Features

Locking into cyber security

With cyber attacks and ransomware demands increasing, Steve Borwell-Fox, owner/manager of software house borwell, examines various cyber security regimes for businesses of differing sizes.

There are several UK and international standards for cyber security. These are specifically called information security standards.

Information security standards help articulate to a customer the maturity of a supplier’s management and control of data and information.

Certification to a standard gives a benchmark of a supplier’s operations. This helps customers understand what they should expect from a supplier in terms of product or service quality. However, it pays to be wary – particularly as the terms accreditation and certification are sometimes used incorrectly by customers and suppliers.

Let’s be clear. Accreditation provides a means of determining, formally recognising and promoting the competence of facilities to perform specific types of testing, inspection, calibration, and other related activities; certification is an organisation’s overall compliance with systems and product standards rather than its technical competence.

While I’m clearing up definitions, let’s look at the phrase cyber security, which can certainly be confusing – I’m not surprised that so many non-technical people are baffled in this area. To clarify, cyber security is the combination of the controls and activities of computer security – the physical, such as devices and data – with the intangible controls used in information assurance, such as the policies and procedures that people follow and use.

Now we’ve got that clear, the good news is that there is a standard for any business size or sector. Businesses now have a route to make themselves more cyber resilient. Of course, it might not always be a business looking to certify to a standard – public sector bodies and charities are also securing their organisations, especially as they often hold personal data, patient data and manage money online too.

One of the first information management standards was actually launched as far back as 1995. This was the British Standard (BS) 7799. I first came across it when working alongside a Serco team in Malvern, who knew this standard inside out, and were advising businesses on how to secure their operations before we even used the term ‘cyber’.

As with many British Standards, BS7799 evolved into ISO 27001 – an information security management system (ISMS) standard last published in October 2013 by the International Organization for Standardization (ISO). ISO 27002 is an information security standard that was donated by Shell to a UK Government initiative in the 1990s. It provides best practice recommendations on information security management for people responsible for implementing an ISMS like ISO 27001.

As many smaller businesses struggle to justify the time and cost of ISO 27001 certification, a few years back the government stepped in to assist. Before it was subsumed into the National Cyber Security Centre (NCSC), the government’s national technical authority for information assurance – the CESG – looked at the top cyber-attacks on businesses and produced an ‘essential’, bare-minimum list of actions aimed at removing many of the main vulnerabilities that hackers exploit.

This essentials list became the cyber essentials scheme (CES) standard. It is also a really good stepping-stone towards ISO 27001.

The key five areas covered by CES are:

  • Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks. Correct configuration of these devices, in hardware or software form, is important for them to be fully effective. Buying the right firewall and configuring it properly needs a specialist supplier or training;
  • Secure configuration – ensure that systems are configured in the most secure way for the needs of the business. Monitor and test this through vulnerability scanning;
  • Access control – ensure that only authorised users have access to systems, and at the appropriate level. A penetration test will try to access systems as an existing user and then try to escalate privileges to gain further access;
  • Malware protection – ensure that virus and malware protection is installed and up to date. Regular scanning of all computers is essential;
  • Patch management – ensure that the latest version of each application is used, and that all the necessary patches supplied by the vendor have been applied.

Canada has recently adopted the CES standard, which is great news. It means that, rather than reinventing the wheel, we have the potential to roll-out CES as an international standard for SMEs.

Above and beyond cyber essentials is cyber essentials+ (CES+), which is the CES standard with a penetration test of your systems and an external auditor to review policies and procedures. Some prime contractors are starting to ask for CES+ from their supply chain partners for UK Government-related projects, and the MoD has also stipulated that from October 2017 it will only enter into contracts with companies that are CES-accredited.

There are a couple of other standards to note. The first is IA for SMEs (IASME), which builds on the basics of CES and cleverly brings in the people side of cyber risk. This is not covered at all by CES.

In the US, the National Institute of Standards and Technology (NIST), a bit like the BSI in the UK, produced the NIST cyber security framework (CSF) in 2014. It is very similar in its aims and approach to CES.

So, how does all this translate for various businesses and sectors?

Businesses of all sizes should be assessing their risk. Creating a risk register allows you to capture risks, assign them to a risk owner, and to record mitigating (preventative) and containment (incident management) actions.
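As an added illustration (not code from the original article, nor any official Cyber Essentials tooling), the Python script below turns the five CES control areas listed earlier and the risk register described here into a simple self-assessment: each host in an inventory is checked against one rule per control area, and every failed check becomes a risk register row with a risk owner, a mitigating (preventative) action and a containment (incident management) action. The numeric thresholds, the host inventory fields, the owner names and the action wording are all assumptions chosen for the example; the two sample hosts are constructed, not real systems.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this illustration; the article names the five
# CES control areas but does not give numeric limits for them.
MAX_PATCH_AGE_DAYS = 14        # vendor patches applied within two weeks
MAX_SIGNATURE_AGE_DAYS = 3     # malware signatures no older than three days
MAX_ADMIN_ACCOUNTS = 2         # named administrators, not everyday users
ALLOWED_INBOUND_PORTS = {443}  # only HTTPS should be reachable from the internet

FIREWALL = "Boundary firewalls and internet gateways"
CONFIG = "Secure configuration"
ACCESS = "Access control"
MALWARE = "Malware protection"
PATCHING = "Patch management"


@dataclass
class Host:
    """One row of a host inventory (fields are hypothetical, chosen for this check)."""
    name: str
    inbound_ports: set          # ports reachable from the internet via the gateway
    default_credentials: bool   # any vendor default password still in use
    admin_accounts: int         # accounts holding local or domain admin rights
    av_installed: bool
    av_signature_date: date     # last malware signature update
    last_patch_date: date       # last vendor patch applied
    unsupported_software: list  # products the vendor no longer patches


def assess(host: Host, today: date) -> list:
    """Return (control, finding) pairs for every CES control area the host fails."""
    findings = []
    exposed = host.inbound_ports - ALLOWED_INBOUND_PORTS
    if exposed:
        findings.append((FIREWALL, f"inbound ports {sorted(exposed)} open beyond the allowed set"))
    if host.default_credentials:
        findings.append((CONFIG, "vendor default credentials still in use"))
    if host.admin_accounts > MAX_ADMIN_ACCOUNTS:
        findings.append((ACCESS, f"{host.admin_accounts} admin accounts exceeds limit of {MAX_ADMIN_ACCOUNTS}"))
    if not host.av_installed:
        findings.append((MALWARE, "no malware protection installed"))
    elif (today - host.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append((MALWARE, f"malware signatures {(today - host.av_signature_date).days} days old"))
    if (today - host.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        findings.append((PATCHING, f"last patch applied {(today - host.last_patch_date).days} days ago"))
    if host.unsupported_software:
        findings.append((PATCHING, f"unsupported software present: {', '.join(host.unsupported_software)}"))
    return findings


# Default owner, mitigating (preventative) and containment (incident) actions per
# control: illustrative text, not guidance from the article or the CES scheme.
RISK_ACTIONS = {
    FIREWALL: ("Network lead",
               "Remove gateway rules with no documented business need",
               "Block the port at the gateway and isolate the host"),
    CONFIG: ("IT lead",
             "Replace default credentials and rebuild from a hardened baseline",
             "Disable the affected account and review recent logons"),
    ACCESS: ("IT lead",
             "Limit admin rights to named administrators using separate accounts",
             "Disable surplus admin accounts and reset their passwords"),
    MALWARE: ("IT lead",
              "Deploy endpoint protection with automatic signature updates",
              "Isolate the host and run a full scan"),
    PATCHING: ("IT lead",
               "Apply vendor patches within the agreed window and retire unsupported products",
               "Isolate the host until it is patched or replaced"),
}


def risk_register(hosts: list, today: date) -> list:
    """Turn failed checks into risk register rows with an owner and both action types."""
    rows = []
    for host in hosts:
        for control, finding in assess(host, today):
            owner, mitigate, contain = RISK_ACTIONS[control]
            rows.append({
                "host": host.name,
                "control": control,
                "risk": finding,
                "owner": owner,
                "mitigating_action": mitigate,
                "containment_action": contain,
            })
    return rows


TODAY = date(2017, 6, 1)  # fixed date so the example gives the same result every run

# Constructed inventory for the illustration; these are not real systems.
SAMPLE_HOSTS = [
    Host("web01", {443}, False, 1, True, date(2017, 5, 31), date(2017, 5, 25), []),
    Host("fileserver", {443, 445, 3389}, True, 6, True, date(2017, 3, 1),
         date(2016, 11, 20), ["legacy office suite"]),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_HOSTS, TODAY):
        print(f"{row['host']:<10} {row['control']:<40} {row['risk']}")
        print(f"           owner: {row['owner']}; mitigate: {row['mitigating_action']}; "
              f"contain: {row['containment_action']}")
```

Run as-is it reports nothing for web01 and six rows for fileserver, one per failed check. The point of the structure is that the check logic and the register are separate: the thresholds are the part a business would tune (or replace with the scheme’s own requirements), while the register rows are what a risk owner, an IA champion or a board one-pager would consume.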

Small businesses should aim to achieve CES certification. They need this to work on MoD projects, either in a prime role or as a subcontractor. If they work with large enterprises in their supply chain outside of the defence sector, then CES certification will help demonstrate that they will be a low-risk partner.

Growing small businesses should achieve CES+ and strive to achieve ISO 27001 to show customers that they are an ambitious supplier investing and growing, and taking their digital responsibilities in the supply chain very seriously.

Medium businesses should achieve CES+ certification and also ISO 27001. They need to actively promote a member of staff to be their IA champion and give them the time and resources to maintain CES+ and ISO 27001. These people will need help with internal audits and with arranging staff security refresher training, and time to liaise with the internal and external IT teams to ensure the business is investing coherently in people, processes and technology to keep ahead of the hackers.

Large businesses should appoint a chief information security officer (CISO) or chief information officer (CIO) to be responsible for information-related risk and data protection.

The network management team and IA representatives should be meeting monthly to review internal and external risks. They should be reporting cyber risk to the CISO in a one-page report for board meetings. Cyber risk should be on the agenda. There should be a budget in place for all aspects of security – physical security, CCTV, access control, staff vetting, supplier vetting, hardware, software and training.

With the replacement of the UK Data Protection Act (DPA) with the new EU General Data Protection Regulation (GDPR) in May 2018, now is a good time to improve your understanding of your data and information assets, their pathway in, through and out of your business and what is being done to protect them – at rest and in transit.

Certification to one of the standards outlined would be a positive and proactive step towards demonstrating compliance with GDPR.

Finally, seek advice from your current suppliers, asking them how they can help you improve your cyber resilience.

Also, talk to customers openly about your plans to keep your business secure. They may well have the same challenges, maybe at a different scale and should welcome the discussions.
