(This is a copy of an article we wrote that was published in the Cyber Security supplement of the New Statesman 12-16 Feb 2015)
Cyber security starts with addressing what you can predict, and anticipating what you cannot
Cyber security risks are perceived to be unpredictable, a perception fed by media coverage of the latest major cyber attacks affecting large companies. However, if these attacks are examined more closely, more often than not the root cause of a successful attack was that cyber defences did not cover all vulnerabilities in the affected company’s IT systems. Many cyber attackers opportunistically exploit commonly known vulnerabilities in weak IT systems. That means some incidents could have been predicted and avoided, had the organisations in question taken steps to identify and address them.
Dealing with the predictable
The government has recognised this, and in July 2014 introduced the Cyber Essentials Scheme to provide all organisations with a basic framework of measures that can be put in place to deal with the predictable aspects of cyber security risk. So what are some of these cyber essentials?
First is boundary firewalls and internet gateways controls, which ensure that vulnerable systems are protected behind securely managed network firewalls, thereby denying internet-based hackers easy access to IT systems.
Second is secure configuration controls, which ensure that internet-facing systems are configured to provide only the services required for fulfilling their role.
Third is user access controls, which minimise the opportunity for hackers to gain network access using an insecure privileged, inactive or default account.
Fourth is malware protection, which reduces an attacker’s chances of deploying viruses on the company network through e-mail or web phishing.
Fifth is patch management, which ensures that the correct software patches are applied to any vulnerable systems in the minimum amount of time.
While by no means a silver bullet against all cyber attacks, an organisation that follows the scheme can gain some comfort that it could be resilient against common, opportunistic attackers.
Coping with the unpredictable
Following a scheme such as Cyber Essentials allows a company time to focus on coping with the unpredictable side of cyber security, including targeted cyber attacks. The key is to be prepared for what you can’t predict. So what are some tips?
Identify the company information or systems that could have value to a cyber criminal, and might therefore be targeted in an attack. This could include personal information, intellectual property, or payment systems. Use this information to further bolster security measures in these areas.
Maintain employees’ security awareness to keep them sharp and on the alert for potential security breaches. Attackers often target employees directly as a means of gaining access to IT systems.
Draw up and practise a plan to deal with cyber attacks when they occur. Knowing exactly what to do in the event of an attack puts you back in control of the situation and in a strong position to reduce the impact of the attack on the business.
Lastly, consider cyber insurance to provide support and cover financial losses in the event of an attack. Cyber insurance providers often reduce their premiums for Cyber Essentials certified companies.
Contact us on 0203 728 6555 for more information on how to follow the Cyber Essentials Scheme.
(link to download NS supplement, see page 21)