Cyber threats arise in many scenarios, each raising questions about the best defence, the best response, and the best way to manage Cyber Security.
Cyber Security is nothing more than a subcategory of the larger Information Protection and Cyber Defence topic; it is not new or novel. It is, though, a symptom of today's businesses suffering at the hands of cyber criminals.
Cyber Security has gained recognition purely because businesses are experiencing commercial losses, and quite rightly business managers have moved the topic up their agenda. You only have to look at the daily press to see yet another story of a business being hacked.
To put this into perspective, Cyber Security is becoming a problem for all businesses because of a perfect storm of events which individually would not cause too much concern, but which together have created the current situation and led to so many cyber attacks. This perfect storm has come about for three reasons:
This year alone saw a huge increase in cyber attacks, and those are just the reported attacks; many more remain undisclosed. For instance 'Staysure', a UK travel and medical insurance company, was hacked, leading to 90,000 of their customers' credit card details being stolen. This was a large, reputable insurance company being hacked.
Is it safe to assume that small businesses are somehow immune to cyber attacks, that they are insulated from them, and that it is only a 'large company' problem? This is not the case. One reason for the surge in cyber attacks is that small businesses have just as much to lose and lack the defences of larger businesses, making them easy targets. For instance, in 2013 Birkenhead-based varnish producer AEV Ltd lost £100,000 when their banking codes were stolen.
A similar loss was experienced by a small bakery, 'Truffles Bakery', losing some £20,000. These are just a couple of examples of seemingly low-profile small businesses that never thought they would be worth targeting by cyber criminals, discovering the hard way that anyone with an online business account is a target! Another misconception is that the banks will cover cyber attack losses. The businesses in these examples had banks that were sympathetic to their loss, but which were not able to refund all of the money stolen.
Banks have also had a bad time of late, with both Santander and Barclays being subject to highly developed attacks. Outlying branches were targeted by a bogus telephone engineer who tricked his way past reception staff to install equipment on PCs; this in turn allowed the attackers to remotely control and access the bank's finance system. In Barclays' case over £1.3 million was lost.
To ensure the UK economy is as robust as possible, the UK Government has over the last few years been pushing ahead with initiatives to educate business and commerce about the risks from cyber criminals.
The latest initiative is called 'Cyber Essentials', and its goal is to lay down key controls that, if adopted, would place an organisation in a position of resilience against the majority of typical attacks. The previous initiative, before the UK Government's 'Cyber Essentials', was termed '10 Steps to Cyber Security' and consisted of the following 10 suggested controls:
The most recent initiative, 'Cyber Essentials', mandates the following 5 controls:
And lastly, the SANS (System Administration, Networking, and Security) Institute is an organisation dedicated to system and information security. They are highly regarded and respected specialists who have published the following top 20 controls, which we think of as the best practices for cyber defence and management:
Critical Security Controls information can be found on the SANS website.
The three lists above have an obvious overlap: SANS has the most in-depth and rigorous requirements, and Cyber Essentials the least. You may be wondering why Cyber Essentials has the least, yet is the most recent. This is because the UK Government wants to promote the wider adoption of cyber defence and has deliberately lowered the entry bar to promote take-up. The likelihood is that over time the 5 controls will grow and expand to strengthen the protection they afford. Right now the entry requirements have been designed to deal with the most common types of attack (but not all!) and to make the entry level as simple as possible.
The existing laws governing IT Security are the Data Protection Act (DPA) and the Computer Misuse Act (CMA). The CMA is the law used to prosecute hackers and virus writers, whereas the DPA is the law that describes how businesses and organisations should treat and control information relating to individuals within the EU. The DPA is the UK's interpretation of the EU Data Protection Directive, each member state having made its own native, parochial interpretation; the revised law will be a 'regulation' rather than a 'directive', so its implementation will be common to all member states, with more stringent requirements and penalties.
Key summary of change:
The easiest way to measure your cyber resilience is a Cyber Risk Assessment such as CyberV, which includes a review and analysis against the most widely advocated controls and good practices that make for a robust cyber defence. These controls are based on what the SANS Institute recommends, along with suggestions made by the UK Government for critical national cyber security. The CyberV service focuses on key areas of cyber security, addressed collectively to deliver a report that is bespoke to your organisation. This encompasses a prioritised report of risks, an interactive workshop, and a review of the following cyber topics:
Systems and host platforms are the typical targets of cyber attacks; it is by penetrating these that cyber threats succeed. The solution is a service designed to measure and report on the strength of a system's configuration and its ability to resist an attack. It is typically suited to high-risk (public-facing) or high-value (key asset) systems or platforms, where a tangible, objective security measurement is needed, either to:
Identifying how sensitive information is passed, stored, and distributed is the first step in evaluating your risk of a data breach. We would suggest an 'Information Risk Audit' (IRA), which assists in quantifying the actual risk of an accidental or malicious disclosure.
This service is designed for organisations that are concerned about data leakage and those that have anxieties about information being disclosed to unauthorised parties. Most organisations hold information that is deemed confidential, privileged, and of high value, where, if it were to fall into the wrong hands, the consequences would include:
The service is tailored to the exact needs of the organisation, with a focus on data loss across unmanaged or uncontrolled access points on the network, along with the internal data governance policies that mandate access, retention, and duplication.
Call or email if you would like to know more; we would be happy to arrange an informal time with one of our scheme consultants for a more in-depth discussion.
Opinion & Resources
Business leaders will benefit from the access to helpful and authoritative cyber security guidance. Encouraging firms to adopt this scheme is a positive step towards greater awareness of cyber security and more widespread action to manage the risks. John Cridland, Director General of the CBI
The Cyber Essentials scheme is a cyber security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.