Cyber security

Does your business have effective policies and practices in place to prevent and address a cyber breach?

The internet has become a crucial part of daily life for individuals and businesses. As such, cyber security is crucial to all businesses, regardless of size or sector. Without adequate cyber security measures embedded into culture and operations, businesses are taking huge risks. Events throughout 2017, such as the WannaCry ransomware attacks, the Equifax breach and the leaking of thousands of personal emails, received global media attention and exemplified the importance of protecting information that is sensitive both to businesses and to their customers.

Understanding and recognising the evolving landscape of cyber threats at board level is essential to the sustainability and competitiveness of businesses. Acting on cyber security means being prepared for and responding to breaches, and it concerns intellectual property, customer information, resources, financial data, employee records, and much more. From coffee machines to driverless cars, everything that is linked to a network has the potential to be accessed by hackers. Interconnectivity is increasing with the growth of the ‘Internet of Things’, which brings the ability to collect much more data, from more individuals, including more sensitive data. The security built into all products and services is becoming ever more important, as is the security that companies apply in their own business practices.

A business’s preparedness for a cyber attack, and how it responds in the event of an attack, can have profound impacts up to and including complete organisational failure. The 2017 Information Security Breaches Survey reported that 68% of large organisations had experienced a security breach of some sort. An FSB report published in June 2016 notes that 66% of small businesses have been victims of cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000. Given the impact of these breaches, cyber security is not exclusively an issue for large multinationals.

Businesses of all sizes increasingly hold enormous amounts of customers’ and employees’ private data, including ‘big data’ and ‘metadata’ on members of the public. Such data can be used to establish detailed and accurate profiles of individual behaviour and consumer habits, raising concerns over privacy and data ownership. Despite the significant financial and ethical dangers that accompany cyber crime, there is considerable evidence that cyber security is still not treated as a high-priority strategic issue by many businesses.

The technical elements of cyber security are manifold. So too are the relevant human behaviours, which are often overlooked or not properly considered when cyber security rules, regulations and codes are drafted. For example, best-practice guidelines often encourage employees to change their passwords regularly. However, experience suggests that this often leads to people choosing shorter, less secure passwords, or writing them down. Such unintended consequences can lead to a greater, not lesser, threat of cyber breach.

Advocates stressing the importance of employee behaviour suggest a holistic, joined-up approach to cyber security that begins and ends with what people do in the workplace and why. This approach includes:

● Good written rules that are practical and usable, and can be easily understood by everyone in an organisation
● Effective training so staff know what to do and how - there is no substitute for being shown via demonstrations
● Ensuring consistent awareness among staff, such as through notices in common areas
● Rewarding good behaviour and disincentivising rule breaches with sanctions and punishment
● Empowering employees to act by cultivating culture and trust - employees should have a healthy dose of scepticism regarding unusual or risky behaviours.

Collaboration and trust building are essential to cyber security, both within and between organisations. Sharing information on threats between companies allows organisations to be better prepared and increases their ability to deal with threats. This sort of collaboration depends on trust between individuals, which can be fostered by trust networks that support information sharing between organisations or individuals, or by other routes of networking. Similarly, the reporting of breaches within an organisation is easier when relationships between individuals are strong and built on trust.

Certification to baseline standards on cyber security could help businesses to prevent successful attacks, although this is not suitable for all organisations. The UK Government publishes its Cyber Essentials requirements, while ISO/IEC 27001:2013, developed by the International Organization for Standardization, is a more comprehensive certification.

In 2018, new EU-wide regulation comes into force, which will affect all businesses processing the data of EU citizens. The new EU General Data Protection Regulation (GDPR) will change the game for both large organisations and SMEs in the security of personal information. Organisations can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) if they fail to protect personal information. Under GDPR, fines can also be issued if an organisation cannot demonstrate that it has built security into its systems and processes. Regardless of legislative changes, this is an area that will face constant and potentially rapid change, which businesses will need to be aware of and adapt to.

Cyber Security

'Cyber security' is security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

Hacker

A 'hacker' is an individual who attempts to gain unauthorized access to a computer system by exploiting its weaknesses and/or design flaws.

Cyber Attack

A 'cyber attack' is an attempt by hackers to destroy a computer network or system, or to destroy, change or steal information contained on it.

Firewall

A 'firewall' is hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.

