Other sources of cyber security advice for your business
There is a wide range of organizations that can help SMEs (small and medium-sized enterprises) that need support or information relating to cyber security. Here, listed in alphabetical order, are some key sources of IT and online security advice.
- 10 Steps to Cyber Security
- The Association of Chief Police Officers
- BCS – The Chartered Institute for IT
- The Centre for the Protection of National Infrastructure
- Cloud Security Alliance
- Cyber Essentials Scheme
- Cyber Street
- Department for Business, Innovation & Skills
- Federal Office for Information Security (BSI)
- Federation of Small Businesses
- Get Safe Online
- The IASME Consortium
- The Information Commissioner’s Office
- International Association of Accountants Innovation & Technology Consultants
- Loss Prevention Certification Board
- National Fraud Authority
- The National Institute of Standards and Technology
- PCI Security Standards Council
- Public Services Network
- The SANS Institute
10 Steps to Cyber Security is a key component of the government’s Cyber security guidance for business. It offers advice on how to safeguard personal data, online services and intellectual property from cyber attacks. As well as an Executive Companion that discusses how cyber security is one of the biggest challenges for business and the UK economy, there are downloadable (PDF) advice sheets that provide detailed cyber security information in 10 critical areas, covering both technical and process/cultural issues. The advice sheets conveniently summarise each issue and provide practical advice about how to reduce potential risks.
The Association of Chief Police Officers (ACPO) brings together the expertise and experience of chief police officers from the UK, providing a professional forum to share ideas and best practice, co-ordinate resources and help deliver effective policing which keeps the public safe. ACPO publishes a Good Practice Guide for Digital Evidence not only to assist law enforcement, but also for all those that assist in investigating cyber security incidents and crime.
BCS, The Chartered Institute for IT, promotes social and economic progress through the advancement of information technology science and practice. Its Security Top Tips is a guide to key security issues and best practice guidance on how to address them. The content is organised under 10 generic headings, each containing a number of “security top tips”, which are periodically reviewed in the light of technological developments, reader comment, etc. In addition, there are areas that can assist, for example, system administrators of small businesses.
The Centre for the Protection of National Infrastructure (CPNI) is the UK government authority that provides protective security advice to businesses and other national infrastructure organizations. It covers physical security, personnel security and cyber security/information assurance. You can read CPNI’s cyber security advice for businesses. CPNI endorses the ‘Critical Controls for Cyber Defense’ managed by the SANS Institute. Some UK-centric advice about these controls is available on this CPNI page.
The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes the use of best practice for providing security assurance within cloud computing. It also provides education on the uses of cloud computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. It publishes many research papers on cloud security.
Cyber Essentials is a new UK Government-backed and industry supported scheme to guide businesses in protecting themselves against cyber threats. It was developed as part of the UK’s National Cyber Security Programme. It is run jointly by the Department for Business, Innovation and Skills and the Cabinet Office. The scheme, launched on 5 June 2014, enables organisations to gain one of two new Cyber Essentials badges. It is backed by industry and a number of insurance organisations which are offering incentives for businesses. From 1 October 2014, government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.
Cyber Street is a cross-government campaign, funded by the National Cyber Security Programme, and delivered in partnership with the private and voluntary sectors. The campaign is led by the Home Office, working closely with the Department for Business, Innovation and Skills and the Cabinet Office. It aims to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs). As well as amusingly presented straightforward advice, it links to detailed resources provided by its partners.
The Department for Business, Innovation & Skills (BIS) is the government department responsible for UK economic growth. It invests in skills and education to promote trade, boost innovation and help people to start and grow a business. BIS also protects consumers and reduces the impact of regulation. BIS has published an introductory booklet for small businesses on cyber security.
The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) is the agency responsible for managing computer and communication security for the German government. It publishes a number of information security standards, including the IT-Grundschutz Catalogue of security controls and an information security management standard BSI-Standard 100-1. The organization is unrelated to the British Standards Institution, although both use the BSI abbreviation.
