Cyber Security – Threats, Strategy, Standards & Benefits
October 2015
An overview of the current threat landscape and the options open to professional firms, their clients and businesses generally.
What are you doing to stop me?
Threats
The latest PwC Information Security Breaches Survey (2015), commissioned by HM Government, shows that security breaches continue to grow in number and impact across large and small businesses alike. The report sampled large and small businesses across the UK, and in both size categories the rise in breaches is significant. Some security commentators say that almost all large businesses have suffered a breach but simply do not know it, which is potentially the more worrying statistic.

Of those surveyed, 59% expect the number of security incidents to grow over the coming 12 months and will continue to increase their spend on technology and people skills in search of better protection.

The impact on businesses will inevitably be measured in additional costs, lost sales and reputational damage. Smaller businesses often suffer disproportionately; some are unable to sustain the damage caused and never recover.

The nature of breaches is changing, with attacks from external sources continuing to grow. Larger businesses are more prone to attack, although smaller businesses may simply not know that they have been attacked because they lack the budget and resource to monitor for attacks. Denial of Service attacks continue to decline from their high point in 2013.

While external attacks continue to account for a large share of the breaches recorded, the human factor remains a big issue, for large businesses in particular. The need to develop and maintain a security culture within a business is ever more pressing. Accepting unexpected emails and opening their attachments is a key contributor to breaches in which malware is installed and cyber criminals gain access to systems.

Cyber threats continue to evolve, and the defenders will be playing catch-up for many months and probably years to come. Although many larger businesses are focusing on this subject, the majority of the remaining business world shows little focus, and the steps needed to improve security provision and guard against attacks are not being taken. Professional firms, especially those holding client funds, are particularly vulnerable to attack, and by the nature of their business their names, locations and people are not difficult to identify.
Strategy
In order to establish an improvement in security, a strategy needs to be adopted. The key elements of a successful strategy include:

• Ownership from the top
It is unlikely that any change to an organisation that requires all of its members to embrace it will be successful without leadership and commitment from the top.

• Understanding the organisation's risks
Here the risk relates to the nature of the data and/or assets held. The nature and degree of risk will vary from one organisation to another, for example from sensitive personal data to intellectual property. Client data and client funds are not only susceptible to attack; both are readily identifiable with firms of solicitors of any size.

• Assessing the organisation's relevant skill set
IT skills are very helpful in developing the technical approach, but, as noted above, instigating change and developing processes requires a different skill set. A successful strategy will require both, and they may not already be present within the organisation; this has to be recognised objectively.

• Deciding upon a standard to adopt or align to
The standards now available provide a solid framework against which an organisation can benchmark the development of its security provision; those available are considered below.

• Developing a deployment and management plan
A plan that clearly identifies the goals of the security provision, along with the necessary milestones, is an essential element in achieving an effective security provision.

• Creating a robust security culture
A security provision is only as good as its weakest link, and that is usually the human involvement in the organisation's processes. Developing a security culture that all members at every level of the organisation understand, live and encourage on a daily basis will increase the effectiveness of the security provision. It costs very little to achieve but does require constant focus.

• Communication is vital
Establishing the security provision and the culture behind it will require regular, informative and understandable communication throughout the organisation, extending to other stakeholders including clients and suppliers.
Security Standard landscape
Until 2011 the only established security standard that businesses and organisations could adopt or align to was ISO 27001, and because of the cost of both implementation and maintenance it was not taken up in great numbers by SMEs, or even by many larger organisations.

The lack of accessible standards has since been addressed with the launch of IASME in 2011 and Cyber Essentials in 2014. Both standards are accessible from a cost and implementation perspective.

The chart shows how each of the three standards covers the business and organisational permutations that generally exist.

Each business or organisation should seek advice on which standard is most appropriate, and cost will always be one of the factors. The figures below give a generalised view of the costs involved (2015 pricing):

• Cyber Essentials (annual assessment)
  • Online self-assessment: £300
  • Cyber Essentials Plus, with testing and assessment: £1,500 (depends upon scope)
• IASME (annual assessment)
  • Audited option, varying with organisation size: £3,000 to £15,000
• ISO 27001:2013 and PCI DSS (external audit; ISO 27001 certification runs on a three-year cycle with annual surveillance audits, PCI DSS on an annual validation cycle)
  • Varies greatly and depends on the scope involved
  • Minimum: £10,000

It is likely that the largest expense in each case will be preparing for the assessment or audit, which may include technology changes as well as changes to established processes.
Business Benefits
As with any investment, there need to be business benefits in proportion to the costs involved. Such benefits should include the following:

• Prompts a review of systems generally
Many IT systems are left running until something goes wrong, and the subject seldom appears on SME management meeting agendas. A review of the system can identify issues and establish a greater understanding of what the system has become and what it is actually used for. Both are often a revelation to senior management.

• Generates a greater awareness of data value and risks
Identifying the data actually held on the IT systems, whether on premise or in the cloud, enables a risk assessment to establish the nature of the risks the organisation may be exposed to. Processes evolve over time and are not always reviewed in light of changing threats such as cyber attacks; for example, the routine of recording a new client's bank, passport and other identification details, along with other set-up details, in an unsecured client document is a common and long-established practice.

• Promotes best practice
It is generally accepted that managing any business or organisation along the lines of best practice will reduce the issues that arise from day-to-day operations. There is a clear link in the case of IT security.

• Demonstrates data security focus
The Government Computer Emergency Response Team (CERT) included in its predictions for 2015/16 that consumers will become more demanding of businesses to safeguard the data held about them, and this expectation extends equally to commercial relationships. Achieving a recognised security standard enables a business to demonstrate its approach to data security to all its stakeholders.

• Creates confidence in business systems
It is important for senior management and staff alike to have confidence in their business systems, not only from an operational perspective but also in respect of the security and integrity of the system. The process of achieving accreditation to a security standard requires that the configuration of the system is understood and is appropriate. Such a review creates greater understanding and, in turn, confidence in the systems in place.

• Protects business reputation and value
Minimising the likelihood of a damaging security incident helps safeguard the business for all those involved, from owners to staff, to clients and to the wider relationships the business has.