Back to the basics with Cyber Essentials
Four years is a long time in cyber security; a lot can change in that time. But surprisingly, a lot also stays the same.
Back in 2016, the National Cyber Security Centre released a white paper on Common Cyber Attacks: Reducing the Impact. The paper described what a common cyber-attack looked like and advised that organisations should implement basic security controls to protect themselves.
NCSC’s report directed businesses to implement schemes such as Cyber Essentials, which had been introduced to allow businesses of any size to implement a standard set of technical controls to provide protection against commodity attacks.
Another report, released in the same year by the UK Government’s Department for Digital, Culture, Media & Sport (DCMS) – The Cyber Security Breaches Survey 2016 listed the top 3 breaches experienced by businesses as:
- Viruses, spyware, and malware.
- Others impersonating organisation in emails or online.
- Denial of service attacks.
Fast forward to the present day and the attacks still follow the same pattern. The 2020 version of the Cyber Security Breaches Survey lists the top 3 attacks as:
- Fraudulent emails or being directed to fraudulent websites.
- Others impersonating organisations in emails or online.
- Viruses, spyware, and malware.
So, in a four-year period, two of the top 3 attacks remain the same. Why might this be? Attackers will only continue to use methods that are effective and get the required results. The report also provides another concerning statistic. In 2016, the number of businesses reporting a cyber breach in the previous 12-month period was 24%; in 2020, that number had almost doubled to 46%.
What has changed?
Every business is susceptible to a cyber-attack. It is no longer if, but when. Attacks are not solely made against large corporations. Businesses of any size can be a target. All businesses have something of value to an attacker, whether that be confidential company data, financial information, or intellectual property – information assets of any kind are of use to someone. If your business fails to protect its information assets by implementing even the simplest of controls, it is only a matter of time before you too fall victim to a cyber-attack.
So, what can we do?
The odds don’t have to be stacked in the attacker’s favour though. There are simple and cost-effective measures that businesses of any size can implement. The advice provided by NCSC in 2016 still stands. By implementing the following controls in the Cyber Essentials standard, businesses can mitigate a significant percentage of commodity attacks.
What does it involve?
Cyber Essentials covers 5 areas of controls that should be implemented:
- Firewalls – ensure you have adequate protection at your network perimeter. Make sure your firewall policies are effective and only allow network traffic required for your business.
- Malware protection – ensure all your devices have malware protection installed and that this is kept up to date on a regular basis.
- Patch management – patching your software to the latest version will prevent cyber attackers attempting to exploit known vulnerabilities and gain access to your information assets
- Secure configuration – ensure your devices have any unused functionality removed; this includes the removal of unused accounts and software
- Access control – ensure that all the user accounts on your network operate on the principle of “least privilege.” This means that your users only have enough permissions to carry out the duties they are assigned.
These controls apply to the areas of your business which you determine to be in scope of the assessment. One consideration, especially with the increase in remote working experienced in the UK at the current time, is that your home workers extend the boundaries of your network, therefore it is imperative that the controls you implement as part of Cyber Essentials include the equipment your users have at home.
Surely, I need to do more to protect my business?
Of course, there are a large number of controls you may wish to implement to protect your business. However, it is of utmost importance that you get the basics right and starting with Cyber Essentials is certainly a step in the right direction. Cyber Essentials can be applied to any business size, from micro up to global corporations.
And this is an example of what can happen:
Cathay Pacific were fined £500,000 by the UK’s Information Commissioner’s Office for security lapses which exposed around 9.4 million customer details. The ICO carried out a full investigation into the breach and discovered a catalogue of errors with some serious deficiencies in the expected processes. Included in the ICO’s statement of the breach “At its most basic, the airline failed to satisfy four out of the five basic Cyber Essentials guidance”.
How Nexor can help
Nexor assists our clients by providing a full range of cyber security services including the implementation of standards ranging from Cyber Essentials to ISO 27001. Our approach starts and ends with people. Our People, Process and Technology methodology ensures business outcomes support the organisational objectives in a way that builds a trust culture and provides a technological environment to help people to succeed. Our consultants will work with you to ascertain the risks to your business, and to determine the best course of action by offering an individual tailored and bespoke service to protect your key information assets.
Author Bio – Sarah Knowles
Sarah Knowles is Nexor’s Senior Security Consultant. Her formal credentials include being an NCSC certified Senior Security and Information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Member of the Chartered Institute of IT. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.
Be the first to know about developments in secure information exchange