The Cyber Security Journey – Early Years

Nov 5, 2024 | Cyber Security

From start-up to large organisation – Mapping the cyber security maturation journey

An imagined case study in four parts that follows the cyber security evolution of an organisation over more than seven years as it matures from a start-up to a large organisation.

Two friends, Hazel Nutt and Patti Cake, shared a love of baking and, in 2018, decided to set up a small patisserie business called Essential Cookies.

They began their journey by baking custom cakes, biscuits and pastries from a small commercial kitchen in their hometown of Bakeitwell. Initially, their focus was on delivering high-quality, handmade products to local customers through in-person orders and a simple website displaying their offerings. 

This is the first part of a fictional case study that charts the cyber security journey of ‘Essential Cookies’ from micro patisserie to established dessert supplier using all the NCSC schemes as milestones.

Part One – Early Years: 2018-2022

In its early years, Essential Cookies had a minimal digital presence. Their website was basic and functioned primarily as an online portfolio. They accepted orders through email and phone, and all payments were handled in person or through bank transfers.

What were their cyber security challenges?

  • Minimal cyber security: Their IT infrastructure was basic (consisting of one laptop, two mobile phones and a simple website), and only minimal cyber security measures were in place.

  • Lack of cyber security awareness: Hazel and Patti lacked awareness of cyber security threats and mistakenly believed that their business was too small to be attacked. 

What steps did they take to be more cyber secure?

Cyber Essentials Readiness Tool: Hazel and Patti used the free online Cyber Essentials Readiness Tool, a set of interactive questions designed to help organisations understand their cyber security. They found the information was written in clear, non-technical language, which helped them to work out which important technical controls they needed to put in place to help protect their business. After following the Readiness Tool process, they got an action plan listing the measures they needed to take; this included links to relevant guidance.

Hazel and Patti worked through the action plan and implemented the following measures:

  • Firewalls: They enabled a firewall on their company network and on the laptop.

  • Strong passwords with multi-factor authentication enabled: Hazel and Patti started using three random words as passwords for their email and website accounts. The three random words were over 12 characters long, but were easy to remember too. As well as the unique password, they set up multi-factor authentication, which provides another level of security by sending a one-time code via text message.

  • Remove unused accounts and software: They deleted guest accounts on their laptop and removed apps and features they were not using on their smartphones to reduce the potential openings for cyber criminals to find a way into their network.

  • Account separation: Hazel and Patti created separate user accounts to use for their day-to-day work on the computer. This action reduced the security risk of working from an admin account. For example, if an attacker had breached their account, the attacker would get the same privileges as the compromised account. If this was an admin account, the attacker would be able to install malicious software, delete files and access sensitive data.

  • Enable automatic updates: This meant all devices and software were automatically kept up to date with the latest security fixes.

  • Anti-malware software: Hazel and Patti used a Windows computer which had the malware protection software, Defender, already installed. This protected their device from malware and scanned web pages to prevent access to known malicious websites.

How did these steps help?

Hazel and Patti understood that their start-up business had a few security gaps, but the changes needed were relatively simple and free of charge, and they could improve the security themselves using the guidance.