Cyber Security & Risk Assessment FAQs

Cyber Security is nothing more than a subcategory of the larger Information & Data Protection and Cyber Security topic; it’s not new or novel. It is though; a symptom of today’s businesses suffering at the hands of cyber criminals.

Cyber Security has gained recognition purely because businesses are experiencing a commercial loss, and quite rightly so business managers have moved this topic up their agenda. You only have to look at the daily press to see yet another story of a business being hacked.

To put this into perspective, Cyber Security is becoming a problem for all businesses due to a perfect storm of events that singularly would not cause too much concern, together though they have created the current situation that has led to so many cyberattacks. This perfect storm of events has come about for three reasons:

1. Rapid and reliant IT evolution Businesses are relying on and trusting IT systems more than ever, and such systems are now considered a ’must have‘ as opposed to a ’good to have’. Ask yourself. Does your business use internet banking? Was it used five years ago? Would the business do without it now? Surprising how things can change so quickly! The doctrine of ‘productivity over security’ prevails as the business wants to make profits; the unintended consequences though, are opportunities for cyber criminals.
   
   
2. Interconnected world The traditional boundaries of a business tended to stop at its walls, and to some part its internet gateway, todays perimeters extend the business’ network into third parties, such as suppliers, business partners, and unmanaged devices of staff. These borderless networks create greater complexity, and complexity is an enemy of security! In this instance it is the ability to manage security across and into these new borderless realms of inter-connection.
   
   
3. Multiple threats The traditional and largely benign threat has been replaced with well-resourced internet based attacks that are motivated by either: fraud, espionage, or hacktivisim. They use multiple, in-depth, and skilful techniques to avoid detection and assure success, they do not seek the old style glory of notoriety; rather they prefer to be inconspicuous. As a result traditional security methods are not dealing with these new types of ingenious targeted threats. And conversely whereas before the access to cyberattack tools were limited to a clever few, their proliferation has meant just about any criminal can now become a cyber-criminal; the entry bar has all but dropped to anyone who wants to try.

This year alone saw a huge increase in cyberattacks, and those are just the reported attacks, many more remain undisclosed. For instance ‘Staysure’ a UK travel and medical insurance company, was hacked leading to 90,000 of their customer’s credit card details being stolen. This was a large reputable insurance company being hacked.

Is it safe to assume that small business are somehow immune to Cyber Security, that they are insulated from such attacks, and that it’s only a ’large company’ problem? This is not the case, a reason for the surge in Cyber Security is that small businesses have just as much to lose, and lack the defences of larger business, making them easy targets. For instance in 2013, Birkenhead based varnish producer AEV Ltd lost £100,000 when their banking codes were stolen.

A similar loss was experienced by a small bakery ‘Truffles Bakery’ losing some £20,000. These are just a couple of examples of seemingly low profile, small businesses that never thought they would be worth targeting by cyber criminals, discovering the hard way that anyone with an online business account is a target! Another misnomer is that the banks will cover cyber attack losses. The businesses used in these examples had banks that were sympathetic to their loss, but were not able to refund all of the money stolen.

Banks have also had a bad time of late; with both Santander and Barclays being subject to highly developed attacks. Outlying branches were targeted with a bogus telephone engineer tricking their way past reception staff to install equipment on PC’s, that in turn allowed the attackers to remotely control and access the banks finance system, in Barclays case over £1.3 million was lost.

To ensure the UK economy is as robust as possible, the UK Government over the last few years has been pushing ahead with initiatives to educate business and commerce about the risks from cyber criminals.

