Some excellent advice from NCSC for small businesses, and I suspect there are also some larger organisations which would benefit from diligently implementing this advice.
“To err is human. Unfortunately, the lasting effects of a simple mistake in a digital world can be catastrophic.”
(IBM X-Force Threat Intelligence Index 2018)
Cyber security reports and surveys continue to find that, while sophisticated cyber attacks do happen, simple mistakes, errors of judgement and the exploitation of very basic security weaknesses are a bigger threat to most organisations. What do I mean by this? Examples from my own experience include the accidental deletion of a very large amount of company information during a hardware upgrade, and a dishonest individual who exploited poor password practices to bypass payment controls and steal a large amount of money from his employers.
Cyber security is an area that can be complex, technical, and expensive. And the marketing typically dwells on the worst-case outcomes if things go wrong. But it doesn’t have to be like that. The good news is that, while security can never be guaranteed, you can hugely reduce both the likelihood and the impact of a security incident with a small number of controls. And it won’t cost you a fortune – unlike a high-profile incident.
Keep it simple
- Make sure all IT users are aware of good security practice, especially how to use strong passwords and what to do when there is an incident
- Back up important information
- Ensure software is kept up-to-date
- Use firewalls to protect the network from the outside world
- Install and configure anti-malware software
- Encrypt sensitive information, especially on mobile devices
This approach to security is straightforward, affordable and effective. If you need a helping hand with any aspect of it, please get in touch.
When Cloud meets Cyber?
Cloud is a hot topic and so is cyber security. What happens when the two meet?
The popularity of cloud computing continues to grow. One recent report found that 92% of organisations now use at least one public cloud. Amongst the reasons for this are savings in time and money, and the ability to access systems from anywhere that is internet-connected.
In essence, cloud is a simple concept – running your systems on someone else’s computers. And thinking about it in these terms helps to clarify the cyber security issues, for example:
- where is the data?
- how is the data accessed?
- who is responsible for security?
Where is the data?
It’s in a data centre “somewhere”. But that could potentially be anywhere in the world. It is important that cloud customers understand exactly where their data is, and also where it might be moved if its usual location were to become unavailable. Location may affect compliance with legislation, such as data protection, and the legal jurisdictions within which the cloud provider operates may also be a concern for some organisations.
Increasingly, cloud providers are offering assurances that data will remain within the UK, sometimes at an additional cost.
How is the data accessed?
Typically, customers access cloud services via the internet and this raises several questions. How stable and reliable are the connections between the business and the internet? Is there a risk that internet connectivity could be unavailable for a period of time? Would the business be able to operate during that time without its cloud-based applications?
It is also important, if access can be gained from anywhere with an internet connection, to ensure that user accounts, especially administrator accounts, are protected by passwords that are difficult to guess. Two-factor authentication may also be appropriate. File permissions are another area to consider: they need to be set correctly if private information is not to be accidentally made public.
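As an added example (it is not code from the original post and is not tied to any particular provider's API), the following Python script audits a small, constructed tenant inventory for the two slips described above: privileged accounts with no second factor or a short password, and shared files whose permissions make them reachable without signing in. The role names, the principal names such as `anyone_with_link`, the 12-character minimum and the inventory itself are all assumptions made for the example.

```python
"""Audit a constructed cloud-tenant inventory for weak admin protection
and accidentally public file shares.

All data below is constructed for this example. Role names, principal
names and the 12-character password minimum are assumptions, not any
provider's real values.
"""
from dataclasses import dataclass

# Assumed role names that carry administrator-level rights.
PRIVILEGED_ROLES = {"global_admin", "billing_admin", "security_admin"}
# Assumed principal names that mean "no sign-in required".
PUBLIC_PRINCIPALS = {"anyone", "anyone_with_link", "anonymous"}
MIN_PASSWORD_LENGTH = 12  # assumed policy for the example


@dataclass
class Account:
    username: str
    roles: set
    mfa_enabled: bool
    password_length: int  # only the length is recorded, never the password


@dataclass
class SharedItem:
    path: str
    grants: dict  # principal -> "read" or "write"
    sensitive: bool  # classified as private information


def audit_accounts(accounts):
    """Return (severity, username, message) for each weak account."""
    findings = []
    for acct in accounts:
        privileged = bool(acct.roles & PRIVILEGED_ROLES)
        if privileged and not acct.mfa_enabled:
            findings.append(("HIGH", acct.username, "privileged account without 2FA"))
        if acct.password_length < MIN_PASSWORD_LENGTH:
            severity = "HIGH" if privileged else "MEDIUM"
            findings.append((severity, acct.username,
                             f"password shorter than {MIN_PASSWORD_LENGTH} characters"))
    return findings


def audit_sharing(items):
    """Return (severity, path, message) for each item reachable without sign-in."""
    findings = []
    for item in items:
        public = sorted(p for p in item.grants if p in PUBLIC_PRINCIPALS)
        if not public:
            continue  # every grant requires an authenticated principal
        perms = {item.grants[p] for p in public}
        # Public write access, or public read of private data, is the worst case.
        severity = "HIGH" if item.sensitive or "write" in perms else "MEDIUM"
        findings.append((severity, item.path,
                         f"reachable without sign-in via {', '.join(public)}"))
    return findings


# Constructed inventory for the example.
ACCOUNTS = [
    Account("alice", {"global_admin"}, True, 20),
    Account("bob", {"global_admin"}, False, 14),
    Account("carol", set(), True, 8),
    Account("svc-backup", {"billing_admin"}, False, 10),
]

SHARES = [
    SharedItem("/Finance/payroll-2024.xlsx",
               {"anyone_with_link": "read", "finance-team": "write"}, True),
    SharedItem("/Marketing/brochure.pdf", {"anyone": "read"}, False),
    SharedItem("/HR/contracts", {"hr-team": "write"}, True),
    SharedItem("/Public/uploads", {"anonymous": "write"}, False),
]


def run_audit(accounts=ACCOUNTS, items=SHARES):
    """Combine both audits, highest severity first."""
    findings = audit_accounts(accounts) + audit_sharing(items)
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for severity, subject, message in run_audit():
        print(f"{severity:6} {subject:30} {message}")
```

In practice the inventory would be pulled from the provider's own admin or audit API; the checks themselves do not change. Note that `/HR/contracts` produces no finding even though it is sensitive, because every grant on it is to a named team rather than a public principal.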
Who is responsible for cyber security?
Every cloud provider operates a shared responsibility model for cyber security. The provider is responsible for some elements of security. The customer is responsible for other elements.
For example, in an Office 365 environment, Microsoft operates and secures the infrastructure. It also provides application controls to help customers protect their information. The customer in turn is responsible for configuring these controls to secure their data. The customer is also responsible for the security of the endpoints from which they access the data.
It is vital that the customers of any cloud provider have a clear understanding of where these responsibilities lie. This enables them to confirm both that the provider is meeting its commitments and also that they, the customer, are meeting theirs. I know of one business where security patches were not installed for a period of time because it had mistakenly been assumed that patching was the cloud provider’s responsibility.
What’s the bottom line?
In summary, the same cyber security principles should be applied to the cloud as to any other environment. Controls should be implemented based on an assessment of the risk, and checks made to ensure that security is correctly configured with nothing being overlooked or falling into a gap between supplier and customer.
The good news is most cloud providers present a wealth of information on their security accreditations, their certifications, and the controls they have in place. And many offer a level of cyber security well beyond what most of their customers could afford to implement in-house.
For most organisations, there is no reason why cyber security should prevent the adoption of cloud computing provided the issues described in this blog are acknowledged and addressed.
If you would like a security assessment of your current or planned cloud environment, please do not hesitate to contact us. We will be delighted to help.
The National Audit Office has published ‘Cyber security and information risk guidance for Audit Committees’. It provides a checklist of questions and issues covering:
- The overall approach to cyber security and risk management
- Capability needed to manage cyber security
- Specific aspects, such as information risk management, network security, user education, incident management, malware protection, monitoring, and home and mobile working
- Related areas, such as using cloud services and developing new services or technology
Organisations generally may wish to ask themselves the questions in this guide before their audit committees or auditors ask them (or they find themselves overtaken by events).
The UK Government has carried out research with UK registered charities to explore their awareness, attitudes and experiences around cyber security.
The research found that charities often see cyber security as important. However, it “also flags the many barriers that charities face when it comes to engaging with the issue, including competing priorities for time and resources, and staff not necessarily equipped with the knowledge and skills to deal with the issue.”
The report concludes “There is a need for basic awareness raising among staff and trustees, and upskilling of those responsible for cyber security – so they know the basic technical controls they can put in place. It may also help to disseminate Government information and support via the organisations with which charities already have established relationships, such as the Charity Commission. Finally, making use of private sector expertise among trustees may also help individuals within charities to champion the issue.”
The latest data security incident figures from the Information Commissioner’s Office are a reminder that, although cyber receives a lot of airtime, organisations need to be mindful of all aspects of information security. The figures cover the period January to March 2017. There were 119 cyber security incidents, making cyber the second most frequently reported type of incident. However, cyber incidents account for only 18% of the 678 incidents reported in total.
Some interesting findings with implications for cyber security from the recent NAO report on online fraud:
- Fraud is now the most commonly experienced crime in England and Wales, and most takes place online.
- There is a lack of co-ordination and consistency in education campaigns to improve citizens’ and businesses’ cyber security.
- Although educating people to stay safe online is sensible… government and industry have responsibility to protect citizens and businesses.