Cyber security


Does your business have effective policies and practices in place to prevent and address a cyber breach?


The Internet has become a crucial part of daily life for individuals and businesses. As such, cyber security is crucial to all businesses, regardless of size or sector. While no organisation is ever 100% secure, cyber security is about taking steps to manage future risk. Without adequate cyber security measures embedded in culture and operations, businesses are taking huge risks. Recent events, such as the WannaCry ransomware attacks, the Equifax breach and the leaking of thousands of personal emails, have received global media attention and exemplified the importance of protecting information which is sensitive both to businesses and their customers.

Understanding and recognising the evolving landscape of cyber threats at board level is essential to the sustainability and competitiveness of businesses. Acting on cyber security requires being prepared for and responding to breaches, and concerns intellectual property, customer information, resources, financial data, employee records, and much more. From coffee machines to driverless cars, everything that is linked to a network has the potential to be accessed by hackers. This interconnectivity is becoming more prevalent with the growth of the ‘Internet of Things’, and with it the ability to collect much more data, from more individuals, and more sensitive data. The security built into all products and services is becoming even more important, as is the security companies apply in their own business practices.

A business’s preparedness for a cyber attack, and how it responds in the event of an attack, can have profound impacts up to and including complete organisational failure. The 2017 Information Security Breaches Survey reported that 68% of large organisations had experienced a security breach of some sort. An FSB report published in June 2016 notes that 66% of small businesses have been victims of cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000. Given the impact of these breaches, cyber security is not exclusively an issue for large multinationals.

Businesses of all sizes increasingly hold enormous amounts of customers’ and employees’ private data, including ‘big data’ and ‘metadata’ on members of the public. Such data can be used to establish detailed and accurate profiles of individual behaviour and consumer habits, raising concerns over privacy and data ownership. Despite the significant financial and ethical dangers that accompany cyber crime, there is significant evidence that cyber security is still not treated as a high-priority strategic issue by many businesses.

The technical elements of cyber security are manifold. So too are the relevant human behaviours, which are often overlooked or not properly considered in the drafting of cyber security rules, regulations and codes. For example, best-practice guidelines often encourage employees to change their passwords regularly. However, experience suggests that this often leads to people choosing shorter, less secure passwords, or to employees writing them down. These unintended consequences can lead to greater, not lesser, threats of cyber breach.

Advocates stressing the importance of employee behaviour suggest a holistic, joined-up approach to cyber security that begins and ends with what people do in the workplace and why. This approach includes:

● Good written rules that are practical and usable, and can be easily understood by everyone in an organisation
● Effective training so staff know what to do and how - there is no substitute for being shown via demonstrations
● Ensuring consistent awareness among staff, such as through notices in common areas
● Rewarding good behaviour and disincentivising rule breaches with sanctions and punishment
● Empowering employees to act through cultivating culture and trust - employees should have a healthy dose of scepticism in regard to unusual or risky behaviours.

Collaboration and trust building are essential to cyber security, both within and between organisations. Sharing information on threats between companies allows organisations to be better prepared and increases their ability to deal with threats. This sort of collaboration depends on trust between individuals, which can be fostered by trust networks that enable information sharing between organisations or individuals, or by other routes of networking. Similarly, the reporting of breaches within an organisation is easier when relationships between individuals are strong and built on trust.

Certification to baseline standards on cyber security could help businesses to prevent successful attacks, although this is not suitable for all organisations. The UK Government publishes its Cyber Essentials Requirements (https://www.ncsc.gov.uk/information/requirements-it-infrastructure-cyber-essentials-scheme); ISO/IEC 27001:2013, developed by the International Organization for Standardization, is a more comprehensive certification.

In 2018, new EU-wide regulation comes into force, which will affect all businesses processing the data of EU citizens. The new EU General Data Protection Regulation (GDPR) will change the game for both large organisations and SMEs in the security of personal information. Organisations can be fined up to 4% of annual global turnover or €20 Million (whichever is greater) if they fail to protect personal information. Under GDPR, fines can also be issued if an organisation cannot demonstrate that it has built security into its systems and processes. Regardless of legislative changes, this is an area that will face constant and potentially rapid change, which businesses will need to be aware of and adapt to.

Biometrics

'Biometrics' is the measurement and statistical analysis of people's physical and behavioural characteristics, such as fingerprints, gait or voice recognition.

CISSP

A 'Certified Information Systems Security Professional' (CISSP) certification is an internationally recognised qualification in information security, available to those who have at least four years' experience in the field. The curriculum covers a variety of topics including identity and access management and security engineering.

