
London issues call to arms to cyber security community

Cyber security community called on to help educate capital’s small businesses about cyber crime and give them practical advice

London is calling on the cyber security community to help keep the city’s more than one million small businesses safe from cyber crime.

“Cyber crime is a growing problem for everyone, but while individuals are protected by their banks, small businesses can be sunk if their [banking] details are hacked,” said Rebecca Lawrence, chief executive, Mayor’s Office for Policing and Crime (Mopac).

“Cyber crime is a huge area of crime, and one that policing alone cannot solve,” she said. “We will not be able to police ourselves out of this problem, but we can take simple protective measures.”

Lawrence said enabling small businesses to make themselves safer from cyber attack is the driving concept behind the London Digital Security Centre (LDSC), which was set up as a not-for-profit organisation in 2015 by Mopac and is run as a joint venture between the mayor of London, the Metropolitan Police and the City of London Police.

“I believe that with more players partnering with the LDSC, we can really provide the step-change we need to see in security in London, and that it is a model that is replicable beyond – but we do need more partners,” she said.

Rajesh Agrawal, London deputy mayor for business, said small businesses are the lifeblood of the city’s economy, but typically lack the resources of big business to ensure they are cyber secure.

“Small businesses are affected by the same cyber threats, but without the resources of big business, they can easily go under if cyber attackers steal their data and money, causing damage to their reputation,” he said.

Cyber security is complex, requiring expert skills, said Agrawal. “That is why it is vital that we all work together to ensure that small businesses understand their areas of weakness and how they can reduce the cyber risk they face,” he said.

“We need to work together to educate business owners and employees about the real implications of cyber crime and give them practical tips.”

Agrawal said London is recognised as the top city in the world to do business, but it is important to ensure the same is true in terms of cyber security. “We at City Hall have been working very hard with Mopac and the LDSC, which has an important role to play,” he said.

Free membership scheme

John Unsworth, chief executive of the LDSC, detailed the progress made in the past year in the centre’s key objectives of setting up a free membership scheme, introducing a programme of activities in the community, and developing a marketplace of trusted, relevant and affordable security products and services.

Through the membership scheme, the LDSC has conducted security assessments on more than 400 small to medium-sized enterprises (SMEs), has partnered with more than 50 market-leading organisations to provide products and services, and has engaged directly with businesses by going door-to-door in partnership with the Metropolitan Police and City of London Police.

“We have instigated academic research with Oxford University to independently assess our work and establish evidence of what works and what does not work in supporting businesses to improve their digital security,” said Unsworth.

Through these “high street” engagements and events in partnership with financial institutes and trade bodies, the LDSC has reached more than 1,000 organisations, he said.

The LDSC has also created and launched an app that hosts digital security training programmes and cyber crime prevention videos from a wide variety of sources, including the National Cyber Security Centre (NCSC).

“We have developed a commercial model that is allowing the centre to be less reliant on public funding,” said Unsworth, adding that the cyber security community and big business are vital to enabling the LDSC to grow its financial independence and its capability to help businesses stay safe from cyber attack by providing free support and guidance to get the basics right.

“We are issuing a call to action to business communities across London to help them keep smaller businesses safe and to protect the backbone of London’s economy,” he said. “If you hold data, you are a viable target.

“In April, the Department for Digital, Culture, Media and Sport highlighted that 45% of micro/small businesses have been the victims of successful data breaches or attacks over the previous 12 months, so the threat is particularly real and potentially devastating to small businesses.

“We are here to help London SMEs understand what makes a good security posture and what they can do to improve their existing security.”


Enabling SMEs to improve their cyber security protocols by identifying and implementing the appropriate controls is at the heart of the free membership offered by the LDSC, said Unsworth.

“Information is good, but action is better,” he said, reiterating the theme of a recent presentation at the Whitehall Media Enterprise Cyber Security Conference in London, where he also emphasised that although there is a lot of information available on cyber security, businesses really need help in implementing it.

The centre’s data shows that not all London SMEs are aware of the simple digital security processes they can add to their business operations, with 69% running outdated software, 74% lacking bring-your-own-device (BYOD) policies, 25% lacking anti-virus software, 69% not using encryption software, 85% not using digital signatures, and 77% not using the Dmarc email authentication, policy and reporting protocol.

But improving cyber security is not always about buying new kit and spending money, said Unsworth. A small business can do a lot to improve its cyber security posture by a simple investment in time and effort.

“This includes things like installing the latest software and app updates because they contain vital security upgrades which help to protect against viruses and hackers, using strong and separate passwords for key accounts, backing up essential data at regular intervals, never disclosing passwords, and ensuring that administrative accounts are never used for routine activities, such as browsing and emailing,” he said.

Other recommendations include: providing staff with access to simple, freely available cyber security training; conducting a cyber security risk assessment; seeking accreditation through the government-endorsed Cyber Essentials scheme; and deploying the Dmarc (domain-based message authentication, reporting and conformance) protocol and the SPF (sender policy framework) to validate a message’s email domain.

Help and guidance needed

Unsworth said the LDSC needs help and guidance from the cyber security community and big business to improve its reach, capabilities, services and processes.

The only way the organisation can achieve the goal of keeping small businesses safe from cyber crime, he said, is to partner with organisations that have the necessary cyber security skills, expertise, products and services.

“We are getting good traction with businesses, we are getting more engagement with businesses, but it is now about how we maintain that and scale it up,” said Unsworth. “But we need help, we need assistance in reaching the more than a million small businesses in London.

“There are 5.4 million SMEs across the country, so the 4.4 million outside London are asking how they get access to this kind of support, so scaling all this up is a challenge.” This can be done only through a partnership approach, he added.

The LDSC currently has five types of partner, said Unsworth: product partners, with products that are needed by SMEs but who also form a community that can identify things that will make a real difference; alliance partners, who help to deliver the membership scheme; strategic partners, who help with resourcing, financing and logistics; sponsors for events and activities; and academics, who help to collect evidence of what is working.

The LDSC is currently working with academics from the universities of Royal Holloway, Greenwich, Oxford, De Montfort and Manchester.

Looking forward, Unsworth said the pace at which the LDSC has been working is not sustainable with its current resources. “We are starting to get real traction in what we are doing, but now it is about seeking out help, support and advice about how we do the rest of it – how we get into all the London boroughs, how we get to businesses to engage with them and get the message across about how we can help,” he said.
