Understanding the basic essentials of cyber security
04 November 2017
Cyber criminals don’t just target large organisations; they target any organisation that isn’t properly protected, exploiting basic IT systems and vulnerabilities. The UK Government’s Cyber Essentials programme is designed to protect organisations from these basic cyber security threats.
According to research carried out by Beaming Ltd, one in eight UK businesses has suffered damage to its IT infrastructure from malware (malicious software). Each of these incidents cost an average of £10,516, incorporating downtime costs, repair costs and any ransoms that had to be paid.
In order to encourage more people to look at cyber security, the UK Government put together the Cyber Essentials programme. The programme has two functions: to provide a clear outline of the necessary actions that mitigate the risk from internet-based threats, and to offer a way for organisations to demonstrate they have taken these precautions. The programme offers two levels of certification: Cyber Essentials is awarded on the basis of a verified self-assessment, which can be taken via a questionnaire available online, and Cyber Essentials Plus is offered at a higher level after internal/external testing of an organisation’s IT infrastructure and cyber security approach. The test involves an outside security expert visiting an organisation to test for vulnerabilities in the IT infrastructure and simulating a security breach to see what protocols are currently in place.
The Cyber Essentials standard covers five key areas:
1. Secure configuration – security measures that are implemented when building and installing computers and network devices in order to reduce unnecessary cyber vulnerabilities
2. Boundary firewalls and internet gateways – provide a basic level of protection where a user connects to the internet
3. Access control and administrative privilege management – protects user accounts and helps to prevent misuse of privileged accounts
4. Patch management – ensures that software on computers and network devices is up-to-date and capable of resisting low-level cyber attacks
5. Malware protection – protects against a broad range of malware (including computer viruses, worms, spyware, botnets and ransomware)
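The five control areas above are written at policy level; in practice each one becomes a concrete check against an asset inventory. The following script is an added example (not the official self-assessment questionnaire, and not tooling from TÜV SÜD or the Cyber Essentials programme) that maps constructed host records onto the five areas and reports which ones each host fails. The field names, the sample inventory and the 14-day patch window are assumptions chosen for illustration.

```python
"""Added example: a pre-assessment checker that maps constructed host records
onto the five Cyber Essentials control areas. The record layout, the sample
inventory and the patch-age threshold are assumptions, not programme rules."""
from datetime import date

# Maximum age, in days, of an uninstalled security update before the host is
# treated as failing patch management (assumed threshold for this example).
MAX_PATCH_AGE_DAYS = 14


def assess_host(host, today, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return the names of the control areas the host fails (empty list = pass)."""
    failures = []

    # 1. Secure configuration: no vendor default credentials, no services the
    #    host does not need exposed.
    if host["default_credentials"] or host["unneeded_services"]:
        failures.append("secure configuration")

    # 2. Boundary firewalls and internet gateways: the host must sit behind an
    #    enabled firewall.
    if not host["firewall_enabled"]:
        failures.append("boundary firewalls and internet gateways")

    # 3. Access control: accounts used for day-to-day work must not carry
    #    administrative rights; admin accounts are for admin tasks only.
    if any(a["admin"] and not a["admin_only_use"] for a in host["accounts"]):
        failures.append("access control and administrative privilege management")

    # 4. Patch management: every missing security update must be younger than
    #    the allowed window.
    overdue = [u for u in host["missing_updates"]
               if (today - u["released"]).days > max_patch_age_days]
    if overdue:
        failures.append("patch management")

    # 5. Malware protection: protection installed and its signatures current.
    if not host["malware_protection"] or not host["malware_signatures_current"]:
        failures.append("malware protection")

    return failures


def assess_inventory(hosts, today):
    """Map each host name to the list of control areas it fails."""
    return {h["name"]: assess_host(h, today) for h in hosts}


# Constructed sample inventory (not real systems); the update id is a placeholder.
SAMPLE_TODAY = date(2017, 11, 4)
SAMPLE_HOSTS = [
    {"name": "fileserver-01",
     "default_credentials": False, "unneeded_services": [],
     "firewall_enabled": True,
     "accounts": [{"user": "backup", "admin": False, "admin_only_use": False},
                  {"user": "itadmin", "admin": True, "admin_only_use": True}],
     "missing_updates": [],
     "malware_protection": True, "malware_signatures_current": True},
    {"name": "reception-pc",
     "default_credentials": True, "unneeded_services": ["telnet"],
     "firewall_enabled": False,
     "accounts": [{"user": "reception", "admin": True, "admin_only_use": False}],
     "missing_updates": [{"id": "UPDATE-ID-PLACEHOLDER", "released": date(2017, 3, 14)}],
     "malware_protection": True, "malware_signatures_current": False},
]

if __name__ == "__main__":
    for name, failures in assess_inventory(SAMPLE_HOSTS, SAMPLE_TODAY).items():
        status = "PASS" if not failures else "FAIL: " + ", ".join(failures)
        print(f"{name}: {status}")
```

Running it prints a pass for the file server and lists all five areas for the reception PC, which is the kind of host the article has in mind: unsophisticated weaknesses (default credentials, an open firewall, an everyday account with admin rights, an update months overdue, stale malware signatures) that each of the five controls is designed to remove.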
Cyber Essentials is now mandatory for suppliers of Government contracts that involve handling personal information or providing ICT products and services. It will also enable organisations to prove they have taken appropriate risk mitigation steps, which will help demonstrate compliance with the new General Data Protection Regulation (GDPR). Organisations that are not compliant with the GDPR after 25 May 2018 could face heavy fines of up to €20 million or four percent of annual global turnover in the event of a data breach.
DPA spoke with Ewan Fisher, Shared Services Centre Performance & Operations Manager at TÜV SÜD UK, as the company achieved Certified Body status for the Cyber Essentials programme.
As a provider of independent testing, inspection and certification, TÜV SÜD is an ideal partner for an organisation that wishes to become Cyber Essentials certified. Because TÜV SÜD is an appointed Certification Body for the programme, organisations it certifies can state publicly that their IT systems comply with a Government-endorsed standard, demonstrating that they protect their own and their customers’ data by maintaining a robust and secure IT environment.
Fisher emphasises that cyber criminals target every size of organisation, both large and small. There is a general feeling across industry that ‘cyber security’ is a high-level service aimed at protecting against high-level attacks, and while that is true for some high-risk targets, all organisations need to be protected against the opportunistic and indiscriminate threats that are much more likely to affect them on a day-to-day basis. For example, the recent WannaCry ransomware attack that hit the NHS was very high-profile and wide-scale, but the attack itself was unsophisticated and could have been prevented by a simple patch being put in place at a relatively low cost per user.
He also reiterates the design of the Cyber Essentials programme: it provides a very basic set of controls to protect against breaches which in themselves aren’t sophisticated but can still cause damage. By making it easier for organisations to protect themselves, they are less likely to suffer data loss, which could have a significant impact in terms of lost revenue or reputation, as well as result in fines or prosecution.
To assess how cyber secure your organisation is, take the self-assessment questionnaire available on the Cyber Essentials website.
For more information on how TÜV SÜD can help you on your journey to becoming Cyber Essentials certified, visit https://www.tuv-sud.co.uk/uk-en/auditing-systems-certification/cyber-essentials.