Cloud Computing

'Cloud-computing' is convenient, on-demand network access to a personal or shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cyber Attack

A 'cyber attack' is the attempt of a hacker or hackers to destroy a computer network or system, or destroy, change, or steal information contained in it.

Cyber Security

'Cyber security' is security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

Encryption

'Encryption' is the process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).

Firewall

A 'firewall' is hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.

GDPR

The 'EU General Data Protection Regulation' (GDPR) replaces the Data Protection Act (DPA) in May 2018. It was designed to protect and empower the data privacy of all EU citizens and applies to all businesses that process the data of subjects of the European Union, regardless of where the business is based.

Hacker

A 'hacker' is an individual who attempts to gain unauthorised access to a computer system by exploiting its weaknesses and/or design flaws.

ICO

The 'Information Commissioner’s Office' (ICO) is the office responsible for upholding the DPA and the Freedom of Information Act, promoting openness by public bodies and the right to privacy for individuals.

Internet of Things (IoT)

The interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.

ISMS

An 'information security management system' (ISMS) is a set of policies and procedures for systematically managing an organisation's sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by limiting the impact of a security breach.

ISO/IEC 27001:2013

'ISO/IEC 27001:2013' specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

Malware

'Malware', short for malicious software, is designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.

Patching

A 'patch' is a software update consisting of code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.
Patches may do any of the following:
● Fix a software bug
● Install new drivers
● Address new security vulnerabilities
● Address software stability issues
● Upgrade the software.

Phishing

'Phishing' is a method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.

Privacy by Design

'Privacy by Design' is an approach to systems engineering which takes privacy into account throughout the whole engineering process.

Ransomware

'Ransomware' is a type of malicious software designed to block access to a computer system until a sum of money is paid.

Sensitive Information

'Sensitive information' is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organisation. There are three types: personal information, business information, and classified information.

Spear Phishing

An email designed to obtain financial or other confidential information, however it differs from a simple phishing email in that it is more targeted at an individual or organisation. Some basic information has already been obtained and used to make this email appear more genuine and therefore trustworthy. The email will appear to come from either a specific person, sometimes from within the same company as the target, or from an organisation the person has a relationship with.

Spyware

'Spyware' is malware that passes information about a computer user’s activities to an external party.

Two factor authentication

The use of security steps additional to a username and password. The extra step requires something that only the user would have, either a piece of information (such as a PIN) or a physical object (such as a card reader).

Virus

The most common form of malware is the 'virus', which is loaded onto a computer and then run without the user's knowledge or knowledge of its full effects.

Answering YES

All Businesses MUST

Provide an overview of the strategies and steps taken to mitigate cyber security risks

Explain which individuals or teams are responsible for cyber security and data privacy, and to whom they report

Explain their approach to cyber security in terms of policies, people and operations (including IT)

Explain how they communicate cyber awareness across the organisation

Describe their framework for the classification of sensitive information

All Businesses MAY

Explain their codified and documented policies, strategies, and assessments dealing with personal data, including how, and how frequently, reviews are conducted

Describe their approaches (if any) to combat threats, both internal and external, current and future

Explain any training staff are given in regards to computer usage and security risks

Explain what efforts are taken to ensure company culture is conducive to cyber security policies and practices

Explain whether they hire any external cyber security consultants or accredited experts

Explain policies relating to data sharing and reporting with third parties or along the supply chain

Describe how they have complied with new GDPR rules

Set out the process to comply with the findings from any risk assessment, and provide an example where reasonable steps were taken to comply previously if available

State whether they have obtained or are working towards a recognised security standard (e.g. ISO27001 or the Government’s Cyber Essentials scheme)

Explain how security is dealt with across different territories and subsidiaries

Answering NO

All Businesses MUST

Explain why they do not or cannot answer YES to this question and list any mitigating circumstances or any other reasons which apply

All Businesses MAY

List any practices that are relevant, but not sufficient to answer YES

Mention any future plans

DON'T KNOW is not a permissible answer to this question

NOT APPLICABLE is not a permissible answer to this question

Version 3

To receive a score of 'Excellent'

Business is committed to cyber security and fully understands its risk. It has implemented effective policies and procedures to continually protect itself, and to deal with a breach/incident if and when they happen - it is prepared for a cyber security attack

Examples of policies and practices which may support an EXCELLENT statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

Governance

  1. Cyber security is linked to the organisation’s goals and priorities and on the agenda at most board meetings
  2. The responsibility for cyber risk is appropriately allocated and a multifunctional team has been appointed
    a. Specialist team has clarified powers, autonomy and lines of communication in case of breach, with a clear and effective security incident response procedure in place
    b. One or more members of the team have obtained CISSP certification
  3. Organisation has a named individual who takes active responsibility for the protection of personal data
  4. The organisation has nominated crisis advisors
  5. Feedback on decisions is provided so impact of decisions is understood

