What I've learned about cybersecurity

As CEO of enterprise software developer Rocketmakers, Richard Godfrey often helps clients with their digital security. Here’s what he likes to tell them…

Since starting up bespoke software agency Rocketmakers in 2007, Richard Godfrey has worked with hundreds of clients to build, scale and improve the digital side of their business. Operating across app, web and VR development for everyone from start-ups to scale-ups, Godfrey and his team are often brought into early-stage conversations around how to set up all the technical aspects of an SME, including its cybersecurity.

According to the Department of Science, Innovation and Technology, half of UK businesses reported experiencing some sort of cyber attack in the last year, risking data breaches and ransoms. The associated costs can run to the thousands.

When it comes to defence, technical good practice - strong passwords, antivirus scans, regular back-ups - is just the baseline. A stand-out cybersecurity posture involves more holistic thinking. Here are Godfrey’s top five insights…


There are some basics that are often overlooked

There are some vital “day zero” actions that businesses sometimes miss entirely, says Godfrey. First is implementing a “least permissions” principle for access to digital applications. Though it can be tempting for efficiency to give every employee access to every app, try to limit this to a by-need basis.

Second is to create a security checklist for leavers. “This is one of the most fundamental things to have,” says Godfrey, particularly for a new or growing business. This should include removing their access to key apps and redirecting their emails to a new address accessible to the business.

Finally, remember the physical side of security. For example, Rocketmakers issues blank key cards so if one gets lost, it’s not obvious what business it grants access to.

Cybersecurity needs to be cultural

“Making security part of the culture has to happen, for any size business, especially a start-up,” says Godfrey. This means weaving security into the mindset and behaviour of how everyone does their jobs - you don’t want them seeing it as ‘something for IT’, or considering it only as an afterthought when planning projects. Broadly speaking, this is because it’s much easier to prevent a cyber attack than it is to thwart one.

There are a number of ways to achieve this, from putting it in the company’s mission statement and ensuring senior leadership buy-in, to celebrating when team members spot phishing emails. But there’s one tactic Godfrey particularly likes. “Employers should do security drills, like they do fire drills,” he says. “Sitting down with the team and going through a real scenario of social engineering, or playing out a bit of a role play to show how a data breach could happen - it makes it real.”

Don’t assume off-the-shelf products are optimised for safety

While off-the-shelf products are extremely useful for businesses, they often are not configured in a way that is properly secure. “It’s a fairly common misconception,” says Godfrey. “But often the first port of call for us is to go in and have a look at how they are set up.” Problems can include databases sitting unsecured on the web or the vendor collecting user data without the business realising.

A professional consultant can help resolve these issues. Godfrey also recommends the National Cyber Security Centre as a resource. “It has a really nice knowledge base of documents geared around this stuff. If you want to brush up on best practice, that would be a really good place to start.”

Meeting official standards is good for business

Some new founders mistakenly believe that cybersecurity is a nice-to-have and that it’s down to them how they wish to approach it in practice. That’s not the case: there are official standards that tend to differ according to company size and revenue, and every passing year sees higher security requirements for certain kinds of business activities. “It’s a landscape that’s shifting all the time,” Godfrey says. “Businesses need to keep track of what they need to do.”

Some of these will be opt-in certifications, but they are becoming normalised. “One day, if businesses don’t meet these standards, they will fall significantly behind to the point where they can’t conduct business,” says Godfrey. This is particularly true in the public sector - if you bid for a government contract and you can’t demonstrate sufficient digital security, you are unlikely to succeed.

Keep track of “tech debt” and knowledge gaps

As companies grow, they often end up using more than one set of contractors to build their digital products. This can result in a knowledge gap as the software is handed over from one team to another. As those latter teams patch together fixes, find workarounds, or simply build on the old system inefficiently, it can introduce “tech debt”. These shortcuts often have to be untangled later to ensure performance or even maintain security.

“The problem is often not intentional,” says Godfrey. “It’s just that not everybody understands the whole system or the implications across the system.”

To avoid headaches down the line, work with a contractor who can demonstrate a through-line of work with companies across their entire growth journey. This will minimise the risk of having to switch halfway through. Also, keep track of how the architecture of your digital platform evolves: ask developers to keep detailed, accessible notes about changes and updates to your systems.

Ultimately, you simply need to trust whomever you ask to build your digital products for you. “Find some people who've been through all this many times before,” says Godfrey. “There’s no substitute for experience.”
