
Locking into cyber security

Posted 24 October 2017

With cyber attacks and ransomware demands increasing, Steve Borwell-Fox, owner/manager of software house borwell, examines various cyber security regimes for businesses of differing sizes.

There are several UK and international standards for cyber security. These are specifically called information security standards.

Information security standards help articulate to a customer the maturity of a supplier’s management and control of data and information.

Certification to a standard displays a supplier benchmark of its operations. This helps customers understand what they should expect from a supplier in terms of product or service quality. However, it pays to be wary – particularly as the terms accreditation and certification are sometimes incorrectly used by customers and suppliers.

Let’s be clear. Accreditation provides a means of determining, formally recognising and promoting the competence of facilities to perform specific types of testing, inspection, calibration, and other related activities; certification is an organisation’s overall compliance with systems and product standards rather than its technical competence.

While I’m clearing up definitions, let’s look at the phrase cyber security, which can certainly be confusing – I’m not surprised that so many non-technical people are baffled in this area. To clarify, cyber security is the combination of controls and activities in computer security – the physical, such as devices and data, and the intangible used in information assurance, such as the policies and procedures that people follow and use.

Now we’ve got that clear, the good news is that there is a standard for any business size or sector. Businesses now have a route to make themselves more cyber resilient. Of course, it might not always be a business looking to certify to a standard – public sector bodies and charities are also securing their organisations, especially as they often hold personal data, patient data and manage money online too.

One of the first information management standards was actually launched as far back as 1995. This was the British Standard (BS) 7799. I first came across it when working alongside a Serco team in Malvern, who knew this standard inside out, and were advising businesses on how to secure their operations before we even used the term ‘cyber’.

As with many British Standards, BS7799 evolved into ISO 27001 – an information security management system (ISMS) standard last published in October 2013 by the International Organization for Standardization (ISO). ISO 27002 is an information security standard that was donated by Shell to a UK Government initiative in the 1990s. It provides best practice recommendations on information security management for people responsible for implementing an ISMS like ISO 27001.

As many smaller businesses sometimes struggle to justify the time and cost of ISO 27001 certification, a few years back the government stepped in to assist. Before it was subsumed into the National Cyber Security Centre (NCSC), the government’s national technical authority for information assurance – the CESG – looked at the top cyber-attacks on businesses and produced an ‘essential’, bare-minimum list of actions aimed at preventing many of the main vulnerabilities that hackers exploit.

This essentials list became the cyber essentials scheme (CES) standard. It is also a really good stepping-stone towards ISO 27001.

The five key areas covered by CES are:

  • Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks. Correct configuration of these devices, in hardware or software form, is important for them to be fully effective. Buying the right firewall and configuring it properly needs a specialist supplier or training;
  • Secure configuration – ensuring that systems are configured in the most secure way for the needs of the business. Monitor and test this through vulnerability scanning;
  • Access control – ensuring that only authorised users have access to systems, and at the appropriate level. A penetration test will try to access systems as an existing user and then try to escalate privileges to gain further access;
  • Malware protection – ensuring that virus and malware protection is installed and up to date. Regular scanning of all computers is essential;
  • Patch management – ensuring that the latest version of applications is used, and that all the necessary patches supplied by the vendor have been applied.

Canada has recently adopted the CES standard, which is great news. It means that, rather than reinventing the wheel, we have the potential to roll-out CES as an international standard for SMEs.

Above and beyond cyber essentials is cyber essentials+, which is the CES standard with a penetration test on your systems and an external auditor to review policies and procedures. Some prime contractors are starting to ask for CES+ from their supply chain partners for UK Government-related projects, and the MoD has also stipulated that, from October 2017, it will only enter into contracts with companies who are CES-accredited.

There are a couple of other standards to note. The first is IA for SMEs (IASME), which builds on the basics of CES and cleverly brings in the people side of cyber risk. This is not covered at all by CES.

In the US, the National Institute of Standards and Technology (NIST), a bit like the BSI in the UK, produced the NIST cyber security framework (CSF) in 2014. It is very similar in its aims and approach to CES.

So, how does all this translate for various businesses and sectors?

Businesses of all sizes should be assessing their risk. Creating a risk register allows you to capture risks, assign them to a risk owner, and to record mitigating (preventative) and containment (incident management) actions.

Small businesses should aim to achieve CES certification. They need this to work on MoD projects, either in a prime role or as a subcontractor. If they work with large enterprises in their supply chain outside of the defence sector, then CES certification will help demonstrate that they will be a low-risk partner.

Growing small businesses should achieve CES+ and strive to achieve ISO 27001 to show customers that they are an ambitious supplier investing and growing, and taking their digital responsibilities in the supply chain very seriously.

Medium businesses should achieve CES+ certification and also ISO 27001. They need to actively promote a member of staff to be their IA champion and give them the time and resources to maintain CES+ and ISO 27001. These people will need help with internal audits, time to arrange staff security refresher training, and time to liaise with the internal and external IT teams to ensure the business is investing coherently in people, processes and the technology needed to keep ahead of the hackers.

Large businesses should appoint a chief information security officer (CISO) or chief information officer (CIO) to be responsible for information-related risk and data protection.

The network management team and IA representatives should be meeting monthly to review internal and external risks. They should be reporting cyber risk to the CISO in a one-page report for board meetings. Cyber risk should be on the agenda. There should be a budget in place for all aspects of security – physical security, CCTV, access control, staff vetting, supplier vetting, hardware, software and training.
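To make the risk register recommended above concrete, here is an added example (not code from the article or from borwell) of a minimal register in which every risk is tied to one of the five CES areas, has a named owner, and records both mitigating and containment actions, together with a check for incomplete entries and the ranked list a one-page board report would carry. The risk entries, owners and scores are constructed sample data.

```python
# Added example, not from the article: a small risk register of the kind the text
# recommends. Each risk maps to one of the five Cyber Essentials areas, names an
# owner, and records mitigating (preventative) and containment (incident) actions.
from dataclasses import dataclass, field

CES_AREAS = ("boundary firewalls", "secure configuration", "access control",
             "malware protection", "patch management")

@dataclass
class Risk:
    title: str
    area: str                  # one of CES_AREAS
    owner: str                 # named risk owner
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    mitigations: list = field(default_factory=list)  # preventative actions
    containment: list = field(default_factory=list)  # incident management actions

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def validate(register):
    """Return the gaps in a register; an empty list means every entry is complete."""
    problems = []
    for r in register:
        if r.area not in CES_AREAS:
            problems.append(f"{r.title}: unknown CES area '{r.area}'")
        if not r.owner:
            problems.append(f"{r.title}: no risk owner assigned")
        if not r.mitigations:
            problems.append(f"{r.title}: no mitigating action recorded")
        if not r.containment:
            problems.append(f"{r.title}: no containment action recorded")
    return problems

def board_summary(register, top=3):
    """Highest-scoring risks first, as (title, owner, score) for the one-page report."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.title, r.owner, r.score) for r in ranked[:top]]

# Constructed sample register (hypothetical owners and scores)
SAMPLE = [
    Risk("Unpatched VPN appliance", "patch management", "IT manager", 4, 5,
         ["apply vendor patches within 14 days"], ["isolate appliance, restore from image"]),
    Risk("Shared admin password", "access control", "IA champion", 3, 4,
         ["individual accounts, least privilege"], ["rotate credentials, review logs"]),
    Risk("Phishing delivers malware", "malware protection", "IA champion", 4, 3,
         ["endpoint protection kept current", "staff refresher training"], []),
]
```

Running `validate(SAMPLE)` flags the phishing entry as having no containment action, which is exactly the gap a monthly review should catch before the report reaches the board.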

With the replacement of the UK Data Protection Act (DPA) with the new EU General Data Protection Regulation (GDPR) in May 2018, now is a good time to improve your understanding of your data and information assets, their pathway in, through and out of your business and what is being done to protect them – at rest and in transit.

Certification to one of the standards outlined would be a positive and proactive step forward to showing compliance to GDPR.

Finally, seek advice from your current suppliers, asking them how they can help you improve your cyber resilience.

Also, talk to customers openly about your plans to keep your business secure. They may well have the same challenges, maybe at a different scale and should welcome the discussions.
