CST

Call us on +44 (0)20 7621 7836

CST have been specialising in Information Protection and Cyber Defence for 20 years. Our aim is to help organisations manage cyber security with the least possible disruption, particularly organisations that strive to improve their security posture but do not have the right resources in place.

We would be happy to discuss your requirements over the phone or meet with you at your office.



Cyber threats raise many questions about the best defence, the best response, and the best way to manage cyber security.

Click on the questions below to find out the answers.

What is Cyber Security?

Cyber Security is a subcategory of the larger Information Protection and Cyber Defence topic; it is not new or novel. It is, though, a symptom of today's businesses suffering at the hands of cyber criminals.

Cyber Security has gained recognition purely because businesses are experiencing commercial losses, and quite rightly business managers have moved the topic up their agenda. You only have to look at the daily press to see yet another story of a business being hacked.

Why is Cyber Security now so topical?

To put this into perspective, cyber security is becoming a problem for all businesses because of a perfect storm of events that individually would not cause much concern, but together have created the current situation and the many cyber attacks that come with it. This perfect storm has come about for three reasons:

  1. Rapid and reliant IT evolution: Businesses rely on and trust IT systems more than ever, and such systems are now considered a 'must have' rather than a 'good to have'. Ask yourself: does your business use internet banking? Was it used five years ago? Would the business do without it now? It is surprising how quickly things change. The doctrine of 'productivity over security' prevails because the business wants to make profits; the unintended consequence is opportunity for cyber criminals.

  2. Interconnected world: The traditional boundary of a business tended to stop at its walls and, to some extent, at its internet gateway. Today's perimeter extends the business network into third parties such as suppliers, business partners, and the unmanaged devices of staff. These borderless networks create greater complexity, and complexity is the enemy of security; in this case the difficulty lies in managing security across and into these new realms of interconnection.

  3. Multiple threats: The traditional, largely benign threat has been replaced by well-resourced internet-based attacks motivated by fraud, espionage, or hacktivism. Attackers use multiple, in-depth, and skilful techniques to avoid detection and assure success; they do not seek the old-style glory of notoriety, preferring to remain inconspicuous. As a result, traditional security methods are not dealing with these ingenious targeted threats. Conversely, whereas access to attack tools was once limited to a clever few, their proliferation means that just about any criminal can now become a cyber criminal; the entry bar has all but dropped for anyone who wants to try.

What type of organisations are at risk from cyber threats?

This year alone has seen a huge increase in cyber attacks, and those are just the reported attacks; many more remain undisclosed. For instance 'Staysure', a UK travel and medical insurance company, was hacked, leading to the theft of 90,000 of its customers' credit card details. This was a large, reputable insurance company being hacked.

Is it safe to assume that small businesses are somehow immune to cyber attack, that they are insulated from it, and that it is only a 'large company' problem? This is not the case. One reason for the surge in attacks is that small businesses have just as much to lose but lack the defences of larger businesses, making them easy targets. For instance, in 2013 the Birkenhead-based varnish producer AEV Ltd lost £100,000 when its banking codes were stolen.

A similar loss was experienced by a small bakery, 'Truffles Bakery', which lost some £20,000. These are just a couple of examples of seemingly low-profile small businesses that never thought they would be worth targeting, discovering the hard way that anyone with an online business account is a target. Another misconception is that the banks will cover cyber attack losses: the banks of the businesses in these examples were sympathetic to their loss, but did not refund all of the money stolen.

Banks have also had a bad time of late, with both Santander and Barclays being subject to highly developed attacks. Outlying branches were targeted by a bogus telephone engineer who tricked his way past reception staff to install equipment on PCs, which in turn allowed the attackers to remotely control and access the bank's systems; in Barclays' case over £1.3 million was lost.

What is the Cyber Essentials Scheme?

To ensure the UK economy is as robust as possible, the UK Government over the last few years has been pushing ahead with initiatives to educate business and commerce about the risks from cyber criminals.

The latest initiative is called 'Cyber Essentials', and its goal is to lay down key controls that, if adopted, would make an organisation resilient to the majority of typical attacks. The UK Government's previous initiative, '10 Steps to Cyber Security', consisted of the following ten suggested controls:

  1. Information risk management regime
  2. Network security
  3. Secure configuration
  4. Manage user privileges
  5. End user awareness
  6. Incident management
  7. Malware protection
  8. Monitoring
  9. Removable media
  10. Home and mobile working

The most recent initiative, 'Cyber Essentials', requires the following five controls:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

Lastly, the SANS (SysAdmin, Audit, Network, Security) Institute is an organisation dedicated to system and information security. They are highly regarded and respected specialists who have published the following top 20 Critical Security Controls, which we regard as best practice for cyber defence and management:

