Cybersecurity
Cybersecurity can be defined as the practice of protecting systems from attacks - the technical and behavioural defences that protect computers, networks and digital data from people who want to misuse them. It overlaps heavily with information security as a whole, but cybersecurity tends to focus on the digital threats: phishing, malware, ransomware, hacking, denial-of-service attacks, supply chain compromise and the consequences when those threats succeed.
The threat picture has changed considerably over the last few years. Attacks that used to require technical skill are now offered as a service to anyone willing to pay, and AI-generated phishing emails have largely closed the gap that used to make them easy to spot. The result is that cybersecurity has stopped being a problem only for organisations that thought of themselves as targets - it now applies to every business that has a network, a website, an email address or a payroll system.
The CIA Triad and Cybersecurity Principles
The standard model for thinking about cybersecurity uses the CIA triad - confidentiality, integrity and availability. Confidentiality means information is only accessible to people who should have access. Integrity means information is accurate and has not been tampered with. Availability means authorised users can get to information when they need it. Most security incidents can be described as a failure of one or more of these three.
Working from the triad, the practical principles a business should aim to implement include identity and access management, threat intelligence, secure configuration of devices and software, ongoing patching, staff awareness, incident response planning, asset management and data backup. None of these stand alone - they reinforce each other, and gaps in one area tend to undermine the others.
Common Cybersecurity Threats
Phishing is by some distance the most common attack route into UK businesses, and it is also the usual starting point for the ransomware incidents that follow. The phishing email persuades a worker to click a link, enter credentials or open an attachment, and from there the attacker has a foothold. Phishing now extends to text messages (smishing), phone calls (vishing) and impersonation in messaging apps.
Malware is the umbrella term for software designed to damage, disrupt or extract information. Ransomware is the variant that has caused the most public harm, encrypting files and demanding payment for the key. Other categories include trojans, spyware, banking malware and worms. Most malware now arrives by email attachment, malicious link or compromised software update rather than through obvious downloads.
Other common threat categories include credential stuffing (using passwords leaked from one breach to try other systems), supply chain attacks (compromising a supplier to reach their customers), denial-of-service attacks against websites and services, and insider misuse - whether deliberate or accidental.
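Credential stuffing leaves a recognisable trace in authentication logs: one source address working through many different usernames in a short time, with most attempts failing and the occasional success where a reused password matched. The following detection is an added example written for this page, not code from the page's author or from any product it mentions. The log format, the sample lines and the thresholds (five distinct usernames within ten minutes, at least 70% failures) are constructed assumptions; real logs would need their own parser and thresholds tuned to normal traffic.

```python
"""Flag credential-stuffing patterns in a simplified authentication log.

Added example; the log format below is a constructed one:
    <ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>
Thresholds are illustrative assumptions, not recommended values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through six accounts with leaked
# passwords and lands one; 198.51.100.4 is one user mistyping twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol FAIL
2024-03-01T09:00:04 203.0.113.7 dave FAIL
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank SUCCESS
2024-03-01T09:05:00 198.51.100.4 alice FAIL
2024-03-01T09:05:10 198.51.100.4 alice FAIL
2024-03-01T09:05:20 198.51.100.4 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for source IPs that try many distinct usernames
    inside `window` with mostly failed attempts.

    The summary records how many accounts were tried and which ones
    succeeded, since those are the accounts that need a password reset
    and a check for MFA.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        # Sliding window: start at each event and look `window` ahead.
        for i in range(len(evs)):
            start = evs[i][0]
            window_evs = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in window_evs}
            fails = sum(1 for e in window_evs if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(window_evs) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window_evs),
                    "failures": fails,
                    "compromised_accounts": sorted(
                        {e[2] for e in window_evs if e[3] == "SUCCESS"}),
                }
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single legitimate user who fails twice and then succeeds is not flagged, because the rule keys on the number of distinct accounts rather than on failures alone. In production the same idea is usually applied per source ASN or per device fingerprint as well as per IP, since stuffing tools rotate addresses.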
Cybersecurity Controls That Work in Practice
The most effective set of cybersecurity controls for most small and medium-sized businesses is the combination of multi-factor authentication, kept-current software, and a workforce that has been trained to recognise phishing. None of these is technically complex, and together they prevent the overwhelming majority of opportunistic attacks.
Multi-factor authentication on email, banking, cloud services and any externally-accessible system makes a stolen password considerably less useful. Software patching - operating systems, applications, plugins, firmware on routers and other devices - closes the vulnerabilities that attackers scan for routinely. Anti-malware software running on every device adds another layer, and modern endpoint detection products will catch suspicious behaviour even where signatures do not match a known threat.
Backup is the control that limits the damage when other controls fail. A working backup, kept separate from the main system and tested periodically, is what turns a ransomware incident from a business-ending event into an inconvenience.
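"Tested periodically" means actually restoring the backup somewhere and checking that what comes back matches what went in, not just checking that the backup job reported success. The script below is an added example for this page, not code from the page's author: it builds a small archive with a SHA-256 manifest, restores it into a scratch directory and compares every file's hash, then repeats the check against a manifest that disagrees with the archive to show what a failed restore test looks like. The sample files and paths are constructed; a real job would point `create_backup` at the live data and keep the archive and manifest on separate media.

```python
"""Restore-test a backup: archive, restore to a scratch directory, verify hashes.

Added example. Sample files are constructed in a temporary directory so the
script runs offline; nothing here touches real data.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Map each file's path (relative, POSIX separators) to its SHA-256."""
    return {str(p.relative_to(source_dir)).replace("\\", "/"): sha256_of(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def create_backup(source_dir: Path, archive: Path) -> dict:
    """Write a gzipped tar of source_dir plus a JSON manifest next to it."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    (archive.parent / (archive.name + ".manifest.json")).write_text(
        json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a fresh directory and compare every file against the manifest."""
    report = {"missing": [], "mismatched": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as tmp:
        restore_dir = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where this Python supports it,
            # so a crafted archive cannot write outside restore_dir.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
        restored = build_manifest(restore_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                report["missing"].append(rel)
            elif restored[rel] != digest:
                report["mismatched"].append(rel)
        report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def run_restore_test():
    """Constructed end-to-end run. Returns (clean_report, failed_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "accounts" / "suppliers.csv").write_text("name,iban\nAcme,GB00TEST\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = create_backup(src, archive)

        clean = verify_restore(archive, manifest)

        # Simulate a file that changed or was corrupted after the manifest was
        # recorded: the archive no longer matches what we expect to get back.
        stale = dict(manifest)
        stale["notes.txt"] = "0" * 64
        failed = verify_restore(archive, stale)
    return clean, failed


if __name__ == "__main__":
    clean, failed = run_restore_test()
    print("clean restore ok:", clean["ok"])
    print("stale manifest ok:", failed["ok"], "mismatched:", failed["mismatched"])
```

The report distinguishes missing, mismatched and unexpected files because each points to a different failure: a missing file usually means an exclusion rule or a job that stopped early, a mismatch means corruption or a change between snapshot and manifest, and unexpected files mean the archive is not the one the manifest describes. Schedule this against the real archive on a machine that is not the backup server, and keep the report as the evidence an auditor will ask for.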
Cybersecurity Frameworks and Standards
For organisations that want a structured approach, the UK's National Cyber Security Centre publishes practical guidance aimed at businesses of every size, from a small business guide through to detailed frameworks for larger organisations and operators of critical services. Cyber Essentials is the NCSC's basic certification scheme and is increasingly required by central and local government contracts.
ISO 27001 is the international standard for information security management systems and includes cybersecurity within its scope. Certification is voluntary but is increasingly expected by larger customers. The standard works particularly well for organisations that need to demonstrate the management of cybersecurity to auditors, customers and regulators in a structured, documented way.
Cybersecurity sounds intimidating, but most of it is just doing the basics properly. Turn on multi-factor authentication. Keep your software up to date. Train your people to spot a dodgy email. Back up your data. Do those four things consistently and you have already cut out most of the risk - no jargon, no six-figure security vendor required. Then you can build from there with whatever else applies to what you actually do.
When I look at cybersecurity in an audit, the first question is whether the controls described in the policy are actually in place. It is common to see a cybersecurity policy that talks about multi-factor authentication, patching and endpoint protection as if they are universal, when in reality some systems have them and others have been quietly skipped because they are inconvenient.
The second question is what evidence exists that the controls are working - audit logs, patch reports, training records, phishing simulation results. A policy without evidence is the most common finding I write up in cybersecurity audits.
We had a near miss last year - a phishing email that mimicked one of our suppliers asking us to update bank details. Two people forwarded it on internally before someone flagged it. We now require a phone call to a known number for any change of supplier bank details.
Practical Compliance Guidance
The IMS1 manual covers cybersecurity within the wider information security management section. Cybersecurity is not separated out as its own discipline - it is the digital subset of the controls that protect the organisation's information overall.
The following alphaZ documents support a practical approach to cybersecurity.
| alphaZ document | How to use it |
|---|---|
| ISO 27001 Toolkit | Full document set for setting up an information security management system, covering cybersecurity policies, controls and the supporting registers. |
| P-114 Cyber Security Policy | Standalone cybersecurity policy covering principles, responsibilities and the main controls. Works alongside the broader information security policy. |
| PP-8-100 Information Security Policy Procedure | The master policy that sets out the operational controls referenced from the cybersecurity policy, including anti-malware, patching and access control. |
| ER15 Information Security Risks Register | Register of cybersecurity and wider information security risks, controls and ratings, with cross-references to the relevant Annex A controls. |
| A-C Cybersecurity Audit Checklist | Audit checklist used to verify that the cybersecurity controls described in the policy are operating as intended. |
| P-20 Information Security Policy | Top-level information security policy covering the wider commitments that cybersecurity controls support. |
Note - all the above files can be downloaded with an alphaZ subscription.
UK Legislation
The following UK legislation is directly relevant to cybersecurity. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.
- Computer Misuse Act 1990
- Data Protection Act 2018
- Network and Information Systems Regulations 2018
- Regulation of Investigatory Powers Act 2000
