Training

Official cyber guidance

by Mark Rowe

Put cyber security on your agenda before it becomes the agenda, the authorities suggest. CPNI, GCHQ, BIS and the Cabinet Office have updated the two-year-old ‘10 Steps to Cyber Security’. Aimed at businesses, the steps set out what IT users can do to improve the security of their networks and of the data carried on them.

The authorities urge a risk management approach. Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often treated as an IT issue, rather than the strategic risk management issue it actually is. The official advice stresses the business sense behind such an approach: a corporate that manages cyber risk like any other risk can make better decisions, reduce losses, and be prepared for most eventualities, it’s suggested.

Robert Hannigan, Director of GCHQ, the official security and intelligence body, pointed to recent cases of cyber-fraud and the 2014 attack on Sony Pictures in the US, ‘which resulted in the leaking of sensitive data as well as a number of the studio’s unreleased films’. He singled out as a concern ‘hostile activity’ on the computer networks of companies that own and run the UK’s critical infrastructure, such as utilities. He said: “In GCHQ we continue to see real threats to the UK on a daily basis, and I’m afraid the scale and rate of these attacks shows little sign of abating. The good news is that, despite the increase in sophistication and volume, it remains as true today as it did two years ago that there is much you can do to protect your organisation by adopting the basic cyber security procedures in this guidance.”

Some questions

How confident are you that your company’s most important information is being properly managed and is safe from cyber threats?
Are you clear that the board are likely to be key targets?
Do you have a full and accurate picture of:
the impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company were to be lost or stolen?
the impact on the business if our online services were disrupted for a short or sustained period?
Do you receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting your company, their methods and their motivations?
Do you encourage your technical staff to enter into information-sharing exchanges with other companies in your sector and/or across the economy, to benchmark, learn from others and help identify emerging threats?

As the guidance points out, compromise of information need not come about through a malicious outsider. It could be staff error that loses you intellectual property; or it could be industrial competitors, (unspecified) foreign intelligence services, hackers who like to interfere with your computers, hacktivists hacking for a cause, or staff with a grudge. Do you know which information assets are critical, and who the likely adversaries are? Who needs training? Are policies reviewed? Do security measures work? The guidance warns that cyber damage can be tangible: “Your business is not immune to such attacks.” The advice also touches on social engineering, ‘or the skilful manipulation of people and human nature’. For example, a hacker might persuade IT support staff over the phone to reset passwords. The key, it’s suggested, is to be aware of potential threats, ‘a normal part of risk management’, and to treat them like any other risk.

The authorities make the point that time and again attackers are exploiting basic weaknesses. Hence the Cyber Essentials scheme launched last year, which defines a minimum set of security controls. Government has mandated it for some of its procurement. At its most basic level, you complete a self-assessment questionnaire, which is reviewed by an external certifying body; at the higher level, you have your IT systems tested by a certifying body.

Visit https://www.cyberstreetwise.com/cyberessentials/.

CESG, the information security arm of GCHQ, and CERT-UK (the official UK computer emergency response body, launched last year and featured in our January issue) have published Common Cyber Attacks: Reducing The Impact. That 17-page report describes the attacks most commonly used by cyber criminals. It gives three case studies: espionage against UK energy firms; computers infected by remote access malware; and spear-phishing against a system administrator, who unknowingly installed a remote access tool, malware that an attacker could use to capture keystrokes, to learn passwords, or to take screenshots. That last case shows that threats aren’t all high-tech: a crafted email went to the administrator’s personal email address, and looked genuine enough for him to read it and inadvertently download the malware. CESG report that the malware was detected before it did any significant damage; but (in a parallel with a ram-raid or a theft from a shop?) the investigation and clean-up still brought disruption. As the document points out, cyber security controls should include user awareness, so that staff are suspicious of unsolicited email and of unexpected attachments.

That document covers the ‘threat landscape’, how you should understand your IT vulnerabilities, what the common stages and patterns of a cyber attack are, and how to reduce your exposure to attack. The document admits there’s no such thing as 100 per cent security. So what to do when you have been attacked? Have a ‘security incident response plan’, and look to CESG, CPNI and CERT-UK. The parting word? “Doing nothing is no longer an option.”

CESG also offers guidance documents on, for instance, Bring Your Own Device (BYOD) and, for those handling official Government information, cloud security.

To read the pdf of Common Cyber Attacks – Reducing the Impact, visit – https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/395718/Common_Cyber_Attacks-Reducing_The_Impact.pdf

A June 2013 CPNI document on ‘influencing company boards’ covers how to gain buy-in from management boards on cyber threats, and on the need to consider such threats as part of corporate risk and business decisions.

The advice is that there is no set formula for gaining the board’s support. To achieve a successful outcome it is important to gain a clear picture of how the board perceives the threat, and of its risk appetite.

Visit http://www.cpni.gov.uk/documents/publications/2013/2013009-influencing_company_boards.pdf?epslanguage=en-gb


© 2024 Professional Security Magazine. All rights reserved.