Whilst many companies, and in particular SMEs, have historically not recognised the requirement for investment in maintaining robust IT security measures, the following statistics make worrying reading:
- Earlier this year, the PwC Information Security Breaches Survey 2014 highlighted that the cost of a breach to an organisation has almost doubled since the previous year. The average cost to a large organisation of its worst security breach is between £600k and £1.15m (up from £450k to £850k a year ago). The average cost to a small business of its worst security breach is between £65k and £115k (up from £35k to £65k a year ago);
- During the last year significant global brands have been affected by information security attacks. These include eBay, Target, Sony, Evernote and WordPress; and
- According to the RSA monthly fraud reports the UK is the 4th most attacked country by volume after the United States, China and the Netherlands.
In response to this growing threat, the UK Government, in consultation with industry, launched the Cyber Essentials IT security standard in June 2014. Cyber Essentials, when fully implemented, provides organisations with basic protection from the most prevalent forms of threat coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill and for which tooling is widely available online. One of the questions recently asked of us as an information security consultancy is: “Would Cyber Essentials have protected our organisation from the Shellshock exploit?” The answer is “No”, because Shellshock was a previously unknown vulnerability in the bash shell for which no patch existed until the day it was disclosed, so no baseline control could have prevented exploitation outright. The answer to the follow-up question, “Would it have made it easier for us to address the impact from the Shellshock exploit?”, is “Yes”. The five control areas of Cyber Essentials would have provided the following protection:
- Boundary Firewalls and Internet Gateways controls would have ensured that the majority of your vulnerable systems were protected behind securely managed firewalls, thereby denying internet-based attackers easy access to these systems. Note the caveat: a firewall does not help a service you deliberately expose, such as a web server running CGI scripts, which was the most common Shellshock attack path, so the remaining controls matter for those hosts.
- Secure Configuration controls would have ensured that internet-facing systems are configured to provide only the services required for fulfilling their role, reducing the number of internet-facing systems that may be susceptible to the Shellshock vulnerability.
- User Access Controls would have minimised the opportunity for attackers to gain access to your network using insecure privileged, inactive or default accounts and then exploit the Shellshock vulnerability on your internal IT systems.
- Malware Protection would have reduced an attacker’s chances of deploying Shellshock-exploiting malware onto your company network through e-mail or web phishing.
- Patch management would have ensured that you applied the correct software patches to any vulnerable systems promptly, reducing a Shellshock attacker’s window of opportunity even further. Shellshock is also a reminder that patching is not a one-off event: the first bash fix (for CVE-2014-6271) was incomplete and was followed by further patches, so a patch-management process needs to track follow-up fixes and re-check hosts after each one.
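As an added example (not part of the original article, and not a Cyber Essentials artefact), the following shell script is the kind of local check a patch-management process would run across hosts to confirm that the installed bash has been patched against the original Shellshock bug (CVE-2014-6271). It uses the widely published public test payload, which only echoes a marker word and changes nothing on the host; the function name `shellshock_status` and its three return strings are this example's own conventions.

```shell
#!/bin/sh
# Added example: report whether the local bash is still affected by Shellshock
# (CVE-2014-6271). Prints one of: no-bash | patched | vulnerable.
#
# The payload exports an environment variable whose value starts with "() {",
# which pre-patch bash treated as a function definition. An unpatched bash kept
# parsing past the function body and executed the trailing command
# ("echo vulnerable") while importing the variable. A patched bash stops at the
# closing brace and ignores the rest (usually printing a warning on stderr).

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi

    # Run a harmless child bash with the test variable in its environment.
    # stderr is discarded because patched versions emit an "ignoring function
    # definition attempt" warning there, which is not part of the verdict.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone use: print the verdict for this host.
shellshock_status
```

Run it on each host after applying bash updates; a "vulnerable" result on an internet-facing web server (especially one serving CGI) should be treated as an urgent patching failure. Because later Shellshock CVEs used different parser bugs, a "patched" result here confirms only the original fix, not every follow-up, so the check should be extended or re-run as further advisories are issued.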
Vulnerabilities like Shellshock are rare; however, the rate of cyber-attacks is rapidly increasing. Cyber Essentials provides a set of controls to mitigate the risk from common internet-based threats. Whilst Cyber Essentials will not provide bullet-proof protection, it certainly reduces your company’s exposure to these threats and gives you the capability to respond to attacks quickly and efficiently.
Find out more about how we can help you achieve Cyber Essentials certification here.