Continual improvement – can you do better?

Last month DSIT published their annual report on cyber security breaches affecting businesses and charities in the UK.

It’s good to see that most businesses and charities have cyber hygiene measures in place, and that this number has gone up since last year.


  • awareness of the information and guidance available from the NCSC, and other initiatives such as Cyber Essentials, has fallen, particularly among small businesses. This is counterbalanced by the findings that most businesses and charities have a broad range of cyber hygiene measures in place—such as malware protection and network firewalls.
  • only 22% of businesses have formal incident management plans in place, and—rather surprisingly—more charities than businesses would, for instance, keep an internal record of incidents, try to identify the source of the incident, or tell the directors or trustees of their organisation.
  • more charities than businesses would report incidents to external bodies such as the police, Action Fraud, or the NCSC—and more businesses than charities don’t know who to report to or think that reporting will make no difference.
  • and relatively few are reviewing the risks posed by their immediate suppliers and wider supply chain. Only 11% of businesses (of all sizes) think about the cyber risks presented by their immediate suppliers, and 6% think about the risks from their wider supply chain.

What does this mean for you?

You may already have cyber hygiene basics in place, but it’s worth checking the NCSC recommendations, and making small improvements in your cyber security where you can. It all helps.

  1. Take a look at the NCSC website for advice for small and medium-sized organisations. Start with the 10 Steps to Cyber Security and Cyber Aware pages if you are new to cyber security, and check whether you have basic cyber hygiene measures in place.
  2. Consider Cyber Essentials, too—even if you decide not to follow through, it’s worth considering the requirements as recommendations for your own business.
  3. Think about developing an incident response plan—and who you should notify if you experience an incident.
  4. And review at least your immediate supplier list to assess whether there is any cyber risk to your business (and then consider how you might mitigate that risk).

Need more help? The Click and Protect team can help with any of these tasks, and more. Contact us on 0113 733 6230, or via the contact form.