In the first instalment of our new Spotlight series, we talk to James Borkoles of 3B Data Security about how easy - and affordable - it is for SMEs to boost their cyber resilience.
Q: Hi James. Before we discuss the cyber threat landscape, tell us a bit about 3B Data Security.
We're a company that was founded by our CEO Benn Morris in 2016. Today, we’ve got a HQ in Cambridge and then we’ve got staff all over the country, particularly in the Midlands. We have carefully built a team of experts with extensive knowledge of cyber-security.
We specialise in PCI (Payment Card Industry) - helping companies comply with data security standards and conducting investigations if their data systems become compromised in any way. We’re one of 22 companies globally who are licensed by the PCI Security Standards Council to conduct PCI Forensic Investigations.
We also do a lot of incident response work with clients, irrespective of whether that’s payment card systems or other systems. We provide expert and specialist technical staff that help organisations identify, contain, eradicate and deal with any data breaches or intrusions.
We’ve then got hundreds of other services – things like Cyber Essentials, ISO 27001 implementation and auditing. We also provide a whole range of software solutions such as threat-hunting solutions, next-gen antivirus perimeter security and so on.
Q: You also monitor the dark web. What can you tell us about that?
That's right. Instead of just looking at security on a computer network, we look at the chatter that's going on in dark web forums and marketplaces. We do this to predict whether any of our clients are likely to be attacked, either because of the technology they are using or the company specifically because their IP address is being discussed.
Q: What can you tell us about your client base?
We’ve got clients all across the UK and overseas from many European countries, both within and outside the EU, the Middle East and North Africa – that's our primary stomping ground. Our furthest away client is based in the Philippines. As well as SMEs, we also work with some multinationals, including some very large retailers.
Perhaps the main thing about our clients is that they value our focus – we always focus on getting the best security result. For example, we might be engaged to conduct a PCI Report on Compliance, and our consultants will go above and beyond that to provide the best security advice and suggestions that they can – and this from highly experienced Qualified Security Assessors.
Q: 3B Data Security helps businesses get certified to Cyber Essentials / Cyber Essentials Plus. What is Cyber Essentials and how affordable is it?
Cyber Essentials is a Government-recommended programme to help organisations protect themselves against cyber criminals. By following some straightforward, routine advice, they will prevent the vast majority of cyber attacks.
No-one is ever going to be 100% secure, but if you’re harder to crack than anyone else, you’re going to be a less attractive target than others. Cyber criminals target the easy pickings. They want to get in and get out fast and go for the easiest pickings – the “low hanging fruit” if you will.
If businesses focus on just a few simple areas, they’re going to be holding themselves sufficiently. Everybody should do that – you can achieve a lot without a massive investment or technical knowledge to be more secure.
Q: How affordable is Cyber Essentials?
The real message here is that the basic Cyber Essentials assessment is easily accessible and affordable for even the smallest business (the assessment is only £300) and can be done very quickly. That certification then lasts 12 months. Organisations might have some work to do to pass the assessment, but there is plenty of free advice available, for example from the National Cyber Security Centre or the East Midlands Cyber Resilience Centre; and clearly our company and those like us can offer additional support at a cost.
The benefits of taking steps to become Cyber Essentials certified include being more secure, but there are also commercial benefits. The certification can help you land contracts, as businesses and organisations want a secure supply chain so you are a more trustworthy partner.
Q: How important is it that companies get cyber security right?
Absolutely 100% essential. If you’re a company with a warehouse, you put a good alarm in and invest in decent locks. Cyber security is no different.
For example, for a lot of companies, intellectual property is their business. If somebody gets into their systems and steals intellectual property and farms it out to somebody else who can replicate it, their business will suffer enormously.
You’ve then got all the compliance and regulatory issues, but they’re almost secondary. The be-all and end-all is to keep your business, customer and employee information secure.
Perhaps the biggest impact for many businesses of suffering a data breach is that you must tell your customers, and then you have to go out of your way to win those customers back. Their trust in your company and systems you use will have taken a knock. This proves to be a big challenge for many companies – the statistics are quite revealing as a high percentage of businesses never manage to recover.
Q: Who’s at greater risk? Larger corporations as there’s more for cyber criminals to gain? Or smaller businesses because they might be considered as easier targets?
We’ve got 20 investigators who every single day of the week investigate data breaches. The vast majority are SMEs. For cyber-criminals, they’re the easiest targets to generate money from.
There are two trends at the moment that make SMEs particularly attractive to cyber criminals. One, SMEs have less budget and less awareness about cyber security. Two, more and more supply chains are fully integrated. So if your company has access to a supply portal for example for a Co-Op, a Tesco or a Sainsbury’s, you can be used as an entry point into those organisations’ systems. That is a big trend at the moment. We’re seeing hundreds of these kinds of attacks in the UK alone.
In response to that trend, what you’ll see is large organisations insisting on better supply chain risk management. So for SMEs, yes Cyber Essentials is a cost – but it’s also an investment because it’s an opportunity to demonstrate to your customers how secure you are.
Q: How concerned should business owners be about cyber crime?
The reality is it could finish your business. But fear is the wrong reaction. Leave fear to people who want to wring their hands and do nothing about it. Instead of being fearful, just sit down and have a long, hard look at what you can do – because there’s a lot you can do with either no budget or a very limited budget. You just need a bit of discipline, consistency and perhaps some guidance. There’s plenty of free advice out there, not least from the National Cyber Security Centre.