Encryption

'Encryption' is the process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).

Malware

'Malware' is short for malicious software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.

Virus

The most common form of malware is the 'virus', which is loaded onto a computer and then run without the user's knowledge, or without the user being aware of its full effects.

Spyware

'Spyware' is malware that passes information about a computer user’s activities to an external party.

Phishing

'Phishing' is a method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organization (often a bank). The email usually contains a link to a fake website that looks authentic.

Cloud Computing

'Cloud computing' is convenient, on-demand network access to a personal or shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

ISMS

An 'information security management system' (ISMS) is a set of policies and procedures for systematically managing an organisation's sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by limiting the impact of a security breach.

Sensitive Information

'Sensitive information' is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organisation. There are three types: personal information, business information, and classified information.

GDPR

The 'EU General Data Protection Regulation' (GDPR) replaces the Data Protection Act (DPA) in May 2018. It was designed to protect and empower all EU citizens' data privacy and applies to all businesses that process the data of subjects of the European Union, regardless of where the business is based.

CISSP

A 'Certified Information Systems Security Professional' (CISSP) certification is an internationally recognised qualification in information security, available to those who have at least four years' experience in the field. The curriculum covers a variety of topics including identity and access management and security engineering.

ISO/IEC 27001:2013

'ISO/IEC 27001:2013' specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

ICO

The 'Information Commissioner’s Office' (ICO) is the office responsible for upholding the DPA and the Freedom of Information Act, promoting openness by public bodies and the right to privacy of individuals.

Biometrics

'Biometrics' is the measurement and statistical analysis of people's physical and behavioural characteristics, such as fingerprints, gait or voice.

Internet of Things (IoT)

The 'Internet of Things' is the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.

Privacy by Design

'Privacy by Design' is an approach to systems engineering which takes privacy into account throughout the whole engineering process.

Ransomware

'Ransomware' is a type of malicious software designed to block access to a computer system until a sum of money is paid.

Spear Phishing

'Spear phishing' is an email designed to obtain financial or other confidential information; it differs from a simple phishing email in that it is targeted at a specific individual or organisation. Some basic information has already been obtained and is used to make the email appear more genuine and therefore trustworthy. The email will appear to come either from a specific person, sometimes from within the same company as the target, or from an organisation the person has a relationship with.

Two factor identification

The use of security steps in addition to a username and password. The extra step requires something that only the user would have, for example a piece of information (such as a PIN) or a physical object (such as a card reader).

Answering YES

All Businesses MUST

Explain any strategies or steps taken to minimise cyber security risks

Explain their approach to cyber security across IT capabilities, process management and human resource management, to ensure the wider company understands cyber security risks

Explain any policies or procedures in place to deal with a cyber breach

Explain whether they have a nominated individual or team responsible for cyber security

Explain whether there is a named company officer with responsibility for data privacy and GDPR and, if so, how this is communicated to key people in the business

Micro Businesses MAY

Explain their policies of dealing with personal data

Describe how, and how frequently their strategies are reviewed

Describe their approaches (if any) to combat threats, both internal and external

Describe any other relevant policies or activities which indicate an appropriate approach to cyber security

Explain any training staff are given in regards to computer usage and security risks

State how key assets are identified and protected, if relevant

Describe anything within the company’s culture that relates to cyber security

Explain whether they hire any external cyber security consultants

Explain policies relating to sharing data with third parties

All Other Businesses MAY

Describe the policies and procedures in place to address cyber security breaches, including who is responsible

Confirm that a cyber security risk assessment is carried out regularly (i.e. at least once per year)

Set out the process to comply with the findings from any risk assessment, and provide an example where reasonable steps were previously taken to comply, if available

Confirm that an information audit is undertaken regularly which documents the personal data that is held, the source of such data, and details of with whom such data are shared

Confirm a data processing review is carried out which identifies and documents the legal basis for such processing

Confirm that there are procedures in place to detect, investigate and report on personal data breaches

Confirm their privacy and data protection procedures and policies are codified and documented

Confirm their critical information and systems not related to personal data (e.g. blueprints for new designs, merger plans etc) are adequately protected and that there are procedures in place to detect, investigate and report on any breaches

Describe how often these data protection policies are reviewed

Explain the disclosure/escalation policy in the event of an incident/breach

Explain whether the organisation has a nominated data protection lead

Explain compliance with external standards/marks of excellence (e.g. ISO)