Strategy

  1. Takes flexible approach to resource and fund allocation based on need, regularly reviewed and updated to reflect continuous assessment of risk
  2. Business Continuity plans incorporate cyber security
  3. The company has developed, and consistently reviews and updates, key risk indicators, and performs very well on these
  4. The effectiveness of security policies and procedures is tested and reviewed against an up-to-date risk register more than once a year
  5. Has a comprehensive strategy in place for identifying and protecting critical data
  6. Cyber security is considered when developing products and services as well as business operations
  7. Cyber security plays key role in procurement policies
  8. Effective strategies in place for monitoring IT systems and networks for evidence of security breach
  9. Data minimisation methods in place, such as imposing a time limit on how long personal data is held for, or de-identifying the data they collect
  10. Active and contributing member of a relevant organisation (e.g. National Crime Agency)
  11. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees) and reports any and all significant breaches to the ICO
  12. Organises or takes part in events with similar organisations where people responsible for cyber security (CISOs or similar) get together and discuss changes in the field

Process

  1. There is a register of cyber security risks that includes probability of occurrence which is updated on an ongoing basis
  2. The organisation has adequate preventative measures in place against financial crime such as identity theft, CEO fraud, invoice fraud, terrorist funding and money laundering
  3. Clearly communicated, documented and efficient processes in place for data access, incident management, recruitment vetting process and insider threats
  4. The necessity of each individual’s access to data is periodically reviewed and justified - no one has access to data that is not necessary for them to do their job
  5. Strong, ongoing personnel security regime including security checks on individuals with access to the work place (for instance, contractors and business partners, as applicable to type of business)
  6. There is a policy on the use of mobile devices and mobile device security is in place, e.g. remote wiping
  7. Internal security protocols such as:
    a. Data backups (at a minimum weekly) including integrity checks on backups
    b. Encryption of internal services (such as emails and messaging)
    c. Internal systems and services logins (user names and strong passwords are mandatory; additions to usernames and passwords – such as biometrics, USB stick or two factor authentication – are available)
    d. Two factor authentication is used when logging in to critical internal systems and services and whenever available in external systems
  8. All electronic computing equipment is:
    a. Fitted with up-to-date antivirus software and programs
    b. Fitted with malware protection software which is configured to perform regular scans of all files
    c. Disposed of or recycled in a secure way when redundant
  9. Data collection and retention has been limited to what is necessary for the conduct of the organisation in line with the Data Protection Act and GDPR regulation
  10. Practices privacy by design and integrates cyber security practices within products and services
  11. Compliance with cyber requirements is included in third party contracts where appropriate
  12. The security of the supply chain is actively managed, e.g. asking key suppliers to confirm their security arrangements on a regular basis

Engagement

  1. The business actively works to build trust between and within organisation, e.g. specialist team engages with other teams and individuals (including acting to minimise feelings of disgruntlement among employees)
  2. The company honestly communicates cyber risks and actions to customers
  3. The company positively influences its suppliers to improve their cyber security
  4. Compliance with cyber requirements is included in employee contracts clearly indicating consequences for non-adherence.
  5. Security policies are well documented and easily accessible through employee contract; company intranet; provision at all training sessions
  6. Employees are given regular training on cyber security issues
  7. Programs and/or training in place to educate employees on the secure use of equipment including mobile phones
  8. Security incident management drills take place - staff rehearse what to do in the case of a significant cyber incident
  9. Enables individuals to request data held on them, equivalent to a Freedom of Information Request

To receive a score of 'Good'

The business has clear commitment to cyber security and pursues various cyber security best practices

Examples of policies and practices which may support a GOOD statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

Governance

  1. Cyber security is on the agenda at most board meetings
  2. The responsibility for cyber risk is appropriately allocated and a team has been appointed who have clarified powers in case of breach and report any incidents
  3. Organisation has a named individual who takes active responsibility for the protection of personal data

Strategy

  1. Risk appetite is clearly outlined at board and senior management level and communicated to those responsible for cyber security
  2. Business Continuity plans incorporate cyber security
  3. The company has developed, and consistently reviews and updates, key risk indicators, and performs very well on these
  4. The effectiveness of security policies and procedures is tested and reviewed against an up-to-date risk register at least once a year
  5. Working on a comprehensive strategy for identifying and protecting critical data
  6. Extends liability to cover damage from security breach through their products
  7. The company considers suppliers’ approaches to cyber security so that its data is not exposed due to dealings with these companies
  8. Strategies for monitoring IT systems and networks for evidence of security breach are under active consideration and updates provided to the board at regular intervals
  9. Business has some data minimisation methods in place, such as imposing a time limit on how long personal data is held for, or de-identifying the data they collect
  10. Passive member of a relevant organisation (e.g. National Crime Agency)
  11. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees) and reports any and all significant breaches to the ICO
  12. Occasionally takes part in events with similar organisations where people responsible for cyber security (CISOs or similar) get together and discuss changes in the field

