What do potential new cyber security laws mean for SMEs?


Here at Techsolve we’re big advocates of the importance of taking cyber security threats seriously and the role outsourced IT support can play in improving the cyber defences of London’s small businesses. We’ve written about the subject here and here and it’s not a topic that’s going to disappear anytime soon.


Hardly a day goes by without new statistics and data being released in the media, or news of someone’s cyber misfortune.


This week (at the time of writing) we’ve had the Foreign Office struggling with “a serious cyber security incident”, new data from Microsoft showing a 1,070 percent increase in ransomware attacks year-over-year between July 2020 and June 2021 and a poll of 1,500 business decision-makers by security company Kaspersky revealing that more than four in five (82 percent) UK businesses have fallen victim to a cyberattack in the last twelve months.


So when we heard the government had announced a consultation on new laws proposed to strengthen the UK’s resilience to cyber attack, we had to applaud the fact that proactive action was being taken to try to address what has become an ever-growing problem for businesses of all shapes and sizes.


The gist of the government’s argument is that new laws are needed to drive up standards in the outsourced IT services that many businesses use as part of their cyber defence. They’re also looking to improve the way organisations report cyber security incidents and to reform legislation so that it is more flexible and can react to the speed of technological change.


Part of this consultation is also about giving the UK Cyber Security Council, which regulates the cyber security profession, more powers to raise the bar and create a set of agreed qualifications and certifications so those working in cyber security can prove they are properly equipped to protect businesses online.


Let’s pick apart what this means for small business owners:


  • Driving up standards in outsourced IT services — on a surface level of course this is a no-brainer. While Techsolve is firmly in the outsourced IT space we’ll be the first to admit that the industry isn’t perfect. Some of our industry peers can certainly be described as a bit ‘shonky’, and we’ve talked before about the cycle of disappointment many small businesses get caught in working with IT managed service providers (MSPs). Driving up standards and making MSPs more accountable is undoubtedly a good thing.


As a user of outsourced services this legislation will mean you can feel more confident that you’re not getting taken for a ride.


But the danger, when it’s applied specifically to cyber security, is the suggestion that MSPs could become solely responsible for their clients’ cyber defences. We don’t think that’s right, and MSPs risk becoming the scapegoat when someone needs to get clobbered.


Anyone involved in cyber security will tell you there are no cast-iron certainties. You can’t ‘do this thing’ or ‘install this software’ and be 100% secure. For every solid defence there are malicious actors trying to find the next weakness. Cyber security is an ongoing process of incremental improvement. Doing it well means staying on top of the obvious threats and doing whatever you can to stay one step ahead of the attackers.


Our view is that increasing MSPs’ accountability is a positive thing, but there must remain some shared risk with the customer.


  • Improving reporting of cyber security incidents — this one seems to be more geared towards bigger businesses. It doesn’t appear to involve any additional obligations for you as a small business owner.


  • Better qualifications and professional standards — again this is another no-brainer. At the moment it’s a bit too easy to call yourself a cyber security expert without actually having the experience or evidence to back that claim up.


The government’s proposals would give the UK Cyber Security Council the ability to define and recognise cyber job titles and link them to existing qualifications and certifications. People would have to meet competency standards set by the council before they could use specific job titles in cyber security. The proposals also include the creation of a Register of Practitioners, similar to what exists in the medical and legal professions.


Ultimately the new laws will make it easier for you to know that when you outsource work to a cyber security professional they’re actually ‘suitably qualified’ to do the job.


The subtext to these recent developments is that every UK organisation must take its cyber resilience seriously. It is not an optional extra for small businesses.


We’ll be watching the government’s consultation with interest and in the meantime will continue to do everything we can to make sure the services, skills and tools Techsolve provide are at the forefront of today’s best practice.