  1. Inventory of authorised and unauthorised devices
  2. Inventory of authorised and unauthorised software
  3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
  4. Continuous vulnerability assessment and remediation
  5. Malware defences
  6. Application software security
  7. Wireless access control
  8. Data recovery capability
  9. Security skills assessment and appropriate training to fill gaps
  10. Secure configurations for network devices such as firewalls, routers, and switches
  11. Limitation and control of network ports, protocols, and services
  12. Controlled use of administrative privileges
  13. Boundary defence
  14. Maintenance, monitoring, and analysis of audit logs
  15. Controlled access based on ‘need to know’
  16. Account monitoring and control
  17. Data protection
  18. Incident response and management
  19. Secure network engineering
  20. Penetration tests and red team exercises

Critical Security Controls information can be found on the SANS website.

The three lists above overlap considerably; SANS has the most in-depth and rigorous requirements and Cyber Essentials the least. You may be wondering why Cyber Essentials has the least, yet is the most recent. This is because the UK Government wants to promote the wider adoption of cyber defence and has deliberately lowered the entry bar to encourage take-up. It is likely that over time the five controls will grow and expand to strengthen the protection they afford. Right now the entry requirements have been designed to deal with the most common types of attack (but not all!) and to make the entry level as simple as possible.

What is the link between Cyber Security and the new EU data laws?

The existing laws governing IT security are the Data Protection Act (DPA) and the Computer Misuse Act (CMA). The CMA is the law used to prosecute hackers and virus writers, whereas the DPA describes how businesses and organisations must treat and control information relating to individuals. The DPA is the UK's implementation of the EU Data Protection Directive, each member state having made its own national interpretation; the proposed replacement is a 'regulation' rather than a 'directive', so its requirements will apply uniformly across member states, with more stringent obligations and penalties.

Key summary of the proposed changes:

  • Disclosure: a requirement to formally notify the authorities when a data breach occurs.
  • Staff: the need to appoint a data protection officer.
  • Fines: proposed at up to 100 million euros or 5% of annual turnover (whichever is greater).
  • Timing: due to be implemented in 2016, subject to further readings and likely amendments.

How can I measure my cyber resilience?

The easiest way to measure your cyber resilience is to carry out a Cyber Risk Assessment such as CyberV, which reviews your organisation against the most widely advocated controls and good practices for a robust cyber defence. These controls are based on the SANS Institute's recommendations and the UK Government's guidance on cyber security. The CyberV service addresses the key areas of cyber security collectively to deliver a report that is bespoke to your organisation: a prioritised report of risks, an interactive workshop, and a review of the following cyber topics:

  1. Leadership and governance.
  2. Assessment against industry best practices and doctrines.
  3. Threat intelligence and cyber visibility.
  4. Cyber protection and response.

How can I determine the right controls and policies for our system?

Systems and host platforms are the typical targets of cyber attacks; it is by penetrating these that cyber threats succeed. The solution is a service designed to measure and report on the strength of a system's configuration and its ability to resist attack. It is typically suited to high-risk (public-facing) or high-value (key asset) systems or platforms, where a tangible, objective security measurement is needed, either to:

  1. Confirm that existing controls are implemented and operational, as per prescribed policies.
  2. Identify security improvements to host systems.

How can I protect my confidential data?

Identifying how sensitive information is transmitted, stored, and distributed is the first step in evaluating your risk of a data breach. We would suggest an 'Information Risk Audit' (IRA), which helps quantify the actual risk of an accidental or malicious disclosure.

This service is designed for organisations that are concerned about data leakage and those that have anxieties concerning information being disclosed by unauthorised parties. Most organisations will have information that is deemed to be confidential, privileged, and of high value; where if it were to fall into the wrong hands the consequences would include:

  • Embarrassment and loss of professional standing.
  • Loss of customer confidence and business.
  • Regulatory and compliance penalties.
  • Competitor advantage and intellectual property loss.

The service is specifically tailored to the exact needs of the organisation, with a focus on data loss across access points on the network that are unmanaged or uncontrolled, along with the internal data governance policies that mandate access, retention, and duplication.

Call or email if you would like to know more; we would be happy to arrange an informal time with one of our scheme consultants for a more in-depth discussion.

“Business leaders will benefit from access to helpful and authoritative cyber security guidance. Encouraging firms to adopt this scheme is a positive step towards greater awareness of cyber security and more widespread action to manage the risks.”
John Cridland, Director General of the CBI

Cyber Essentials

The Cyber Essentials scheme is a cyber security standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems in order to have confidence that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.

Nigel Lewis