British National Cyber Security Guidance

Uploaded on 2020-11-17 in GOVERNMENT-National, FREE TO VIEW

Most organisations rely on their IT systems to carry out business and to control critical functions, using various types of digital technology to manage their safety, security and engineering systems. As a result, businesses can become vulnerable to hacking and threats that undermine their confidentiality, integrity or accessibility. 

The consequences of such incidents can be significant to organisations, leading to loss of reputation, damage to assets, regulatory fines or result in physical injury.

To understand the cyber risk to your business, you should conduct a Cyber Risk Assessment. This will help to ensure that your approach to cyber security is proportionate.  Here is the UK Government’s outline of cyber security information for organisations:

Whilst there is no prescribed format for this, it should be based on the Risk Management processes detailed below. Note that the risk assessing is a continuous, on-going process which you will need to revisit as your business changes and / or threats evolve.

Assessing The Risk

The following three step process will help you identify:

  • The digital technologies and systems which are critical to your business
  • Who might attack them
  • How they might be vulnerable

This information will allow you to narrow down what you must protect.

Impact: What Your Want To Avoid

Your approach to cyber risk management should be driven by the ‘Impacts’ you are trying to avoid. Start by identifying the systems, data and technologies on which your business relies. The type of questions you might want to ask are:

  • Is there technology that must be available for the business to function? (e.g. payment systems, access controls)
  • Do physical security systems rely on digital technology? How are they protected?
  • Are you processing sensitive data? (personal, financial) If so, what if this data is lost, stolen or unavailable?
  • Are you reliant on third-party systems? If so, which systems are central to your business?

If you take a systematic approach, you should be able to produce a prioritised list. You then need to consider the impact of these systems being compromised or becoming unavailable. This basic understanding of what you care about and why it’s important, will help you identify what you must protect.

Threats: What Type of Attacks To Expect

A ‘Threat’ is the individual, group or circumstance, which could cause a given impact to occur. It can be challenging to develop an accurate assessment of the threat to your business without undertaking an appropriate analysis. The following will help you develop a baseline threat picture:

  • Commodity Attacks: All organisations and events, regardless of profile and size, are at risk from commodity attacks that exploit basic vulnerabilities using readily available hacking tools and techniques. Mass phishing campaigns are one example of such an attack.
  • Targeted Attacks: Some businesses will be targeted by cyber criminals who, for example, intend to steal financial or personal information e.g. spear phishing.
  • Methodology: Most attacks are preventable and use well-known techniques.
  • Insider Threat: Not all threats are external. It is essential that internal threats are incorporated into your assessment.
  • Learn from Experience: Has your business or similar businesses previously experienced cyber-attacks? How could those attacks have been prevented?
  • With some research, you should be able to develop a baseline threat assessment. For example, you may decide that your business is unlikely to be deliberately targeted, therefore commodity attacks exploiting basic vulnerabilities are the main threat.
  • Alternatively, you may discover that businesses of similar profile have been targeted by organised crime groups, therefore the threat is heightened and specific defensive measures are required.
  • It should be noted that most targeted attacks still use basic techniques, such as phishing emails, to enable attacks. Good basics are always the first layer of defence 

Vulnerabilities: How Secure Are The Networks & Systems That You Rely On?

A ‘Vulnerability’ is a weakness that would enable an impact to be realised, either deliberately, or by accident. The final stage of the process is identifying your vulnerabilities. You should start by overlaying your critical systems (see ‘Impact’, above), with the expected capabilities of any attackers.

Next, focus on establishing whether the security controls for each critical system are appropriate for the threat. Remember, most cyber-attacks are preventable if basic controls are in place. Identify who is supplying your critical systems and establish a clear picture of each supplier’s cyber security posture.

A good starting point is to ask whether your suppliers hold any existing security certifications (e.g. Cyber Essentials, Cyber Essentials Plus, ISO 27001). Holding a certification indicates that the supplier has a proactive approach to cyber security. If suppliers do not hold any certifications you will need to invest time to understand more about their security posture.

From an IT infrastructure perspective, you may wish to use the Cyber Essentials themes as discussion points:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

For providers of online services, you may wish to focus your discussion on the common web application security issues and for further information:

Almost every business relies on the confidentiality, integrity and availability of its data and cyber security measures should form a critical part of a multi-layered approach that includes physical and personnel security. 

GovUK:          Centre for Protection of National Infrastructure:

For cost effective advice and recommendation on Cyber Security and Training for your organisation, please contact Cyber Security Intelligence.

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks:

 

« The Data Center Containment Solution Market is Growing
Fake PayPal Emails Cost £8million In Theft »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Allen & Overy

Allen & Overy

Allen & Overy is an international law firm. Practice areas include Cybersecurity and Data Protection.

Axiomatics

Axiomatics

Axiomatics provides dynamic authorization and access control solutions to protect critical data assets.

Cloudmark

Cloudmark

Cloudmark is a trusted leader in intelligent threat protection against known and future attacks, safeguarding 12 percent of the world’s inboxes from wide-scale and targeted email threats.

Rewertz

Rewertz

Rewterz is a cyber security company based out of Dubai, serving customers in UAE, Oman, Qatar, Bahrain, Saudi Arabia, and Pakistan.

Arcanum Information Security (AIS)

Arcanum Information Security (AIS)

Arcanum Information Security is a specialist Information Assurance Consultancy and a leading provider of Cyber Security services to UK Defence, UK Government, Enterprise businesses and SMEs.

Sandia National Laboratories

Sandia National Laboratories

Sandia National Laboratories is a premier science and engineering lab for national security and technology innovation. Activity areas include Cyber and Infrastructure Security.

Devel

Devel

Devel is a LATAM cybersecurity company specialized in providing red, blue and purple team services for the financial sector.

Armis

Armis

Armis offers the markets leading asset intelligence platform designed to address the new threat landscape that connected devices create.

IoT M2M Council (IMC)

IoT M2M Council (IMC)

The IMC is the largest and fastest-growing trade organisation in the IoT/M2M sector.

972VC

972VC

972VC was created to help entrepreneurs find potential funding for their startups. Your guide to the Israeli startup funding ecosystem.

High Security Center (HSC)

High Security Center (HSC)

High Security Center provide real-time threat protection. We protect your company from targeted and persistent attacks using technologies such as Machine Learning and Behavioral Analysis.

Private Machines

Private Machines

Private Machines develops unique patent-pending technology protects cloud and data center workloads.

United Network Technologies

United Network Technologies

United Network Technologies is a leading Managed Services Provider, distributor and developer of specialised cyber security components and technologies.

Syracom

Syracom

syracom is a consultancy firm specialized in development of efficient business processes. With our expertise and IT competence, we develop tailored solutions for customers in various industries.

RMRF Tech

RMRF Tech

RMRF is a team of cybersecurity engineers and penetration testers which specializes in the development of solutions for early cyber threat detection and prevention.

Debevoise & Plimpton

Debevoise & Plimpton

Debevoise & Plimpton LLP is a premier law firm with market-leading practices in areas including Data Strategy & Security.