Describe any risk assessments/audits or penetration tests undertaken by accredited experts

Explain policies relating to sharing data with third parties

Describe anything within the company’s culture that relates to cyber security

Describe their approaches (if any) to combat threats, both internal and external

State whether they have obtained or are working towards a recognised security standard (e.g. ISO27001 or the Government’s Cyber Essentials scheme)

Answering NO

All Businesses MUST

Explain why they do not or cannot answer YES to this question and list any mitigating circumstances or any other reasons which apply

All Businesses MAY

Indicate any relevant practices and policies, even if they do not fully address the specifications for answering YES

Mention any future plans

DON'T KNOW is not a permissible answer to this question

NOT APPLICABLE is not a permissible answer to this question

Version 2

To receive a score of 'Excellent'

The business is fully prepared for a cyber attack

Examples of policies and practices which may support an EXCELLENT statement (not all must be observed; enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Effective strategies in place for monitoring IT systems and networks
  2. The effectiveness of security policies and procedures are reviewed more than once a year
  3. Security policies are written down and all staff are given face to face training in their meaning
  4. Has clear, efficient processes in place for reacting to incidents, such as a phishing scam or ransomware request, and these are communicated to all employees
  5. Cyber security is addressed at most board meetings
  6. The responsibility for cyber risk is appropriately allocated and a multifunctional team has been appointed
  7. Specialist team has clarified powers, autonomy and lines of communication in case of breach, with a clear and effective security incident response procedure in place
  8. There is a register of cyber security risks
  9. Has adequate preventative measures in place against financial crime such as identity theft, CEO fraud, invoice fraud, terrorist funding and money laundering
  10. Regularly backs up information (at least once a week) and checks the integrity of backups
  11. Two factor authentication is used when logging in to critical internal systems and services and whenever available in external systems
  12. All internal services (such as emails and messaging) are encrypted
  13. All electronic computing equipment is fitted with up-to-date antivirus software and programs
  14. Malware protection software is installed on all computers that are connected to or capable of connecting to the internet
  15. Malware protection software is configured to perform regular scans of all files (e.g. daily)
  16. There is a policy on the use of mobile devices and Mobile device security is in place, e.g. remote wiping
  17. Redundant IT equipment is disposed of or recycled in a secure way
  18. Usernames and strong passwords are mandatory. Additions to usernames and passwords – such as biometrics, USB stick or two factor authentication – are available
  19. Access privilege is managed and unnecessary access is not granted
  20. Has strong provisions in place to defend against insider threat, such as a strong, ongoing personnel security regime, acting to minimise feelings of disgruntlement among employees and application of checks to anyone with legitimate access to workplace, for instance, contractors and business partners
  21. Has provisions in place to protect against insider threat during the recruitment process, such as vetting and taking up references
  22. Compliance with cyber requirements is included in employee contracts with consequences for non-adherence
  23. Employees are given regular training on cyber security issues (more than once a year)
  24. Programs and/or training in place to educate employees on the secure use of equipment
  25. Has a comprehensive strategy in place for identifying and protecting critical data
  26. Data collection and retention has been limited to what is necessary for the conduct of the organisation in line with the Data Protection Act and GDPR regulation
  27. Data minimisation methods in place, such as imposing a time limit on how long personal data is held for, or de-identifying the data they collect
  28. Organisation has a named individual who takes active responsibility for the protection of personal data
  29. Enables individuals to request data held on them, equivalent to Freedom of Information Request
  30. Business Continuity plans incorporate information security
  31. Cyber security elements of Business Continuity and Incident Management plans are tested more than once a year
  32. Cyber security is considered when developing products and services as well as business operations
  33. Compliance with cyber requirements is included in third party contracts where appropriate
  34. The security of the supply chain is actively managed, e.g. asking key suppliers to confirm their security arrangements on a regular basis
  35. Active and contributing member of a relevant organisation (e.g. National Crime Agency)
  36. Actively works to build trust between and within organisation, e.g. specialist team engages with other teams and individuals
  37. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees) and reports any and all significant breaches to the ICO
  38. Has an employee who has obtained the CISSP certification

To receive a score of 'Good'

