Security.FYI: Cyber Essentials – Getting the Basics Right
In the latest Security.FYI column, Ian McGowan, managing consultant at Barrier Networks, gets back to basics and explores why every company should be thinking about Cyber Essentials.
In my last couple of cyber security columns for DIGIT, I have talked about the importance of Web Application Security and why organisations should look to their employees when it comes to reducing the risk of Phishing attacks. In this column, I am going to strip cyber security back to basics and focus on what I believe organisations should be doing, as a minimum, to protect themselves from cyber threats.
There is a general feeling that cyber security is a high-level service aimed at protecting large organisations from advanced attacks. While that can be true, the reality is that all organisations need to be protected against the basic and opportunistic threats that are much more frequent and likely to affect them on a day-to-day basis.
Think back to May 2017 when the WannaCry ransomware attack impacted many areas of the NHS. It was high profile and the media was initially reporting that the NHS were being targeted by an advanced attacker, but the attack vector later transpired to be unsophisticated and the impact much wider than the NHS.
93% of Breaches Avoidable
In a recent article, the Online Trust Alliance reported that a staggering 93% of breaches in 2017 could have been avoided with simple cyber hygiene practices, such as regularly updating software, blocking fake email messages and training employees to recognise phishing attacks.
This serves as a timely reminder that there is value to be gleaned in deploying the rudimentary cyber security controls and keeping them functional.
A great way to ensure that you have the cyber security basics in place is Cyber Essentials.
Cyber Essentials is a government-backed and industry-supported scheme to help protect your organisation from the most common cyber attacks and to demonstrate your organisation's commitment to cyber security. It defines a set of five key security controls that organisations should implement as a minimum to reduce the risk of cyber threats.
The five key controls are:
- Boundary Firewalls & Gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
Cyber Essentials offers two levels of certification:
- Cyber Essentials: the basic level of certification, awarded on completion of a self-assessment questionnaire
- Cyber Essentials Plus: a higher level of assurance, provided by validating the five key controls through simulated hacking and phishing attacks
I am a strong advocate of the Cyber Essentials scheme as it helps establish a good cyber security baseline which paves the way for organisations to decide what their next step should be. Cyber Essentials provides a level of assurance that an organisation is managing the fundamentals of cyber security.
I have summarised below how the five key controls can provide basic, but much-needed protection for your organisation:
Boundary Firewalls & Gateways
Block insecure or unnecessary services, maintain a list of known bad websites and establish network perimeter defences.
Secure Configuration
Minimises the information that Internet-facing devices release about their configuration and software versions, and ensures they cannot be probed for any vulnerabilities.
Access Control
Will restrict the applications, privileges and data that users can access.
Malware Protection
Will protect you from a broad range of malware and often includes options for virus removal that will protect your computer, your privacy and your important documents from attack.
Patch Management
Ensures that patches are applied at the earliest opportunity, limiting the time your organisation is exposed to known software vulnerabilities. This might seem obvious, but again consider the WannaCry ransomware attack: it exploited known Microsoft vulnerabilities which, in many cases, organisations could already have patched.
Since the start of 2018, I have seen an increase in awareness and adoption of Cyber Essentials and I am pleased to say that at Barrier Networks, we are speaking to all kinds of businesses on a weekly basis about the Cyber Essentials programme.
Here are some of the reasons I hear when they are looking to become certified:
The Scottish Government Cyber Resilience Strategy
In November 2017, the Scottish Government published A Cyber Resilience Strategy for Scotland: Public Sector Action Plan. This has been the catalyst for Cyber Essentials in the public sector as, per Key Action 4, the Scottish Government expects all public bodies to be Cyber Essentials Plus certified by the end of October 2018. Funding has been made available to support all public bodies to undergo a Cyber Essentials ‘pre-assessment’ by the end of March 2018.
Although the Action Plan focuses primarily on the public sector, it should resonate with organisations in the private sector and I encourage business in the private sector to consider how they could implement a similar cyber resilience strategy.
What’s that coming over the hill, is it GDPR?
First of all, let me be clear, becoming Cyber Essentials certified does not mean you are GDPR compliant. However, Cyber Essentials is a great first step to your GDPR strategy as it serves as evidence that you have carried out basic steps towards protecting your business and your data from attacks. The Information Commissioner has noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR. So, if you are behind on your GDPR work perhaps it is worth considering Cyber Essentials as a starting point.
Cyber criminals will target ANY organisation
Cyber criminals do not just target large organisations, they target any organisation – regardless of size and the industry in which they operate – by exploiting basic IT systems and vulnerabilities. Unfortunately, smaller businesses are arguably at greater risk because hackers recognise that they often have limited cyber security resources at their disposal, making them an easier target. Don’t forget, Cyber Essentials is designed to protect organisations of all sizes from cyber security threats.
To summarise, Cyber Essentials provides a basic set of controls to protect against cyber attacks which in themselves are not sophisticated but can still cause damage. Cyber Essentials will protect organisations from up to 80% of cyber attacks, making them less likely to suffer a breach which could have a significant impact due to lost revenue, reputational damage, or fines and prosecution.
If you would like to speak to someone about Cyber Essentials, please give us a call on 0141 356 0101 or email firstname.lastname@example.org.