or no cost?

Monitoring and Reviewing

For the most effective risk management, businesses need to continuously monitor their systems and processes. This is key to ensuring that the cyber security controls that have been implemented are effective and that new risks are identified and dealt with.


Conclusion

Many of us are only conducting perfunctory cyber risk assessments and would greatly benefit from adjusting our approach. Gartner's studies have led them to the same conclusion:

“…by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.”

Free Posture Assessment

Understand your security risks and how to fix them.

Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.

Claim your free 30-minute guided posture assessment with a CyberLab expert.


Five Essential Cyber Security Measures: Practical Cyber Security Tips

Practical Cyber Security Tips Every Small Business Should Know

With the increasing frequency and sophistication of cyber attacks, it is crucial for SMEs to adopt robust cyber security practices to safeguard their business and data.

This blog focuses on essential cyber security best practices tailored for SMEs, highlighting key resources and actionable steps to protect your business.


Cyber Security Best Practices for SMEs

Implementing effective cyber security measures doesn’t require a massive budget or extensive expertise.

Employee Training and Awareness

Educate your staff about common cyber threats such as phishing, malware, and social engineering. Regular training sessions can help employees recognise and avoid potential security risks.

Strong Password Policies

Encourage the use of strong, unique passwords for all accounts. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.

Regular Software Updates

Keep all software, including operating systems and applications, up to date with the latest security patches. Regular updates help protect against known vulnerabilities.

Data Encryption

Encrypt sensitive data both in transit and at rest. This ensures that even if data is intercepted or accessed without authorisation, it remains unreadable.

Backup and Recovery Plans

Regularly back up your data and ensure that backups are stored securely. Test your recovery plan to ensure that you can quickly restore operations in the event of a cyber incident.

Gain Cyber Essentials

Achieving Cyber Essentials certification demonstrates your commitment to cyber security and provides a solid foundation for your security practices.


Understanding Cyber Essentials

Cyber Essentials is a UK government-backed certification scheme led by IASME, designed to help organisations of all sizes protect against common online threats.

The scheme covers five key areas:

  • Firewalls and Internet Gateways: Implementing firewalls to secure your internet connection.
  • Secure Configuration: Ensuring that systems are configured securely to reduce vulnerabilities.
  • Access Control: Managing user access to data and services to minimise risk.
  • Malware Protection: Installing and maintaining anti-malware solutions.
  • Patch Management: Keeping software up to date with the latest security patches.

By adhering to these principles, SMEs can significantly reduce their risk of cyber attacks and improve their overall security posture.

Actionable Steps for SMEs

Here are additional steps small businesses can take to protect themselves from cyber threats.

Conduct Regular Security Audits

Periodically review your organisation's security posture, taking a holistic approach to identify and address any vulnerabilities or gaps. There are several open-source industry standards and security frameworks available online that organisations, including SMEs, can align to, such as NIST, the CIS Critical Security Controls SME Companion, and NCSC guidance. CIS even offers a free Controls Self-Assessment Tool (CIS CSAT) to help you get started.

Vulnerability Management

Regularly identify, assess, and mitigate vulnerabilities in your systems. Using Cyber Security as a Service (CSaaS) solutions, such as HackRisk, can help you stay on top of vulnerabilities without the need for a dedicated in-house team.

Develop an Incident Response Plan

Prepare for potential security incidents by creating a response plan. Outline procedures for detecting, responding to, and recovering from cyber-attacks. Sophos offers a free incident response planning guide which can be downloaded here.

Utilise Cloud Security Solutions

Many cloud service providers offer robust security features that can help SMEs protect their data and applications.

Outsource to Experts

If maintaining an in-house cyber security team is not feasible, consider outsourcing to a dedicated team of experts. Services such as those offered by Sophos provide ongoing support and incident response capabilities, alleviating some of the cost and resource burdens.

Communication Protocols

Establish clear protocols for communicating internally and externally during a security incident. This ensures that information is disseminated quickly and accurately, minimising confusion and mitigating damage.


Cyber Security Essentials for Websites and Applications

Cyber Security Essentials for Websites and Applications: Safeguarding E-Commerce

Safeguarding E-Commerce Success

With e-commerce thriving as a cornerstone of retail, securing websites and applications has never been more critical. Cyber criminals target vulnerabilities in commercial platforms and websites to exploit sensitive customer data and disrupt operations.

This month, we explore the cyber threats and implications facing online retail and e-commerce, as well as delving into some best practices and frameworks like OWASP, and secure development methodologies, to help organisations stay secure online.


Why Application Security Matters for E-Commerce

Threat Landscape

Cyber crime targeting e-commerce platforms remains a top concern: according to the NCSC, 50% of UK businesses experienced a cyber attack in 2023 alone, and 18% of breaches reported to the Information Commissioner's Office (ICO) in 2023 were in the retail sector.

Rising Threats

Cyber crime targeting online businesses in the UK is being driven by increasingly sophisticated attacks, with the number of affected businesses only set to increase year on year. Common threats include SQL injection, cross-site scripting (XSS), and API breaches.

Impact

A single breach can result in financial loss, reputational damage, and even regulatory penalties. For example, Magecart’s attacks on British Airways showcased the devastating impact of compromised third-party integrations, resulting in the flag carrier airline having to pay a £20m data protection fine. [source: The Register]

Trust and Loyalty

Ensuring robust security builds customer trust, enhances brand reputation, and protects critical data like payment information and personal details.


The Rise of API Breaches and the Importance of Secure Third-Party Integrations

APIs (Application Programming Interfaces) are the backbone of modern web applications, enabling integration between systems, other applications, and services. According to Business Wire, a survey in 2022 found that 97% of enterprise business leaders agree that successfully executing an API strategy is essential to secure organisations’ future revenue and growth.

However, their rapid adoption has also made them a prime target for attackers. In 2021, Gartner predicted that APIs would become the top attack vector used to target applications.

Fast forward to 2024 and there have already been some notable breaches…

Peloton API Breach (2021)

Hackers exploited a vulnerability in Peloton's API that allowed users to make an unauthenticated request for account data without the API first verifying whether that user was authorised to access the data.

The API enables the end users’ bikes to capture and upload data back to Peloton’s servers. Sensitive user data for around 3 million individuals was exposed due to insecure API configurations.

This included personal details such as names, emails, and workout statistics. Peloton’s inadequate authentication and authorisation measures highlighted the critical need for robust API security protocols. [source: Threatpost]
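The flaw described above, in the form a defender would look for in a code review, as an added example that is not Peloton's code or the article's own: a minimal account-data handler that never checks who is calling, beside a hardened handler that authenticates and then enforces object-level authorisation. The account records, session table and the "read only your own account" rule are constructed for the demo.

```python
"""Added example, not Peloton's code: a minimal account-data endpoint with the
class of flaw described above (no authentication, no check that the caller may
read the requested account) beside a hardened handler. The account records,
session table and authorisation rule are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store, keyed by user id.
ACCOUNTS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "workouts": 42},
    1002: {"name": "Bob Example", "email": "bob@example.test", "workouts": 7},
}

# Constructed session table: bearer token -> user id. A real service would
# verify a signed token or look the session up in a session store.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Request:
    path_user_id: int           # user id taken from the URL path
    auth_token: Optional[str]   # bearer token from the Authorization header, if any


@dataclass
class Response:
    status: int
    body: dict


def get_account_vulnerable(req: Request) -> Response:
    """Broken access control: trusts the id in the URL and never asks who is
    calling, so any client can read any account simply by supplying an id."""
    record = ACCOUNTS.get(req.path_user_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


def authenticate(token: Optional[str]) -> Optional[int]:
    """Map a bearer token to a user id; None if the token is absent or unknown."""
    if not token:
        return None
    return SESSIONS.get(token)


def is_authorised(caller_id: int, target_id: int) -> bool:
    """Object-level authorisation rule (constructed): a user may read only
    their own account. A real service would also consult roles or consent."""
    return caller_id == target_id


def get_account_hardened(req: Request) -> Response:
    """Authenticate first, then enforce object-level authorisation before the
    record is touched. 'Not found' and 'not yours' share the same 404 so the
    endpoint does not reveal which ids exist."""
    caller = authenticate(req.auth_token)
    if caller is None:
        return Response(401, {"error": "authentication required"})
    if not is_authorised(caller, req.path_user_id):
        return Response(404, {"error": "not found"})
    record = ACCOUNTS.get(req.path_user_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


if __name__ == "__main__":
    anonymous = Request(path_user_id=1001, auth_token=None)
    print("vulnerable, anonymous caller:", get_account_vulnerable(anonymous).status)
    print("hardened,   anonymous caller:", get_account_hardened(anonymous).status)
    other_user = Request(path_user_id=1001, auth_token="tok-bob")
    print("hardened,   another user's account:", get_account_hardened(other_user).status)
```

The two handlers differ only in the checks that run before the data store is read, which is exactly where a review should look for this class of bug.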

Facebook Data Breach (2021)

An API misconfiguration in Facebook’s (Meta’s) contact importer feature was exploited by malicious actors, exposing the personal data of approximately 533 million users from 106 countries.

Personal data such as phone numbers, full names, and locations were leaked, with the issue originally stemming from scraping public profiles before the vulnerability was patched in 2019. [source: Twingate]


Tales from the CyberLab: Cyber Security for Websites & Apps Explained


Best Practices for Web Application Security

Penetration Testing

Penetration testing is a cornerstone of application security, especially for retail and e-commerce businesses handling vast amounts of sensitive customer data and requiring 24/7 availability online.

While large enterprises like Amazon may have the capacity to conduct internal pen testing, most organisations in this space face cost and resource constraints that make outsourcing these services more practical and effective. Partnering with external cyber security experts provides access to specialised skills, tools, and up-to-date threat intelligence that many internal teams simply can’t maintain.

Moreover, hiring third-party testers eliminates the bias that might come with in-house testing and ensures that vulnerabilities are approached with a fresh perspective. The cost of penetration testing is often outweighed by the potential financial and reputational damage of a breach, particularly in high-stakes industries like retail.

Independent testing not only provides peace of mind but also aligns with compliance requirements and industry best practices, ensuring businesses are well-protected against the ever-evolving threat landscape.

Code Reviews

Code reviews are an essential part of any secure development process, ensuring that security vulnerabilities are caught early in the development lifecycle. This practice involves systematically examining source code to identify flaws, errors, or opportunities for improvement, with a strong focus on maintaining high security standards.

For retail and e-commerce businesses, where customer trust is paramount, code reviews play a vital role in protecting sensitive user data and ensuring seamless functionality. Conducting thorough code reviews:

  • Identifies Common Vulnerabilities: Helps uncover issues such as injection flaws, insecure data handling, and authentication weaknesses, which align with risks highlighted in the OWASP Top 10.
  • Enhances Collaboration: Encourages teamwork among developers, fostering a culture of accountability and shared responsibility for secure coding practices.
  • Reduces Costs: Fixing security vulnerabilities during development is significantly less expensive than addressing them after deployment or following a breach.

Given the fast pace of the e-commerce sector, it may be tempting to bypass code reviews to save time. However, the long-term risks far outweigh the short-term gains. Engaging third-party experts or employing tools like static application security testing (SAST) solutions can streamline this process, providing an additional layer of confidence before your code goes live.

Ultimately, code reviews are more than just a quality check – they are a proactive defence against cyber threats, reinforcing the integrity of your applications from the very foundation.


Open Web Application Security Project (OWASP)

Top 10 Vulnerabilities

OWASP (Open Web Application Security Project) offers a globally recognised framework for understanding the most common and prevalent risks facing open web and mobile applications.

Here’s a snapshot of the OWASP Top 10 vulnerabilities every e-commerce platform must address:

  1. Broken Access Control: Unrestricted access to sensitive functionalities or files.
  2. Cryptographic Failures: Insufficient cryptographic mechanisms leading to compromise of sensitive data.
  3. Injection: Exploiting input fields to manipulate databases or applications (e.g., SQL Injection).
  4. Insecure Design: A broad category representing different weaknesses, expressed as “missing or ineffective control design”.
  5. Security Misconfiguration: Default settings or unpatched software creating vulnerabilities.
  6. Vulnerable and Outdated Components: Relying on outdated libraries and frameworks, or application technologies with known vulnerabilities.
  7. Identification and Authentication Failures: Weak authentication and authorisation processes enabling unauthorised access.
  8. Software and Data Integrity Failures: Code and infrastructure that does not sufficiently protect against integrity violations.
  9. Security Logging and Monitoring Failures: Insufficient logging, detection, monitoring, and active response, enabling unnoticed breaches. The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
  10. Server-Side Request Forgery (SSRF): SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). This is increasingly common in modern web applications.
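A defensive check for the SSRF item above, as an added example that is not part of the original article: before the server fetches a user-supplied URL it enforces the scheme, a host allowlist, the standard port, and resolves the host so that loopback, private, link-local (cloud metadata) and IPv4-mapped addresses are refused. The allowlist, the offline resolver table and the sample URLs are constructed for the demo.

```python
"""Added example, not from the original article: a pre-fetch URL check for the
SSRF item of the OWASP Top 10. The resolver is injectable so the check runs
offline here; allowlist, resolver table and sample URLs are constructed."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Constructed allowlist of remote hosts the application is permitted to fetch.
ALLOWED_HOSTS = {"images.example.test", "api.partner.example.test"}
ALLOWED_SCHEMES = {"https"}

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA addresses via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def demo_resolver(host: str) -> List[str]:
    """Constructed DNS answers so the example runs without network access.
    The partner host deliberately has one internal address in its answer."""
    table = {
        "images.example.test": ["93.184.216.34"],
        "api.partner.example.test": ["93.184.216.34", "10.0.0.5"],
    }
    return table.get(host, [])


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback,
    RFC 1918, link-local (e.g. 169.254.169.254), ULA, reserved and unspecified."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return a normalised URL that is safe to fetch, or raise ValueError naming
    the rule that failed. Fetch only the returned value, and re-validate any
    redirect target before following it."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    addresses = resolver(host)
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    # Every answer must be public; a single internal address refuses the whole
    # host so a DNS response cannot steer the request inside the network.
    for addr in addresses:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path or '/'}{query}"


def is_safe_fetch_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Boolean wrapper around validate_fetch_url for callers that only gate."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    samples = [
        "https://images.example.test/catalogue/1.png?size=lg",
        "http://images.example.test/catalogue/1.png",
        "https://127.0.0.1/admin",
        "https://images.example.test@evil.example/",
        "https://api.partner.example.test/orders",
    ]
    for sample in samples:
        try:
            print("ALLOW", validate_fetch_url(sample, demo_resolver))
        except ValueError as err:
            print("DENY ", sample, "->", err)
```

The check is deliberately a denylist of nothing and an allowlist of hosts: new destinations are added by changing ALLOWED_HOSTS, never by loosening the address rules.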


Secure Development Life Cycle (SDLC)

SDLC emphasises embedding security into every stage of the development process, from ideation to deployment. Key steps include:

  • Planning: Identify security requirements early.
  • Design: Threat modelling to anticipate potential attack vectors.
  • Implementation: Use secure coding practices and tools to detect vulnerabilities in real time.
  • Testing: Conduct automated and manual tests, including code reviews and penetration testing.
  • Deployment: Monitor applications continuously and ensure robust change management.
  • Maintenance: Regularly update, patch, and audit systems post-launch.

More information about SDLC practices can be found here.

Tools and Resources for Strengthening Security


Your Security Questions Answered

Your Cyber Security Questions Answered: Questions Every Business & IT Leader Asks

Top Questions Every Business & IT Leader Asks

Security is now a core business risk, not just an IT concern.

Cloud adoption, hybrid work and a fast‑moving threat landscape mean leaders need simple, practical answers to three recurring questions:

  • Has security really changed that much in the past few years?
  • Am I using the best‑in‑class security vendors today?
  • Do I have the right skills and time in‑house to manage these solutions?

CyberLab addresses each question and outlines a pragmatic way forward.


Has Security Really Changed That Much?

Yes. The perimeter has shifted, and so have attacker methods and business expectations.

  • Hybrid work and SaaS sprawl
    People, devices and data now operate beyond the office. Access happens from anywhere, often to third‑party applications. Security must follow identity and data, not only networks.
  • Identity is the new control point
    Strong authentication, conditional access and least privilege are now essential. Compromised credentials remain one of the most common root causes of incidents.
  • Cloud as default
    Security needs to be built for cloud platforms and APIs. Posture management, workload protection and secure configuration now sit alongside traditional controls.
  • Detection, response and resilience
    Prevention is vital, but it is not enough on its own. Organisations need visibility, rapid response and tested recovery. Backups, restore testing and incident playbooks are part of core security.
  • Supply chain and third parties
    Vendors, partners and integrators can introduce risk. Contracts, minimum controls and periodic assurance need to be part of the operating model.

The model to aim for is identity‑first, least privilege, assume breach, with layered controls that prevent, detect, respond and recover.


Are We Using Best‑In‑Class Security Vendors Today?

“Best” depends on outcomes, integration and operational fit, not just features. Many estates grew into a patchwork of point products. Consolidation around fewer, well‑integrated platforms often improves security and reduces effort.

What good looks like in a modern stack

  • Identity and access
    Enterprise identity provider, phishing‑resistant MFA, conditional access, privileged access management, lifecycle governance.
  • Endpoint and server security
    EDR or XDR with behaviour‑based detection, central policy, and response tooling. Coverage for Windows, macOS, Linux and mobile.
  • Email, web and DNS security
    Advanced phishing protection, attachment sandboxing, impersonation and brand spoofing controls, safe link handling and DNS filtering.
  • Cloud and SaaS posture
    Cloud security posture management for IaaS and PaaS, and configuration governance for SaaS. Guardrails and continuous checks.
  • Network security
    Secure web gateway, ZTNA for private apps, and segmentation. Where appropriate, an SSE or SASE approach to apply consistent policy from anywhere.
  • Data protection and backup
    Classification, DLP, encryption and secure, isolated backups with regular restore tests.
  • Vulnerability and patch management
    Accurate asset inventory, regular scanning, prioritised remediation and clear service levels.
  • Logging and monitoring
    Centralised log collection, correlation, detection content mapped to common frameworks, and alert triage.

Selection principles that help

  • Prioritise integration and coverage over feature checklists.
  • Favour open standards and proven interoperability.
  • Demand outcome measures, not only demos.
  • Consider operational cost. The best tool is one the team can run well.

Common anti‑patterns to avoid

  • Buying duplicate tools that overlap.
  • Deploying without hardening defaults.
  • Ignoring decommissioning, leaving legacy exposure.
  • Running security in silos that do not share telemetry or policy.


Do We Have The Right Skills And Time In‑House?

Many incidents are caused by misconfiguration rather than missing tools. Operating security well is a discipline that combines people, process and technology.

Operate to a plan, not heroics

  • Define standards and baselines for identity, endpoint, cloud and data.
  • Use automation for onboarding, patching, certificate and key management.
  • Maintain runbooks and playbooks for detection and response.
  • Track metrics such as mean time to detect and recover, patch compliance and simulation results.

When to consider managed services

  • You need 24×7 detection and response but cannot staff it continuously.
  • You want co‑managed operations, where a partner handles monitoring and escalation while your team owns design decisions.
  • You have gaps in specialist skills such as cloud security engineering, incident response or penetration testing.

Roles and responsibilities that matter

  • Risk owner to align controls with business priorities.
  • Security engineering to design and harden platforms.
  • Operations for monitoring, patching and access governance.
  • Incident response with clear authority to act.


Building an In-House Security Team vs Outsourced Security Support


A Practical 90‑Day Action Plan

  • Baseline your posture
    Inventory identities, devices, critical apps, internet‑facing assets and third parties.
  • Close the high‑impact gaps
    Enforce MFA everywhere feasible. Disable legacy protocols. Review and tighten privileged access.
  • Harden endpoints
    Deploy EDR or XDR to all supported devices. Remove unsupported operating systems where possible.
  • Improve email defences
    Enable advanced phishing controls. Publish and monitor SPF, DKIM and DMARC with alignment.
  • Patch with purpose
    Implement a clear patch cadence and fast‑track critical updates for internet‑facing systems.
  • Secure backups and test restores
    Maintain immutable or isolated copies. Prove you can restore key services within business‑agreed times.
  • Scan for vulnerabilities
    Run internal and external scans. Prioritise based on exploitability and business impact.
  • Strengthen cloud configuration
    Apply baseline policies, guardrails and automated checks in cloud platforms and key SaaS.
  • Train and test people
    Short, regular awareness modules and varied phishing simulations with friendly feedback and easy reporting.
  • Prepare to respond
    Document playbooks, define roles and run a tabletop exercise for a realistic scenario such as business email compromise.


How CyberLab Helps

CyberLab supports organisations with a practical, outcome‑focused approach:

  • Posture assessments and roadmaps aligned to recognised frameworks.
  • Testing and assurance including vulnerability assessments and penetration tests by accredited specialists.
  • Managed detection and response with actionable reporting and co‑managed models.
  • Identity, email and endpoint hardening to raise the baseline quickly.
  • Awareness and simulation programmes that build positive security culture.
  • Certification support for standards such as Cyber Essentials and similar schemes.

If your organisation would like a clear view of current risk and a right‑sized plan to improve, we are available for an initial discussion to align goals, constraints and next steps.


The True Cost of a Cyber Incident and How It Impacts Your Business

Security Lessons from M&S, Co-op, and Jaguar Land Rover

Data breaches remain one of the most expensive risks organisations face today. IBM's latest Cost of a Data Breach Report reveals that the global average cost has reached $4.44 million, although, for the first time in five years, that figure is trending downward thanks to faster containment driven by AI-powered defences.

Closer to home, the United Kingdom sits near the global average, with the typical breach costing £3.29 million (around $4.14 million).

These numbers are more than statistics. They highlight why robust security strategies, rapid response capabilities, and investment in advanced technologies are essential.

In this edition, we explore the trends shaping cyber security and what they mean for your organisation. One thing is clear: the cost of inaction is far greater than the cost of prevention.


The High Price of Disruption: Recent UK Case Studies

Jaguar Land Rover: The Most Expensive Cyber Attack in UK History

In late August, Jaguar Land Rover (JLR) suffered a crippling cyber attack that forced a month-long shutdown of its internal systems and production lines. The estimated cost? At least £1.9 billion ($2.5 billion), making it the most economically damaging cyber event ever recorded in the UK.

The attack halted production at multiple sites, affected over 5,000 organisations in the supply chain, and required a £1.5 billion government loan guarantee to stabilise operations.

JLR’s wholesale deliveries dropped nearly 25% year-on-year, and the full recovery is not expected until early 2026. Analysts estimate JLR was losing around £50 million per week during the shutdown. (source: BBC)


Marks & Spencer and Co-op: Retailers Under Siege

Earlier this year, Marks & Spencer (M&S) and Co-op were hit by cyber-attacks that, while less costly than JLR’s, still resulted in staggering losses. The M&S breach, which shut down online services for two months, is estimated to have cost the retailer £300 million. (source: Sky News)

The attack exploited social engineering tactics, manipulating IT helpdesk staff into resetting passwords and bypassing security controls. Co-op and Harrods also suffered significant incidents, with the combined financial impact of the retail sector attacks estimated between £270 million and £440 million. (source: msn.com)


Why Are the Costs So High?

Operational Downtime: For JLR, every day of halted production meant lost vehicle sales, supply chain disruption, and financial strain on thousands of partner businesses.

Supply Chain Ripple Effects: The JLR attack affected over 5,000 organisations, with some suppliers facing collapse due to delayed or cancelled orders.

Reputational Damage: Retailers like M&S faced public scrutiny, parliamentary investigations, and the need to sever long-standing IT partnerships in the wake of the breach.

Regulatory and Legal Costs: UK GDPR and Data Protection Act violations can result in fines up to £17.6 million or 4% of global turnover, not to mention the cost of remediation and customer notification.


Lessons Learned: What These Incidents Teach Us

Cyber Security is Economic Security

As highlighted by the National Cyber Security Centre (NCSC), the scale of these incidents means that cyber resilience is now a matter of national economic security, not just IT hygiene. With 4 major incidents being reported per day in the UK, and a 50% increase from last year in ‘nationally significant’ attacks, UK businesses that fail to prepare for such events risk putting serious strain on the nation’s economy and increasing our collective exposure to such events. (source: NCSC)

“Improving cyber resilience is a shared responsibility. Government, businesses, and service providers each have a role to play.”

– Gavin Wood, CEO

Attackers Exploit the Basics

Many breaches still begin with social engineering, weak access controls, or poor digital hygiene. This serves as a reminder that foundational security practices remain critical.

Preparation and Response Matter

The ability to rapidly detect, contain, and recover from incidents can dramatically reduce costs. Incident response retainers and robust playbooks are essential investments.


Best Practices for Mitigating the Cost of a Breach

No organisation is immune to cyber incidents or data breaches. Experiencing one is a matter of when, not if. While absolute, around-the-clock security appears unattainable in a constantly evolving threat landscape, adopting proven best practices can make a significant difference. By implementing the steps below, businesses and organisations can greatly reduce the impact and financial burden of inevitable cyber events:

Invest in Resilience

Regularly review and test incident response plans. Ensure board-level oversight of cyber risk.

Implement Multi-Factor Authentication (MFA)

Require MFA or two-factor authentication (2FA) for all users, especially for accessing sensitive systems, to provide a crucial layer of security beyond the password.

Supply Chain Security

Assess and support the cyber resilience of key suppliers. Proactively manage your third-party risk, monitor vendor posture, and strengthen your supply chain security with HackRisk’s Supply Chain Security tools.

Cyber Insurance

While insurance can offset some costs, most policies only cover a portion of total losses. Understand your coverage and its limitations.

Continuous Dark Web Monitoring

Employ tools or services such as HackRisk AI to monitor for compromised credentials on the dark web, allowing for swift response if employee or organisational data is found in breach dumps.

Comprehensive Staff Training

Deliver regular cyber security awareness training for all employees, with a focus on recognising phishing attempts, the importance of password hygiene, and how to respond to suspicious activity.

Ongoing Policy Review and Enforcement

Routinely review and update password and authentication policies to adapt to emerging threats and ensure enforcement with automated checks wherever possible.


Final Thoughts: Reducing Risk

The financial consequences of a cyber incident can be devastating and, in some cases, fatal for organisations, as demonstrated by the experiences of companies such as JLR, M&S, and Co-op. These cases underscore how quickly costs can escalate, cascading far beyond initial estimates and affecting multiple facets of a business.

Given the severity of potential losses, it is essential for organisations to recognise cyber security as an integral business risk in order to preserve not just brand and reputation but ultimately business survival.

Treating cyber security with the same level of attention as other core business risks ensures that appropriate resources are allocated to mitigation and preparedness, potentially reducing the harm caused by cyber incidents and also the penalties or fines that may be imposed.

Free Posture Assessment

Understand your security risks and how to fix them.

Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.

Claim your free 30-minute guided posture assessment with a CyberLab expert.

Claim Free Consultation

Important Contracting Company Update: Legal Entity Name Change

Changes to your Contracting Company

We’re making changes to your contracting company.

This transition is part of our ongoing commitment to making life easier for our customers and our people, and reflects our values of simplicity, quality, and passion.


What is changing?

From 2 January 2026, if your contracting company is currently Armadillo Sec Limited or Cyberlab Consulting Limited, this will change. From this date, all quotes will be issued from Chess Cybersecurity Limited (company number 02962709).

On 1 July 2026, Chess Cybersecurity Limited will change its name to CyberLab Security Limited.

These changes will not affect our standard terms and conditions, pricing, or the level of service you receive.


What do you need to do?

You will need to onboard Chess Cybersecurity as a supplier, with the bank details listed above. If you already have Chess Cybersecurity onboarded as a supplier, no further action is required.

Our team is here to support you with any questions or additional fraud checks you may require.

You can contact your Sales Account Manager, or reach our Finance Team on 0333 050 8120 (Option 3) or at [email protected].


Understanding Incident Management

Understanding Incident Management: Your Cyber Safety Net

Incident Response Essentials for Every Team

The importance of safeguarding your organisation’s assets, brand, and reputation against cyber threats cannot be overstated; as the saying goes, “prevention is always cheaper than the cure”. But what about when the worst has already happened?

This month we are focusing on Incident Response, which is often shortened to IR and is a part of Incident Management. We’re deep diving into IR services, and why all organisations need access to IR expertise and support. Discover how to contain and put out the fires that cyber incidents inevitably create with practical strategies for strengthening your organisation’s cyber safety net.


What is Incident Response?

Incident response is a structured approach to addressing and managing the immediate aftermath of a cyber attack or data breach. The incident response process often involves various stages including detection, containment, eradication, remediation, recovery, and lessons learned.

Tales from the CyberLab: Ransomware Response Explained


Incident Response Retainers: Are They Really Necessary?

Incident response retainer services offer organisations proactive support and expertise in handling cyber incidents effectively. These retainer services provide organisations with access to a team of dedicated cyber security professionals who can rapidly respond to incidents when needed. These experts conduct forensic investigations, compromise assessments, and other critical tasks to minimise potential damage and mitigate risks. Additionally, they may offer guidance on handling fallout and media coverage of incidents, ensuring that organisations maintain transparency and effectively manage public perception.

While incident response retainers may initially seem like an additional expense burdening already stretched budgets, their value cannot be overstated. In fact, investing in an incident response retainer can potentially save organisations from incurring staggering costs in the aftermath of a cyber attack.

The reality is that cyber threats are becoming increasingly sophisticated and pervasive, making it not a matter of if, but when, an organisation will face a cyber incident. When such incidents occur, the financial and reputational consequences can be devastating. From the costs associated with downtime, data loss, and recovery efforts to the damage inflicted on brand reputation and customer trust, the fallout of a cyber-attack can be significant.

Furthermore, as we touched on in our Reducing Your Cyber Insurance Premiums blog, having an incident response retainer in place can also demonstrate to cyber insurance providers that the organisation is taking proactive steps to manage and mitigate cyber risks, potentially leading to reduced insurance premiums. In essence, incident response retainers serve as a crucial safety net, offering peace of mind and financial protection in the face of evolving cyber threats.


Fail to Prepare; Prepare to Fail

Real-world incidents serve as poignant reminders of the critical importance of robust incident response capabilities. Take, for instance, the notorious NotPetya cyber-attack on Maersk in 2017. Detailed in The Daily Swig, this incident underscored the need for resilience and preparedness in mitigating the impact of cyber threats.

Furthermore, insights from Ship Technology shed light on the vulnerabilities exposed by the Maersk cyber-attack. A study by Futurenautics revealed that 44% of ship operators at the time did not believe that their companies’ cyber security defence capabilities were sufficient to repel cyber-attacks, and that 39% had experienced a cyber-attack in the last 12 months. These findings emphasised the urgent need for under-prepared industries to fortify their cyber security posture and adapt to the ever-changing threat landscape.

It was not just the maritime industry that demonstrated the need for industry-wide incident response readiness. In the same year as the Maersk incident, the infamous WannaCry ransomware attack wreaked havoc on various organisations around the world, particularly the National Health Service (NHS). The WannaCry attack exploited vulnerabilities in outdated software systems, leading to widespread disruption of NHS services, including cancelled appointments, delayed surgeries, and compromised patient care. According to a “Lessons Learned” report by NHS England following the incident, the attack led to the disruption of services in one third of hospital trusts in England, with 80 out of 236 trusts affected.

A recent report conducted by Phoenix Software and the National Housing Federation (NHF) titled “The State of Cyber Security in Housing 2023” found that just 4% of UK housing associations feel the sector is fully prepared for a ransomware attack.

It’s not just specific industries that are underprepared, as research found that 73% of surveyed organisations across the U.S., EMEA and APAC countries suffered a ransomware attack in 2022, with 38% being attacked more than once. (source: PR Newswire).


Conclusion

Facing a rapidly changing threat landscape, with ransomware attacks becoming more advanced and frequent, the emergence of AI in cyber attacks, geopolitical tensions, and increasing concerns about threats to national infrastructure, organisations across all sectors must take proactive steps to enhance their incident response capabilities. Initiatives like Red Teaming and Penetration Testing offer valuable opportunities for organisations to test and refine their incident response procedures through simulated scenarios, ensuring readiness to effectively mitigate cyber attacks.

Leveraging specialised incident response services, from providers like Sophos, can provide organisations with expert guidance and support in navigating cyber incidents. By investing in comprehensive incident response solutions, regularly revising incident response plans, and actively participating in training and exercises, organisations can bolster their resilience against cyber threats and minimise the potential impact of security incidents.

The Cost of Cyber Security

The Cost of Cyber Security: The CFO's Handbook to Cyber Security Costs

The CFO's Handbook

Tom Davies, CFO at CyberLab, explains why investing in cyber security should be a key priority for CFOs and Finance Directors.

He covers:

  • Investing in cyber security to protect your business
  • Optimising cyber security budgets
  • Cyber security support


Failing to Invest in Cyber Security: A Key Risk to Your Business Survival

Cyber criminals constantly scan the internet for vulnerable targets, and businesses are often lucrative ones.

The UK Government Cyber Security Breaches Survey for 2024 found that half of businesses (50%) have experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium-sized businesses (70%) and large businesses (74%).

75% of domains identified breaches with Dark Web Monitor

Source: HackRisk, 2025

Failing to invest adequately in cyber security can lead to a breach that jeopardises the survival of your business.

The Cost of Downtime

The average downtime caused by ransomware attacks has risen dramatically, and the number of UK victims appearing on ransomware data leak sites has doubled since 2022.

Organisations face on average 26 days of downtime following a ransomware attack. Could your organisation afford such a significant disruption?

Optimising Cyber Security Budgets: Balancing Flexibility and Long-Term Savings

Multiyear Licensing vs. Monthly Subscriptions

When planning your cyber security investment, choosing the right funding model is essential, especially when considering your organisation’s cash flow dynamics.

For enterprise-level organisations, multiyear licensing agreements often present a cost-saving opportunity. These agreements typically come with significant discounts, offering a more budget-friendly option over the long term. However, they require an upfront payment, which may strain cash flows depending on your financial situation.

Alternatively, organisations aiming to maintain greater flexibility and preserve cash flow can explore monthly subscription models. While these plans provide a more manageable month-to-month payment structure, they generally come at a higher total cost over the full duration of the agreement.

In-House vs. Outsourced Cyber Security

For enterprise-level organisations, building and maintaining an in-house cyber security team can be a cost-viable option. However, many organisations are struggling to attract and retain the specialised talent required to support such teams effectively. The ongoing global skills shortage in cyber security makes it increasingly difficult to recruit qualified professionals, often leading to overstretched teams and heightened vulnerabilities.

Retaining high-quality talent is critical. Without a well-staffed and adequately trained team, the risk of missing red flags grows significantly.

Outsourced Cyber Security: A Scalable Solution

Ultimately, the choice between in-house and outsourced cyber security comes down to organisational needs, size, and resources. Enterprise-level businesses with larger budgets and established IT infrastructures may benefit from in-house teams, provided they can recruit and retain the necessary talent.

For other organisations, outsourcing provides a cost-effective, scalable, and reliable way to ensure comprehensive cyber protection.

Outsourcing allows organisations to:

  • Access top-tier cyber security expertise without the challenges of recruitment and retention.
  • Ensure round-the-clock coverage that would otherwise require significant investment in staff and resources.
  • Scale protection to meet evolving threats, leveraging advanced tools and technologies provided by managed service providers.


CyberLab Control Services

Simple, secure, reliable managed security services designed to protect your organisation. Get help when you need it most and improve your cyber security posture.

We provide that extra layer to supplement your existing operation and complement vendor support, an easy way to outsource and address the complex, specialised issues. Select the level of service to suit your needs and budget. Our experts, contactable by both phone and email, can detect the problem, protect your organisation, and support your team.

7.3% average compromise rate with Phishing Simulator

Source: HackRisk, 2025

The Financial Cost

As of 2024, the average cost for each data breach in the United Kingdom was £4.4 million, with the annual predicted cost of overall cyber crime in the UK for 2025 soaring to £524 billion.

Data breaches can result in hefty fines from regulatory bodies such as the Information Commissioner’s Office (ICO) and these fines can reach up to £17.5 million or 4% of your annual turnover, whichever is higher.

Beyond fines, organisations face escalating costs for investigation, remediation, and rebuilding their IT infrastructure. Add to this the growing expense of cyber insurance premiums, and it becomes clear how financially draining an incident can be.

The Reputational Cost

The costs of a cyber incident extend beyond immediate financial losses. Long-term brand damage is another critical consideration. According to the Cisco 2022 Consumer Privacy Survey, 76% of consumers stated they would not purchase from a company they do not trust with their data.

The erosion of trust not only results in lost customers but can also damage relationships with business partners and stakeholders. Rebuilding this trust and regaining market confidence can take years, costing your organisation not just money but growth opportunities.

Cyber Insurance Explained

Cyber risk is an evolving threat that requires proactive management, and this episode explores the complexities of cyber insurance, how it protects organisations, and the costs associated with cyber incidents.