The latest initiative is called ‘Cyber Essentials’, and the goal is to lay down key controls that if adopted would place an organisation in a position of resilience to the majority of typical attacks. The previous initiative to the UK Governments’Cyber Essentials’ was termed ’10 step to Cyber Security’, and consisted of the following 10 suggested controls:

1. Information management regime
2. Network security
3. Secure configuration
4. Manage user privileges
5. End user awareness
6. Incident management
7. Malware protection
8. Monitoring
9. Removable media
10. Home and mobile working

The most recent initiative ’Cyber Essentials’ has mandated the following 5 controls:

1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

And lastly the SANS (System Administration, Networking, and Security) Institute, is an organisation that is dedicated to system and information security. They are highly regarded and respected specialists who have published the following top 20 controls, we think of them as the best practises for cyber security and management:

1. Inventory of authorised and unauthorised devices
2. Inventory of authorised and unauthorised software
3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
4. Continuous vulnerability assessment and remediation
5. Malware defences
6. Application software security
7. Wireless access control
8. Data recovery capability
9. Security skills assessment and appropriate training to fill gaps
10. Secure configurations for network devices such as firewalls, routers, and switches
11. Limitation and control of network ports, protocols, and services
12. Controlled use of administrative privileges
13. Boundary defence
14. Maintenance, monitoring, and analysis of audit logs
15. Controlled access based on ‘need to know’
16. Account monitoring and control
17. Data protection
18. Incident response and management
19. Secure network engineering
20. Penetration tests and red team exercises

Critical Security Controls information can be found on the SANS wesbite.

The three lists above have an obvious overlap, the SANS have the most in-depth and rigorous requirements, and the Cyber Essentials that has the least. You may be wondering why the Cyber Essentials has the least, yet is the most recent? This is due to the UK Government wanting to promote the wider adoption of cyber security, and deliberately lowering the entry bar to promote take-up. The possibility and likelihood is that over time, the 5 controls will grow and expand to strengthen the protection it affords. Right now the entry requirements have been designed to deal with the most common type of attacks (but not all!), and to make the entry level as simple as possible.

The existing laws governing IT Security reside with the Data Protection Act (DPA) and the Computer Misuse Act (CMA). The CMA is the law used to prosecute hackers and virus writers. Whereas the DPA is the law that describe how businesses and organisations should treat and control information relating to individuals within the EU. The DPA is an interpretation of the EU Data Protection Regulation, each member state making their own native parochial interpretation; the revised law will be a ‘regulation’ rather than a ‘directive’. As such the implementation will be common to all, with more stringent requirements and penalties.
Key summary of change:

• Disclosure - the requirement to formally advise the authorities where a data breach occurs.
• Staff – the need to have a data protection officer.
• Fines – up to 100 million Euros or 5% of annual turnover (whichever is greater).
• Due to be implemented 2016, with various readings, and likely amendments.

The easiest way to measure your cyber resilience is to do a Cyber Risk Assessment such as CyberV, which includes a review and analysis against the top advocated controls and good practises that make for a robust cyber security. These controls are based on what the SANs institute recommend along with suggestions made by the UK Government for critical national cyber security. The CyberV service focuses on key areas of cyber security addressed collectively to deliver a report that is bespoke to your organisation. This encompasses a prioritised report of risks, an interactive workshop, and review of the following cyber topics:

1. Leadership and governance
   
   
2. Assessment against industry best practises and doctrines.
   
   
3. Threat intelligence and cyber visibility.
   
   
4. Cyber protection and response.
   

Systems and host platforms are the typical targets for cyber attacks. It is via the penetration of these, that cyber threats succeed. The solution is a service designed to measure and report on the strength of a systems configuration, and its ability to resist an attack. Typically suited to high risk (public facing) or high value (key assets) systems or platforms, where a tangible objective security measurement is needed, either to:

1. Confirm that existing controls are implemented and operational, as per prescribed policies.
2. Identify security improvements to host systems.

Identifying how sensitive information is being passed, stored, and distributed are the first steps to evaluating your risk to a data breach. We would suggest an ’Information Risk Audit’ (IRA) which assists in equating the actual risk of an accidental or malicious disclosure.

This service is designed for organisations that are concerned about data leakage and those that have anxieties concerning information being disclosed by unauthorised parties. Most organisations will have information that is deemed to be confidential, privileged, and of high value; where if it were to fall into the wrong hands the consequences would include:

• Embarrassment and loss of professional standing.
• Loss of customer confidence and business.
• Regulatory and compliance penalties.
• Competitor advantage and intellectual property loss.

The service is specifically tailored to the exact needs of the organisation, with a focus on data loss across access points on the network that are unmanaged or uncontrolled, along with the internal data governance policies that mandate access, retention, and duplication.