British National Cyber Security Guidance

Most organisations rely on their IT systems to carry out business and to control critical functions, using various types of digital technology to manage their safety, security and engineering systems. As a result, businesses can become vulnerable to hacking and threats that undermine their confidentiality, integrity or accessibility. 

The consequences of such incidents can be significant to organisations, leading to loss of reputation, damage to assets, regulatory fines or result in physical injury.

To understand the cyber risk to your business, you should conduct a Cyber Risk Assessment. This will help to ensure that your approach to cyber security is proportionate.  Here is the UK Government’s outline of cyber security information for organisations:

Whilst there is no prescribed format for this, it should be based on the Risk Management processes detailed below. Note that the risk assessing is a continuous, on-going process which you will need to revisit as your business changes and / or threats evolve.

Assessing The Risk

The following three step process will help you identify:

  • The digital technologies and systems which are critical to your business
  • Who might attack them
  • How they might be vulnerable

This information will allow you to narrow down what you must protect.

Impact: What Your Want To Avoid

Your approach to cyber risk management should be driven by the ‘Impacts’ you are trying to avoid. Start by identifying the systems, data and technologies on which your business relies. The type of questions you might want to ask are:

  • Is there technology that must be available for the business to function? (e.g. payment systems, access controls)
  • Do physical security systems rely on digital technology? How are they protected?
  • Are you processing sensitive data? (personal, financial) If so, what if this data is lost, stolen or unavailable?
  • Are you reliant on third-party systems? If so, which systems are central to your business?

If you take a systematic approach, you should be able to produce a prioritised list. You then need to consider the impact of these systems being compromised or becoming unavailable. This basic understanding of what you care about and why it’s important, will help you identify what you must protect.

Threats: What Type of Attacks To Expect

A ‘Threat’ is the individual, group or circumstance, which could cause a given impact to occur. It can be challenging to develop an accurate assessment of the threat to your business without undertaking an appropriate analysis. The following will help you develop a baseline threat picture:

  • Commodity Attacks: All organisations and events, regardless of profile and size, are at risk from commodity attacks that exploit basic vulnerabilities using readily available hacking tools and techniques. Mass phishing campaigns are one example of such an attack.
  • Targeted Attacks: Some businesses will be targeted by cyber criminals who, for example, intend to steal financial or personal information e.g. spear phishing.
  • Methodology: Most attacks are preventable and use well-known techniques.
  • Insider Threat: Not all threats are external. It is essential that internal threats are incorporated into your assessment.
  • Learn from Experience: Has your business or similar businesses previously experienced cyber-attacks? How could those attacks have been prevented?
  • With some research, you should be able to develop a baseline threat assessment. For example, you may decide that your business is unlikely to be deliberately targeted, therefore commodity attacks exploiting basic vulnerabilities are the main threat.
  • Alternatively, you may discover that businesses of similar profile have been targeted by organised crime groups, therefore the threat is heightened and specific defensive measures are required.
  • It should be noted that most targeted attacks still use basic techniques, such as phishing emails, to enable attacks. Good basics are always the first layer of defence 

Vulnerabilities: How Secure Are The Networks & Systems That You Rely On?

A ‘Vulnerability’ is a weakness that would enable an impact to be realised, either deliberately, or by accident. The final stage of the process is identifying your vulnerabilities. You should start by overlaying your critical systems (see ‘Impact’, above), with the expected capabilities of any attackers.

Next, focus on establishing whether the security controls for each critical system are appropriate for the threat. Remember, most cyber-attacks are preventable if basic controls are in place. Identify who is supplying your critical systems and establish a clear picture of each supplier’s cyber security posture.

A good starting point is to ask whether your suppliers hold any existing security certifications (e.g. Cyber Essentials, Cyber Essentials Plus, ISO 27001). Holding a certification indicates that the supplier has a proactive approach to cyber security. If suppliers do not hold any certifications you will need to invest time to understand more about their security posture.

From an IT infrastructure perspective, you may wish to use the Cyber Essentials themes as discussion points:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

For providers of online services, you may wish to focus your discussion on the common web application security issues and for further information:

Almost every business relies on the confidentiality, integrity and availability of its data and cyber security measures should form a critical part of a multi-layered approach that includes physical and personnel security. 

GovUK:          Centre for Protection of National Infrastructure:

For cost effective advice and recommendation on Cyber Security and Training for your organisation, please contact Cyber Security Intelligence.

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks:

 

« The Data Center Containment Solution Market is Growing
Fake PayPal Emails Cost £8million In Theft »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Vertical Structure

Vertical Structure

Vertical Structure services include Security & Penetration Testing, Information Assurance, Bespoke Training Programs and Secure Hosting.

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA) is a non-profit organization dedicated to leading a diversified research agenda in the field of cyber conflict.

OCERT

OCERT

OCERT is the National Computer Emergency Response Team of Oman.

NRD Cyber Security

NRD Cyber Security

NRD Cyber Security create a secure digital environment for countries, governments, and organisations and implement cybersecurity resilience enhancement projects around the world.

National Cybersecurity Institute (NCI) - Excelsior College

National Cybersecurity Institute (NCI) - Excelsior College

NCI is Excelsior College’s research center dedicated to assisting government, industry, military and academic sectors meet the challenges in cybersecurity policy, technology and education.

CloudAlly

CloudAlly

CloudAlly provides online cloud to cloud backup and recovery solutions, which backs up daily changes in your SaaS to unlimited Amazon S3 storage and makes it available for restore or export.

Crashtest Security

Crashtest Security

Crashtest Security is a cyber security company that helps digital companies to continuously create secure software with the help of automated vulnerability assessments.

Knowledge Transfer Network (KTN)

Knowledge Transfer Network (KTN)

KTN links new ideas and opportunities with expertise, markets and finance through our network of businesses, universities, funders and investors.

Cybeta

Cybeta

Cybeta's actionable cybersecurity intelligence keeps your business safe with strategic and operational security recommendations that prevent breaches.

Intracom Telecom

Intracom Telecom

Intracom Telecom is a global telecommunication systems & solutions vendor offering a complete range of professional services and solutions including Information Security.

Canonic Security

Canonic Security

Canonic streamlines app review, continuously monitors apps, and reduces the risks involved in third-party access to your data.

Frontal

Frontal

Frontal is a specialized unit in Blockchain and Web3.0 cybersecurity. Securing Digital Assets, Cryptocurrency, DeFi, Blockchain and Web3.0 ecosystem.

Recast Software

Recast Software

Recast Software exists to simplify the work of IT teams and enable them to create highly secure and compliant environments.

TeKnowledge

TeKnowledge

TeKnowledge enables governments and enterprises around the world to navigate the challenges with digital transformation today and tomorrow with elite cybersecurity protection and managed services.

Intelidata Techedge Pvt. Ltd.

Intelidata Techedge Pvt. Ltd.

Intelidata are a Global Cyber Security Consultancy and Services firm that helps companies drive growth by minimizing risk and maximizing potential.

GoCloud Systems

GoCloud Systems

GoCloud is an IT consulting firm. We provide IT strategy and cloud adoption services to the New Zealand Government, Non-Profit Organisations and private industry.