British National Cyber Security Guidance

Most organisations rely on their IT systems to carry out business and to control critical functions, using various types of digital technology to manage their safety, security and engineering systems. As a result, businesses can become vulnerable to hacking and threats that undermine their confidentiality, integrity or accessibility. 

The consequences of such incidents can be significant to organisations, leading to loss of reputation, damage to assets, regulatory fines or result in physical injury.

To understand the cyber risk to your business, you should conduct a Cyber Risk Assessment. This will help to ensure that your approach to cyber security is proportionate.  Here is the UK Government’s outline of cyber security information for organisations:

Whilst there is no prescribed format for this, it should be based on the Risk Management processes detailed below. Note that the risk assessing is a continuous, on-going process which you will need to revisit as your business changes and / or threats evolve.

Assessing The Risk

The following three step process will help you identify:

  • The digital technologies and systems which are critical to your business
  • Who might attack them
  • How they might be vulnerable

This information will allow you to narrow down what you must protect.

Impact: What Your Want To Avoid

Your approach to cyber risk management should be driven by the ‘Impacts’ you are trying to avoid. Start by identifying the systems, data and technologies on which your business relies. The type of questions you might want to ask are:

  • Is there technology that must be available for the business to function? (e.g. payment systems, access controls)
  • Do physical security systems rely on digital technology? How are they protected?
  • Are you processing sensitive data? (personal, financial) If so, what if this data is lost, stolen or unavailable?
  • Are you reliant on third-party systems? If so, which systems are central to your business?

If you take a systematic approach, you should be able to produce a prioritised list. You then need to consider the impact of these systems being compromised or becoming unavailable. This basic understanding of what you care about and why it’s important, will help you identify what you must protect.

Threats: What Type of Attacks To Expect

A ‘Threat’ is the individual, group or circumstance, which could cause a given impact to occur. It can be challenging to develop an accurate assessment of the threat to your business without undertaking an appropriate analysis. The following will help you develop a baseline threat picture:

  • Commodity Attacks: All organisations and events, regardless of profile and size, are at risk from commodity attacks that exploit basic vulnerabilities using readily available hacking tools and techniques. Mass phishing campaigns are one example of such an attack.
  • Targeted Attacks: Some businesses will be targeted by cyber criminals who, for example, intend to steal financial or personal information e.g. spear phishing.
  • Methodology: Most attacks are preventable and use well-known techniques.
  • Insider Threat: Not all threats are external. It is essential that internal threats are incorporated into your assessment.
  • Learn from Experience: Has your business or similar businesses previously experienced cyber-attacks? How could those attacks have been prevented?
  • With some research, you should be able to develop a baseline threat assessment. For example, you may decide that your business is unlikely to be deliberately targeted, therefore commodity attacks exploiting basic vulnerabilities are the main threat.
  • Alternatively, you may discover that businesses of similar profile have been targeted by organised crime groups, therefore the threat is heightened and specific defensive measures are required.
  • It should be noted that most targeted attacks still use basic techniques, such as phishing emails, to enable attacks. Good basics are always the first layer of defence 

Vulnerabilities: How Secure Are The Networks & Systems That You Rely On?

A ‘Vulnerability’ is a weakness that would enable an impact to be realised, either deliberately, or by accident. The final stage of the process is identifying your vulnerabilities. You should start by overlaying your critical systems (see ‘Impact’, above), with the expected capabilities of any attackers.

Next, focus on establishing whether the security controls for each critical system are appropriate for the threat. Remember, most cyber-attacks are preventable if basic controls are in place. Identify who is supplying your critical systems and establish a clear picture of each supplier’s cyber security posture.

A good starting point is to ask whether your suppliers hold any existing security certifications (e.g. Cyber Essentials, Cyber Essentials Plus, ISO 27001). Holding a certification indicates that the supplier has a proactive approach to cyber security. If suppliers do not hold any certifications you will need to invest time to understand more about their security posture.

From an IT infrastructure perspective, you may wish to use the Cyber Essentials themes as discussion points:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

For providers of online services, you may wish to focus your discussion on the common web application security issues and for further information:

Almost every business relies on the confidentiality, integrity and availability of its data and cyber security measures should form a critical part of a multi-layered approach that includes physical and personnel security. 

GovUK:          Centre for Protection of National Infrastructure:

For cost effective advice and recommendation on Cyber Security and Training for your organisation, please contact Cyber Security Intelligence.

You Might Also Read: 

Directors Must Understand Their Organisation’s Cyber Risks:

 

« The Data Center Containment Solution Market is Growing
Fake PayPal Emails Cost £8million In Theft »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

evoila

evoila

evoila GmbH is one of the leading providers in consulting, analysis, implementation and management of cloud infrastructure.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

CybelAngel

CybelAngel

CybelAngel is a leading digital risk protection platform that detects and resolves external threats before these wreak havoc.

Usenix

Usenix

Usenix brings together the community of engineers, system administrators, scientists, and technicians working on the cutting edge of computing.

ID Quantique (IDQ)

ID Quantique (IDQ)

ID Quantique is a world leader in quantum-safe crypto solutions, designed to protect data for the long-term future.

Sqreen

Sqreen

Sqreen is a web application security monitoring and protection solution helping companies protect their apps and users from attacks.

redGuardian

redGuardian

redGuardian is a DDoS mitigation solution available both as a BGP-based service and as an on-premise platform.

Recruit.net

Recruit.net

Recruit.net allows job seekers to instantly find millions of jobs from thousands of web sites with a single search.

Accel

Accel

Accel is a leading venture capital firm that invests in people and their companies from the earliest days through all phases of private company growth. Areas of focus include cybersecurity.

NETRIO

NETRIO

If you are looking for a highly mature, exceptionally competent Managed Service Provider, NETRIO has solutions to keep your business running at warp speed with zero disruptions.

CyberPeace Foundation

CyberPeace Foundation

CPF is a think tank of cybersecurity and policy experts with the vision of pioneering Cyber Peace Initiatives to build collective resiliency against CyberCrimes and global threats of cyber warfare.

National Cybersecurity Consortium (NCC)

National Cybersecurity Consortium (NCC)

The NCC’s mandate is to keep Canada’s cyber and critical infrastructures and citizens safe while ensuring Canada’s global competitiveness and leadership in cybersecurity.

CyberX9

CyberX9

CyberX9 helps you protect against a wide range of cyber attacks whether you are a business or a high-net worth individual under risk.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

Sentar

Sentar

Sentar is a cyber intelligence company, applying advanced analytics and systems engineering expertise to protect our national security by securing mission-critical assets.

at-yet (@-yet)

at-yet (@-yet)

at-yet are an interdisciplinary team of experts. We are all about achieving results, whatever the situation – an acute incident, risk minimisation, safeguarding or data protection.