In the wake of the recent Sony hack, cyber security risks are as apparent as ever. The need to take proactive steps to ensure a business is adequately protected is likely to be a key feature on many board meeting agendas in the coming year. While the security measures taken will differ depending on the size and nature of a business, every company, whatever the size, should be implementing relevant procedures to guard itself against cyber security risks. The Department for Business, Innovation and Skills (BIS) launched the Cyber Essentials Scheme in 2014, highlighting controls to implement to help secure IT systems and mitigate cyber security risks. The Cyber Essentials Scheme focuses on five basic qualifications of the 10 steps to cyber security launched in 2012 jointly by BIS, the Centre for Protection of National Infrastructure (CPNI) and Government Communications Headquarters (GCHQ). We explore these recommendations and set out the essential steps to take to safeguard a business.
The Cyber Essentials Scheme (Scheme) – 5 basic controls to implement
Clearly identifying information assets and systems that are susceptible to cyber security challenges is crucial to ensuring effective controls. The Scheme highlights five basic controls to put into place:
1. Boundary firewalls and internet gateways
Boundary firewalls, internet gateways or comparable network mechanisms should be in place to protect systems, applications, information and devices against unauthorised access and exposure to the internet. Without these, systems are at risk of being easily accessed, leaving information exposed and at risk of deletion. A boundary firewall acts as a defence by regulating inbound and outbound network traffic, blocking the common cyber threats that are easily created with widely and freely available tools on the internet.
The Scheme also recommends that:
- the password to the firewall should be strong and not the default option;
- an authorised individual should approve each rule that allows network traffic to pass through the firewall, which should be documented;
- commonly vulnerable services and unapproved services should be blocked at the boundary by default;
- the firewall should be kept up to date so that out of date rules are deleted; and
- it should not be possible to access the dashboard to manage the firewalls from the internet.
2. Secure configuration
Devices connected to a network must be configured to ensure that they can only provide the services required and are not given access to surplus networks or systems. This will help to reduce characteristic vulnerabilities of some devices. The default settings and applications on many devices can serve as a route for cyber attackers to gain easy access to the information on these network devices. The Scheme suggests that when installing network devices, some basic controls should be employed such as:
- user accounts that are not needed should be deleted;
- passwords should be changed from default at installation and must be strong;
- redundant software should be removed or disabled;
- software settings such as auto-run should be disabled to prevent software being active when accessing network folders and where removable storage is used; and
- a personal firewall should be enabled on computers and set to block unapproved connections by default - this may often be installed on a computer as part of an operating system.
Passwords act as a first line of defence and should, therefore, be made as strong as possible. It is recommended to include:
- three or more words;
- upper and lower cases; and
It is also wise to avoid common passwords. Attackers can sometimes guess passwords from information displayed publicly on social media accounts and other public sources, so it is recommended to avoid using:
- date of birth;
- name, family member's name or current partner's name;
- favourite holiday;
- significant dates;
- place of birth; and
- number sequences.
Compromised passwords can lead to vast amounts of information being easily accessed by cyber attackers. A concise policy on passwords setting out some top tips will help to communicate the importance of strong passwords to employees.
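As an added illustration, not part of the Scheme's guidance or this article, the following Python function applies the password rules listed above (three or more words, mixed case, no personal details, no number sequences) to a candidate password. The personal details and the common-password list are constructed sample data, and the word-counting and sequence-detection heuristics are assumptions about how to interpret the Scheme's wording.

```python
import re
from datetime import date

# Constructed personal details of the kind that is often public on social media.
PERSONAL_INFO = {
    "name": "Alice",
    "partner": "Bob",
    "place_of_birth": "Leeds",
    "favourite_holiday": "Ibiza",
    "date_of_birth": date(1985, 12, 3),
}
COMMON_PASSWORDS = {"password", "letmein", "qwerty"}  # constructed deny list


def _date_tokens(d):
    """Ways a date of birth typically appears inside a password (assumption)."""
    return {f"{d.year}", f"{d.year}{d.month:02d}{d.day:02d}",
            f"{d.day:02d}{d.month:02d}{d.year % 100:02d}",
            f"{d.day:02d}{d.month:02d}{d.year}"}


def _has_number_sequence(pw, run=3):
    """True if any run of digits contains `run` consecutive ascending, descending or repeated digits."""
    for m in re.finditer(r"\d+", pw):
        s = m.group()
        for i in range(len(s) - run + 1):
            w = [int(c) for c in s[i:i + run]]
            if {w[j + 1] - w[j] for j in range(run - 1)} in ({1}, {-1}, {0}):
                return True
    return False


def check_password(pw, info=PERSONAL_INFO):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    # A "word" is a run of letters, split on spaces, punctuation or a capital letter.
    if len(re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", pw)) < 3:
        problems.append("fewer than three words")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("missing upper or lower case")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    for key in ("name", "partner", "place_of_birth", "favourite_holiday"):
        if info[key].lower() in low:
            problems.append(f"contains {key}")
    if any(tok in pw for tok in _date_tokens(info["date_of_birth"])):
        problems.append("contains date of birth")
    if _has_number_sequence(pw):
        problems.append("contains number sequence")
    return problems
```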
3. Access control
User accounts should allow for the minimum level of access required for applications, devices and networks. Users requiring special privileges to manage controls must be authorised individuals. To help control access, the Scheme suggests:
- inception of each user account must be approved in a formalised process;
- users with special privileges should be limited and details about those with special privileges should be documented and kept in a secure location;
- any administrative accounts should serve only that administrative purpose for which they are created;
- usernames and passwords for access to devices, applications, email or the internet should be unique and strong, and passwords should be changed regularly, at least every 60 days; and
- when user accounts are no longer required or are inactive for a pre-defined period (e.g. three months), they should be removed or disabled, especially when special privileges are granted to user accounts.
4. Malware protection
Where computers are connected to the internet, malware protection software should be installed to protect against malicious software such as viruses, worms and spyware that serve to perform unauthorised functions on computers. Malware protection software can protect against malware which can be easily transmitted by a number of means including emails, websites or files on storage media. This may seem an obvious protection but it will help ensure greater protection from potential cyber attacks. The protection software should be kept up to date and configured to automatically scan files once accessed and perform regular general scans. It should also be set up to block access to malicious websites.
The Scheme recommends that as well as the more established use of malware protection for desktop PCs, laptops and servers, devices such as tablets and smartphones are also likely to need malware protection.
5. Patch management
Computers and other devices connected to a network are at risk from weaknesses in the software they run. Such flaws are disclosed frequently, often daily, and once exposed they can quickly be exploited. Software producers monitor flaws and release software updates known as patches. An organisation should formalise the patch management process so that updates can be monitored effectively and installed efficiently, forming a strategy that details which patches should be applied to each piece of software or system and when. Updates to software should be installed promptly; the Scheme suggests doing so as soon as updates are available or, at the latest, within 30 days of release. For security patches the recommended implementation time is immediately or within 14 days of release. In addition, any software used should be licensed and supported by its supplier or vendor to ensure that the relevant security patches are provided. Software that is no longer supported should be removed from network-connected devices.
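As an added example, not part of the Scheme or this article, the following Python code classifies a software inventory against the patching timescales given above: security patches within 14 days of release, other updates within 30 days, and unsupported software removed. The inventory entries and their dates are constructed sample data.

```python
from datetime import date, timedelta

# Timescales stated in the Scheme's patch management guidance.
SECURITY_DEADLINE_DAYS = 14
GENERAL_DEADLINE_DAYS = 30

# Constructed inventory for one device: each entry records the latest available
# update, whether it is a security patch, and when (if ever) it was installed.
INVENTORY = [
    {"software": "OfficeSuite", "supported": True, "security": True,
     "released": date(2015, 1, 5), "installed": date(2015, 1, 10)},
    {"software": "PDFReader", "supported": True, "security": True,
     "released": date(2014, 12, 1), "installed": None},
    {"software": "MediaPlayer", "supported": True, "security": False,
     "released": date(2014, 12, 20), "installed": None},
    {"software": "LegacyDB", "supported": False, "security": False,
     "released": None, "installed": None},
]


def patch_status(item, today):
    """Classify one inventory entry against the Scheme's patching rules."""
    if not item["supported"]:
        # Unsupported software receives no security patches and should be removed.
        return "remove: unsupported software"
    window = SECURITY_DEADLINE_DAYS if item["security"] else GENERAL_DEADLINE_DAYS
    deadline = item["released"] + timedelta(days=window)
    if item["installed"] is not None:
        return "compliant" if item["installed"] <= deadline else "late"
    return "overdue" if today > deadline else f"due by {deadline.isoformat()}"


def review(inventory, today):
    """Map each software name to its patch status on the given date."""
    return {i["software"]: patch_status(i, today) for i in inventory}


if __name__ == "__main__":
    for name, status in review(INVENTORY, date(2015, 1, 15)).items():
        print(f"{name}: {status}")
```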
It is important to note that if an organisation has chosen not to implement a certain control as set out by the Scheme, due to reasonable business grounds that mean it is not practical or possible to install, alternative controls should be put in place and this should be detailed.
As well as providing guidelines on measures that organisations should take, the Scheme also offers a mechanism, through the Assurance Framework, for certification for organisations either of 'Cyber Essentials' or 'Cyber Essentials Plus'.
The other themes in the 10 Steps to Cyber Security are:
- an information risk management regime;
- user education and awareness;
- incident management;
- removable media controls; and
- home and mobile working.
The Information Commissioner (IC) commented on the launch of the Scheme that it "enables businesses to demonstrate that they are taking action to control the risks". He also noted the important role that cyber security plays in protecting personal data especially as the challenge to safeguard personal data is made increasingly difficult due to more sophisticated cyber threats and as businesses often fail to address the basics.
Information Security is the seventh principle of the Data Protection Act 1998, which requires that appropriate technical and organisational measures be taken by businesses to protect against unauthorised and unlawful processing of personal data as well as safeguarding against damage to, and destruction or accidental loss of, personal data. Practically, to comply with this principle, suitable security procedures must be installed by businesses and the Scheme helps to identify those basic essential security controls to consider.
The IC has further set out that organisations should adopt a risk-based approach in making decisions about levels of security needed to protect a business and has highlighted, in general, guidelines that businesses should consider, ensuring that:
- security is constructed to be appropriate to the type of personal data collected and the harm that could result if that information was compromised;
- it is clear who in an organisation is responsible for information security;
- physical and technical security are suitable for the nature of the business, with back-up and security policies in place and well-trained staff to ensure security is managed appropriately; and
- a breach incident policy is in place to ensure that any breach can be dealt with efficiently and effectively.
There can be no doubt that cyber security is becoming increasingly important, no matter what the size of the organisation or the industry it's in. Cyber security is increasingly being handled at board level and all organisations should take advice issued by the government and the IC on the subject seriously.