The Federation of Small Businesses (FSB) is the UK's largest campaigning pressure group promoting and protecting the interests of the self-employed and owners of small firms. Formed in 1974, it has 200,000 members across 33 regions and 194 branches. The FSB regularly runs campaigns to support its members’ interests. The FSB has investigated the impact of cyber fraud on small businesses, publishing its findings in a downloadable report.
Get Safe Online aims to be the UK’s leading source of unbiased, factual and easy-to-understand information on online safety. It is a jointly funded initiative between government departments and private businesses. It is the government’s preferred online security advice channel. Get Safe Online offers lots of practical advice on how to protect your business and yourself from online threats. The site’s business section covers not only keeping safe online, but also information security, data protection and disposal of computers. Some pages in other sections (e.g. passwords) are just as helpful to SMEs as they are to individuals.
The IASME Consortium developed and now maintains the IASME (Information Assurance for Small and Medium Enterprises) standard, which is particularly applicable to smaller firms that need to demonstrate good information security to their clients. The UK government’s Technology Strategy Board funded its creation as an alternative to ISO/IEC 27001 for small businesses. Consequently, it is based upon ISO/IEC 27001, but it is intended to be more affordable and achievable for small firms. It enables suppliers within a chain to demonstrate their level of cyber security and ability to protect their customers’ information. Available either as a self-assessment or independently audited standard, IASME is an affordable way for small firms to prove they are following best practice.
The Information Commissioner’s Office (ICO) is a UK independent authority that was set up to uphold information rights, promote openness by public bodies and protect data privacy. It too has published a practical guide to IT security aimed specifically at small businesses. The ICO has also produced numerous booklets that deal with specific aspects of cyber security and some are listed on the ICO Security measures web page. In 2010 the ICO commissioned a review of advice on security for small and medium-sized enterprises (SMEs). This report provides an excellent introduction to SME cyber security problems and provides superb analysis of why ‘one-size-fits-all’ solutions do not work for all SMEs.
The Loss Prevention Certification Board (LPCB) has been working with industry and government for more than 100 years to set standards for physical security products and services. LPCB is part of BRE Global, a not-for-profit trust that was originally a UK government-funded body, the Buildings Research Establishment. The LPCB publishes a ‘Red Book’ of approved fire and security products that is used worldwide.
The National Fraud Authority (NFA) is an executive agency of the Home Office that works with wider government, law enforcement, industry and voluntary/charity sectors to coordinate the fight against fraud in the UK. The NFA runs the Action Fraud website, which acts as a central point of contact for information about fraud and financially motivated online crime. This website provides an easy way to report internet fraud and receive a police crime reference number for it.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce that is responsible for measurement standards. Its Computer Security Division provides standards and technology to protect information systems. All NIST documents are free to download from the NIST website. Details of all NIST cyber security publications are available from the Computer Security Resource Centre. NIST Special Publication SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is probably the most comprehensive free online source of security controls. Although aimed at US government departments, many aspects are international and relevant to SMEs.
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education and awareness of payment card industry (PCI) security standards, including the Data Security Standard (PCI DSS). Compliance with the PCI DSS is a requirement of all major card service providers. There are many PCI standards and supplementary documents (the full list is here).
The Public Services Network (PSN) is a UK government programme that aims to unify the provision of network infrastructure across the UK public sector into an interconnected “network of networks” to reduce the cost of communication services across government and enable new, joined-up and shared public services for the benefit of citizens. PSN has published online security standards for use by PSN customers, some of which address topics not covered by British or International Standards. They are free to download from the standards section of the public PSN website.
The SANS Institute is a cooperative research and education organization for information security training. Its programs now reach more than 165,000 security professionals around the world. SANS also makes available (at no cost) a large collection of information security research documents, including a large number of white papers written by SANS members that are relevant to SMEs. In particular, SANS publishes and regularly updates a list of twenty Critical Security Controls for Effective Cyber Defence.