The business pursues various cyber security best practices

Examples of policies and practices which may support a GOOD statement (not all must be observed; enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Security policies are written down and explicitly referenced when appropriate
  2. The effectiveness of their security policies and procedures are reviewed at least annually
  3. Cyber security regularly considered at board level
  4. Appropriate person identified for reporting incidents such as a phishing scam or ransomware request
  5. The responsibility for cyber risk is appropriately allocated and a team has been appointed
  6. Specialist team has clarified powers in case of breach
  7. Strategies for monitoring IT systems and networks are under active consideration
  8. There is a register of cyber security risks
  9. Frequently backs up information and checks the integrity of backups
  10. Practices network segmentation
  11. All electronic computing equipment is fitted with antivirus software and programs
  12. Malware protection software is installed on all computers that are connected to or capable of connecting to the internet
  13. Malware protection software is configured to perform regular scans of all files (e.g. daily)
  14. Considering encrypting emails and messages sent via internal servers
  15. Usernames and strong passwords are mandatory
  16. Two factor authentication is used when logging in to external systems whenever available
  17. Access privilege in regard to critical information and systems, is managed
  18. Employee accounts closed after they have left organisation, access revoked
  19. There is a policy on the use of mobile devices
  20. Redundant IT equipment is disposed of or recycled in a secure way
  21. Has some provisions in place to protect against insider threat, such as reactive monitoring of employee behaviour on IT networks
  22. Has provisions in place to protect against insider threat during the recruitment process, such as vetting and taking up references
  23. All employees are made aware of the issue of cyber security
  24. Compliance with cyber requirements is included in employee contracts
  25. Employees encouraged to choose strong passwords
  26. Employees are given annual training on issues that may arise in relation to cyber security, with ongoing support if required
  27. Organisation has a named individual who is responsible for the protection of personal data
  28. Working on a comprehensive strategy for identifying and protecting sensitive data
  29. Data collection and retention has been limited to what is necessary for the conduct of the organisation in line with the Data Protection Act and GDPR regulation
  30. Business has undertaken some data minimisation methods such as imposing a time limit on how long personal data is held for, or de-identifying the data they collect
  31. Business Continuity plans incorporate information security
  32. Cyber security elements of Business Continuity and Incident Management plans are tested at least once a year
  33. Practices privacy by design and integrates cyber security practices within products and services
  34. Extends liability to cover damage from security breach through their products
  35. Compliance with cyber requirements is included in third party contracts where appropriate
  36. Passive member of a relevant organisation (e.g. National Crime Agency)
  37. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees)

To receive a score of 'Okay'

Some cyber security practices are demonstrated OR given the nature of the business and its operations, cyber security is not relevant

Examples of policies and practices which may support an OKAY statement (not all must be observed; enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Security policies are written down and available to staff
  2. The responsibility for cyber risk is allocated to an appropriate employee
  3. Top-level employees consider cyber security an important issue
  4. Reporting on policies and practices is ad hoc/ inconsistent, or findings not acted upon
  5. Responsibility for cyber security is siloed within one team/individual
  6. Emails or messages may be encrypted
  7. Basic protections taken on electronic equipment, such as antivirus software
  8. Basic malware protection software is installed on computers that are connected to or capable of connecting to the internet
  9. Employees are aware of basic cyber security issues, e.g. through the use of awareness campaigns
  10. Organisation is registered with the ICO if applicable (a legal requirement for organisations which process personal data such as personal details of employees)
  11. The business follows UK Money Laundering Regulations required by law, including appointing a nominated officer
  12. Committed to future improvements, with clear goals in place

To receive a score of 'Poor'

No attention paid to cyber security

Examples of policies and practices which may support a POOR statement (not all must be observed; enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

  1. Cyber security is not considered a significant issue for the business
  2. No written policy on cyber issues
  3. No regular reviews of policies
  4. No identified person responsible for responding to a cyber security incident
  5. Employees not required to change their passwords from the default
  6. Electronic equipment not fitted with antivirus software, or software is not regularly updated
  7. Data/resources not adequately protected or stored
  8. Fails to report breaches to reporting bodies, or does not share with external parties
  9. Fails to meet regulations and/or legal requirements
  10. When breaches occur, fails to take necessary steps to resolve the risks that led to them
  11. Failings within security systems are obvious, and unresolved
  12. Often unaware they have been breached, only aware through being informed by third party