The essential security protection that many organisations ignore
February 28, 2019
Aftab Ahmed, head of sales and marketing at Fordway, describes how many organisations ignore security protection tools that already exist, and what those tools consist of.
As we hear about new security breaches every day, it seems odd that so many organisations are ignoring an effective and widely available security tool provided by the UK’s National Cyber Security Centre (part of GCHQ).
This is the Government’s Cyber Essentials scheme, which was launched almost five years ago to help organisations protect themselves against the most common cyber threats and demonstrate to their customers that they take cyber security seriously.
The most high-profile example is the NHS, which said in November 2018 that Cyber Essentials Plus was not value for money when it realised how much implementation would cost – even though the standard was recommended by the National Cyber Security Centre after the NHS was badly hit by the WannaCry attack.
Cyber Essentials Plus certification is also considered essential for any healthcare institution that hopes to win NHS contracts, which is somewhat inconsistent.
As the fifth largest employer in the world, the NHS is not representative of most organisations. However, take-up of Cyber Essentials has been slow: just 15,826 certificates have been issued since the scheme was introduced in 2014, according to the NCSC’s Annual Review 2018. If you ignore micro-businesses (those with 9 or fewer employees), that’s less than 7% of businesses in the UK.
Having become certified to Cyber Essentials Plus ourselves, we believe the scheme has a vital role to play in giving every organisation a solid security baseline which will mitigate the majority of cyber attacks. It is also becoming an essential requirement for pitching for public sector contracts, so any business which intends to provide goods or services to the public sector should be implementing it as a matter of priority.
Cyber Essentials is designed to help organisations protect themselves against the most common cyber threats.
The five controls recommended are those which should most directly and measurably mitigate the risk of attack: those which will make a tangible difference to an organisation’s cyber security, and would, for example, minimise the damage caused if someone mistakenly opens a malicious attachment or clicks on a link. The scheme also covers mobile device protection and touches on basic security policies.
The five controls are:
Ensuring that firewalls are implemented, either for an individual device’s internet connection or for the organisation’s network as a whole.
Configuring equipment securely, including setting effective passwords and, where appropriate, using two-factor authentication. We also recommend educating users about good password practice. For two-factor authentication, we find that solutions using a hardware or software token, or a mobile application that generates a one-time password, are preferable, as those that ring or send a text message to a mobile phone are easier for someone with malicious intent to circumvent.
Controlling who has access to the organisation’s data and services. This includes limiting the number of people who have administrator access, something which we find is given out far too easily. This should ideally be addressed at the design stage of any new IT system, so that security is embedded from the outset.
Implementing malware protection, such as antivirus software (e.g. Windows Defender, MacOS XProtect), whitelisting and sandboxing. Any member of staff could bring in a virus from their home computer, but it can quickly be quarantined by local antivirus software.
Keeping devices and systems up to date with patching – an area which we find many organisations let slip down their ‘to-do’ list. One option is to automate patching, using tools such as SCCM, which many organisations will already have within their existing software. For those with limited time or expertise, patching can be provided via a third-party managed service and is even available through the cloud (patching as a service).
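As an added illustration (not part of the article or of Fordway’s own tooling), the five controls above can be spot-checked on a single Windows host with built-in PowerShell cmdlets; the thresholds used (minimum password length of 8, more than three local administrators, signatures older than 7 days, no hotfix in 30 days) are assumptions chosen for this example, not values from the scheme.

```powershell
# Added example: read-only check of the five Cyber Essentials controls on one Windows host.
# Assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later.
# All thresholds below are illustrative assumptions, not Cyber Essentials requirements.
$findings = @()

# 1. Firewalls: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# 2. Secure configuration: read the local minimum password length from 'net accounts'.
$minLenLine = (net accounts | Select-String 'Minimum password length').ToString()
$minLen = [int]$minLenLine.Split(':')[-1].Trim()
if ($minLen -lt 8) { $findings += "Minimum password length is $minLen (assumed floor: 8)" }

# 3. Access control: list local Administrators; a long list is the warning sign the article describes.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 3) {
    $findings += "Administrators group has $($admins.Count) members: $($admins.Name -join ', ')"
}

# 4. Malware protection: Windows Defender running with recent signatures.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old"
}

# 5. Patching: the most recent hotfix should have been installed within the last 30 days.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-30)) {
    $findings += "Last hotfix installed on '$lastPatch' (assumed window: 30 days)"
}

# Report: an empty list means all five basic checks passed on this host.
if ($findings.Count -eq 0) { 'All five basic checks passed' } else { $findings }
```

A check like this covers one machine only; a Cyber Essentials Plus assessment tests the controls across the estate, so treat it as a first self-assessment pass rather than evidence for certification.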
There are two different levels of accreditation. Cyber Essentials is an independently verified self-assessment in which organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.
Cyber Essentials Plus is a higher level of assurance in which a qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.
The five controls outlined above may seem like obvious security measures. However, they are an essential part of ensuring that an organisation is protected against common threats. Too often we have seen companies jumping ahead of themselves and looking at expensive security technology before getting the basics right.
Achieving Cyber Essentials certification gives an organisation confidence that it has put the core measures in place to protect its business and its staff against the majority of common cyber attacks. It will assist with GDPR compliance by demonstrating that the organisation has clearly defined security processes in place, and can be used as a bridge to a more comprehensive standard, such as ISO 27001.
Another benefit of implementing Cyber Essentials is that it reminds everyone in the organisation, from the most junior member of staff to the board, of their own security responsibilities.
No security policy will be successful unless employees adhere to it, so organisations need to develop a security-conscious culture in which everyone follows clearly defined policies and procedures. Going through the process of certification to an external standard is a timely check and reminder of what everyone needs to do.
Users need to understand why security is important and the consequences of getting it wrong. They are much more likely to comply if they understand the risks rather than simply seeing security as a set of annoying rules which prevent them working as they wish.
Security policies should be enforceable, realistic, acceptable to users and should not violate personal privacy laws. There should be no ambiguity and everyone should be clear on exactly what is and is not allowed, as well as the penalties for policy violations.
One effective policy which we recommend as part of educating users is to have Security Champions in all departments.
This ensures that security is embedded in day-to-day activities and reminds everyone of their personal security responsibilities, while sharing knowledge and best practice and providing a channel for feedback to the IT team. Fordway’s Security Team also runs security awareness courses across the company to advise our users on the latest threats and how they should be recognised and managed.
As well as implementing effective cyber security protection, every organisation should ensure that it has an appropriate level of security monitoring, so it knows if it has been breached and to what extent.
As a minimum, this means monitoring and analysing internet traffic flowing out of the organisation to help identify any potential compromises on internal systems. We also recommend monitoring for ‘shadow IT’ – services not sanctioned by the organisation but used by staff.
Finally, every organisation should adopt the mentality that one day it will be breached and as a minimum ensure it has a cyber security incident response procedure in place, a back-up of all business critical systems and a disaster recovery plan.
NHS Digital, the organisation entrusted with using digital technology to transform the NHS and social care, recently deemed an NCSC-recommended Cyber Essentials Plus standard for hospitals and GPs as ‘not …