'Cyber attacks are getting closer to home - SMEs are starting to listen'

In the second instalment of our new Spotlight series, we talk to TecSec Services MD Morton Bell about the growing uptake of cyber security measures.

Morton Bell is managing director of TecSec Services, an approved Cyber Essentials and Cyber Essentials Plus approved as Cyber Essentials Plus certification body.

Q: Hello Morton, nice to meet you. First, tell us a little bit about TecSec Services.

We’re a Sheffield-based IT & Risk Management specialist that has been providing Cyber Security, Disaster Recovery and Business Continuity solutions to clients nationwide since our inception in 2006. 

We provide these services to a wide range of clients, with particular expertise in serving highly regulated industries. We implement technical controls, governance and training that mitigate risks, and provide independent auditing to prove that our clients understand those risks.

Our risk management consultants have achieved Cyber Essentials, IASME Gold and we are now an IASME certification body. Today, we promote Cyber Essentials and IASME to anyone who will listen to us.

Q: Small businesses are often accused of burying their heads in the sand over cyber security. How difficult is it to get businesses to embrace accreditation schemes such as Cyber Essentials and IASME? 

It is getting easier. There’s certainly been more receptiveness towards it over the past three years. Most people I talk to personally know a business that has experienced a serious cyber attack and suffered data losses etc. When it’s a bit closer to home, people take it a bit more seriously. As a result, we’re finding the take-up of Cyber Essentials is better nowadays. That’s obviously a good thing as Cyber Essentials will protect you against 80% of major cyber attacks. 

Q: Businesses are often encouraged to implement a cyber security strategy. Is it fair to say Cyber Essentials is the minimum they should do?

Cyber Essentials is certainly a good start. It gets you looking at your IT security and your practices and procedures as a business. Once you start looking at those and realise how vulnerable you are, you start to consider what else you can do to protect your business. From there, businesses will start listening to recommendations. They might not put all of them in place but at the very least they’re much more receptive to hearing about it. 

Q: Cyber Essentials will boost a company’s cyber resilience. Are there any other reasons why businesses should consider getting the qualification?

Yes, it can also help them land new contracts. We sat with a manufacturing company last week and they weren’t aware of Cyber Essentials. We know the marketplace they work in and advised them they will have to have it, which is absolutely true. They sell into the Ministry of Defence and into overseas governments – there's no way they can do that going forward without these qualifications, because it’s a minimum standard these days.

Q: A typical Cyber Essentials package costs £300+VAT per year. What would you say to business owners who are reluctant to incur those costs, given the current economic climate?

If Cyber Essentials protects you from 80% of known cyber attacks – malwares and things out there that are likely to trip you up – then, as a director of a company, you’d be found wanting if you’d decided not to do it. In its raw format, Cyber Essentials costs £300. A company would spend that on a cleaner. My advice to a business that doesn’t want to pay for Cyber Essentials would be to not have the office cleaned for a week - and then put the money saved towards Cyber Essentials. You can live with a dirty office for a week but you can’t live without your data. 

Q: How does a business become accredited to Cyber Essentials? Is it a lengthy process?

Cyber Essentials is actually a very simple thing to put in place. The changes businesses need to put in place are usually minor and do not cost anything to implement. Understanding it is really where people struggle a bit, which is where we come into the process.

Our approach is to send a form of about 10 questions for the business to complete. Those questions are all quite straight-forward to answer. We’ll have a look at that and then have a conversation with them about what they need to do. The business can then choose whether to complete the process themselves or have their hand held a bit by us. 

Most businesses will have a good go themselves. If they’ve got some knowledge about IT, it’s a relatively quick process. But if they are completely new to cyber security, we’re able to guide them along for a small uplift in the fee. 

Q: You mentioned a lot of businesses only need to make minor changes to become Cyber Essentials accredited. What’s an example?

One example is changing passwords. A lot of SMEs will get a router, put it in, it works and they walk away. They won’t have changed the password on it. They probably don’t have a password policy or keep a record of who has what in their business. It’s just about putting in the very basic level of good practice.

Q: According to the Government’s Cyber Security Breaches Survey, 46% of businesses identified cyber security breaches or attacks in the past 12 months. What kind of attacks have your clients experienced?

One of our recent clients was hit by ransomware during the early stages of the Covid-19 pandemic. The client has RDP (remote desktop protocol). They were running RDP without much knowledge about it or how it works. They had given their staff the ability to connect into their network using that RDP technology, but they hadn’t set it up in a secure manner.

We suspect they were hit by a brute force attack. These are programs running on servers all around the world that just bombard IT systems with passwords until eventually they get through. That can take a matter of minutes to achieve.

For our client, it shut their business for a whole week and they’ve had an enormous amount of expense to catch up. That’s why businesses should seek to gain qualifications such as Cyber Essentials. It's cheaper to prevent a cyber attack than it is to fix the damage of one actually occurring. 

*TecSec Services are a Trusted Partner for the East Midlands Cyber Resilience Centre. To learn how they can support your business with Cyber Essentials, click here.


READ MORE: NCSC defends UK from record number of cyber attacks


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.