The Cyber Security Journey – Growth Phase

Nov 5, 2024 | Cyber Security

From start up to large organisation – Mapping the cyber security maturation journey

An imagined case study in four parts that follows the cyber security evolution of an organisation over seven-plus years as it matures from a start-up to a large organisation.

Two friends, Hazel Nutt and Patti Cake, shared a love of baking and in 2018 decided to set up a small patisserie business called Essential Cookies.

They began their journey by baking custom cakes, biscuits and pastries from a small commercial kitchen in their hometown of Bakeitwell. Initially, their focus was on delivering high-quality, handmade products to local customers through in-person orders and a simple website displaying their offerings.

This is the second part of a fictional case study that charts the cyber security journey of ‘Essential Cookies’ from micro patisserie to established dessert supplier using all the NCSC schemes as milestones.

Part Two – Growth Phase: 2022-24

As their reputation for delicious cakes started to grow, so did their business. Hazel and Patti expanded their operations and opened additional locations. They created several social media accounts to grow a following and market their products, and launched an e-commerce platform which allowed their customers to place orders online. They started to use cloud services for inventory management and for storing customer data, including names, addresses and payment information.

With this growth came new challenges, and further steps were needed to protect their business and their customers from online threats.

What were their cyber security challenges?

  • Increased attack surface: A more complicated IT infrastructure (cloud services, social media accounts and an e-commerce platform) meant more accounts, more internet-facing services and more places an attacker could get in.

  • Data protection: Processing and storing customer data, including payment details, brought legal and ethical responsibility for privacy and data protection.

  • Ransomware threat: With more data being stored digitally, and the business increasingly dependent on it, the impact of a ransomware attack was far greater.

What steps did they take to be more cyber secure?

Engagement with a managed service provider (MSP): As their IT infrastructure expanded, Hazel and Patti decided to outsource the management of their IT to qualified professionals. Using a managed service provider (MSP) meant that their technology was set up and looked after by knowledgeable and experienced IT experts, leaving Hazel and Patti more time to innovate and bake.

Cyber security made a business priority: Although they had delegated their IT support to a third party, Hazel and Patti were made aware that the responsibility for their company’s cyber security still lay with them. They decided to use the ‘Cyber Essentials guide to working with a third-party IT provider’, a free resource available from IASME. By giving its comprehensive list of questions to their MSP, they could check that their IT infrastructure met the minimum cyber security requirements.

Engagement with a Cyber Advisor: Now that the organisation and its operations were more technically complicated, there was a higher risk of damage to the business from a potential cyber attack, and Hazel and Patti recognised they needed some expert help. They engaged the services of a Cyber Advisor assured by the National Cyber Security Centre. Cyber Advisors adhere to a specific code of conduct and have been assessed on their ability to understand and effectively communicate with small organisations, providing appropriate and practical cyber security support.

The Advisor recommended that Essential Cookies implement the Cyber Essentials core controls and was able to help them achieve this. (There is evidence to show that the technical controls of the Cyber Essentials scheme mitigate the majority of high-volume, low-skill attacks perpetrated through the internet; by achieving this baseline level of cyber security they could close the gaps that most cyber attacks rely on.)

Achieved Cyber Essentials certification: Cyber Essentials certification signalled to the customers of Essential Cookies that they had good cyber security in place and could be trusted with their data and business.

Improved cyber resilience: In addition to the five controls of Cyber Essentials (firewalls, secure configuration, user access control, malware protection and security update management), their MSP and Cyber Advisor helped them implement the following measures:

  • Regularly backing up their website and organisational data so they could recover quickly in case of a ransomware attack, keeping at least one copy offline or otherwise out of reach of an attacker who has compromised the live systems, and periodically testing that the backups actually restore.

  • Creating an incident response plan outlining the steps to take in case of a cyber security incident, including communication protocols with partners and customers.

  • Rehearsing and reviewing their cyber incident response plan. They started by using the free NCSC tool ‘Exercise in a Box’ to conduct tabletop exercises to simulate various cyber attack scenarios.
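The backup point above is where small businesses most often get caught out: a backup that sits on the same network share as the live data gets encrypted alongside it, and a backup that has never been restored is an assumption, not a control. The script below is an added example, not part of the original article and not a tool from IASME, the NCSC or any MSP. It takes a backup of a directory, records a SHA-256 checksum beside the archive, restores the archive into a scratch directory and compares the result with the source, so the job only reports success once the restore has been proven. It assumes a Unix shell with GNU coreutils (`sha256sum`) and `tar`; all paths, function names and sample data are made up for the example.

```shell
#!/bin/sh
# Added example (not from the page, IASME or the NCSC): take a backup of a directory,
# record a checksum for it, and prove that it restores before trusting it.
# Assumes GNU coreutils (sha256sum) and tar; all paths and sample data are made up.

# backup_and_verify SRC_DIR DEST_DIR
# Writes DEST_DIR/backup-<utc timestamp>.tar.gz and a .sha256 beside it, restores
# the archive into a scratch directory and compares it with SRC_DIR.
# Returns 0 only when the checksum verifies and the restore matches byte for byte.
backup_and_verify() {
    src="$1"; dest="$2"
    name="backup-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    mkdir -p "$dest" || return 1

    # -C so the archive holds relative paths and can be restored anywhere.
    tar -czf "$dest/$name" -C "$src" . || return 1

    # Checksum written next to the archive; a truncated or encrypted archive
    # will no longer match it.
    (cd "$dest" && sha256sum "$name" > "$name.sha256") || return 1
    check_archive "$dest" "$name" || return 1

    # A backup is only a backup once a restore has been shown to work.
    scratch=$(mktemp -d) || return 1
    if tar -xzf "$dest/$name" -C "$scratch" && diff -r "$src" "$scratch" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# check_archive DEST_DIR NAME: re-verify an archive against its recorded checksum.
check_archive() {
    (cd "$1" && sha256sum -c --status "$2.sha256")
}

# demo_backup: constructed sample data, backed up and verified end to end.
demo_backup() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/orders"
    printf 'order 1001: 2 x lemon drizzle, collect Friday\n' > "$work/data/orders/1001.txt"
    printf 'flour 40kg\nbutter 12kg\n' > "$work/data/inventory.txt"
    if backup_and_verify "$work/data" "$work/backups"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# demo_tamper_detected: after the archive is altered (as ransomware encrypting a
# reachable backup share would), the recorded checksum must no longer verify.
# Returns 0 when the tampering is detected.
demo_tamper_detected() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data"
    printf 'recipe: secret\n' > "$work/data/recipe.txt"
    backup_and_verify "$work/data" "$work/backups" || { rm -rf "$work"; return 1; }
    name=$(ls "$work/backups" | grep '\.tar\.gz$' | head -n 1)
    printf 'garbage' >> "$work/backups/$name"
    if check_archive "$work/backups" "$name"; then rc=1; else rc=0; fi
    rm -rf "$work"
    return $rc
}

# Run both checks when the script is executed directly.
demo_backup && demo_tamper_detected && echo "backup restored cleanly and tampering was detected"
```

The checksum only proves the archive is the one that was written; to stop ransomware reaching it at all, the `.tar.gz` and its `.sha256` still need to be copied somewhere the production accounts cannot write to (removable media, a separate cloud bucket with write-once retention, or a provider's immutable backup tier). Scheduling `backup_and_verify` from cron and alerting on a non-zero exit turns the restore test into a routine check rather than something done once.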

How did these steps help?

Achieving Cyber Essentials certification acted as a useful checklist for Essential Cookies and helped reassure them they had not overlooked anything; they also found the process highly educational, enabling them to apply their new knowledge to their computers and digital services at home.