Process

  1. There is a register of cyber security risks which is updated on an ongoing basis (includes number of actual incidents)
  2. Has adequate preventative measures in place against financial crime such as identity theft, CEO fraud, invoice fraud, terrorist funding and money laundering
  3. Clearly communicated, documented and efficient processes in place for data access, incident management, recruitment vetting process and insider threats
  4. There is a policy on the use of mobile devices and mobile device security is in place
  5. Internal security protocols used (such as regular data backups, integrity checks on backups; encryption of emails and messages sent via internal servers; mandatory user names and strong passwords for internal systems; two factor authentication for external systems)
  6. All electronic computing equipment is:
    a. Fitted with up-to-date antivirus software and programs
    b. Fitted with malware protection software which is configured to perform regular scans of all files (e.g. daily)
    c. Disposed of or recycled in a secure way when redundant
  7. Data collection and retention has been limited to what is necessary for the conduct of the organisation in line with the Data Protection Act and GDPR regulation
  8. Compliance with cyber requirements is included in third party contracts where appropriate
  9. The security of the supply chain is managed, e.g. asking key suppliers to confirm their security arrangements

Engagement

  1. Compliance with cyber requirements is included in employee contracts clearly indicating consequences for non-adherence.
  2. Security policies are well documented and easily accessible through employee contract; company intranet; provision at all training sessions.
  3. Employees are given regular training on cyber security issues (once a year)
  4. Programs and/or training in place to educate employees on the secure use of equipment including mobile phones

To receive a score of 'Okay'

Some cyber security practices are demonstrated OR action is ad hoc OR given the nature of the business and its operations, cyber security is not relevant

Examples of policies and practices which may support an OKAY statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

Governance

  1. Cyber security is discussed at board level on an ad-hoc basis
  2. The responsibility for cyber risk is allocated to a named individual or team, but leadership, monitoring or activity is not regular
  3. There is a commitment to future improvements, with clear goals in place

Strategy

  1. There is some effort to address risk appetite at the board or management level, but there is room for improvement in communication of it
  2. Business Continuity plans incorporate basic cyber security considerations
  3. Security policies and procedures are developed, but not regularly updated or communicated
  4. Strategies for monitoring IT systems and networks for evidence of security breach are in place, but not regularly updated or communicated
  5. The company only looks internally when considering cyber security and exposed data
  6. The organisation is working toward a strategy for identifying and protecting critical data
  7. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees), but there is room for improvement in reporting

Process

  1. Reporting on policies and practices is ad hoc or inconsistent; findings are not acted upon
  2. Processes cover some, but not all, issue areas: data access, incident management, ransomware request, insider threats, recruitment vetting process, mobile devices and email encryption
  3. Basic protections taken on electronic equipment, such as antivirus software
  4. Basic malware protection software is installed on computers that are connected to or capable of connecting to the Internet
  5. Phishing exercises are regularly undertaken
  6. Patching is up to date
  7. Anti-malware is in place
  8. Data is backed up

Engagement

  1. Security policies are written down and available to staff
  2. Top-level employees consider cyber security an important issue
  3. Employees are aware of basic cyber security issues, e.g. through the use of awareness campaigns

To receive a score of 'Poor'

No attention paid to cyber security OR business acknowledges performance is below expectations

Examples of policies and practices which may support a POOR statement (not all must be observed, enough should be evidenced to give comfort that the statement is the best of the four for the business being scored):

Governance

  1. Cyber security is not considered a significant issue for the business
  2. Failure to meet regulations and/or legal requirements
  3. No identified person or team is responsible for responding to a cyber security incident

Strategy

  1. No written policy on cyber issues
  2. No regular reviews of policies

Process

  1. Electronic equipment not fitted with antivirus software, or software is not regularly updated
  2. Data/resources not adequately protected or stored
  3. Fails to report breaches to reporting bodies, or does not share with external parties
  4. Failings within security systems are obvious, and unresolved
  5. When breaches occur, fails to take necessary steps to resolve the risks that led to them
  6. Often unaware they have been breached, only aware through being informed by third party
  7. Company has insurance against cyber attacks and therefore fails to act to minimise risks
  8. Employees are not involved in creating a safe cyber environment (e.g. not required to change their passwords from the default)

Engagement

  1. No effort to engage employees, supplier, or other organisations around this issue