Cyber security

Is your business prepared for a cyber security breach?

In less than two decades the internet has fundamentally changed everything from how business is carried out to how we organise our day-to-day lives. We now depend on safe access to the internet not only to communicate and connect across the world but also to share and store information.

Regardless of size or sector, every business relies on digital technology. However, the benefits to efficiency and market development come at a cost. The hyper-connection of industries, people and ‘things’ exposes everything to cyber attack. Connectivity relies on software, and the simple reality, as Steve McConnell reports in Code Complete, is that delivered code carries on average between 15 and 50 errors per 1,000 lines.

Welcome or not, cyber security has become a mandatory operating layer that must be integrated into every business model. Without adequate cyber security embedded in culture and operations, companies take on huge risks and miss opportunities.

Cyber security is essential to the safe use and continued development of the internet. Recent breaches at companies such as TalkTalk, Yahoo and Ashley Madison have received global media attention and exemplified the importance of protecting information which is sensitive both to businesses and their customers.

Understanding and recognising the evolving landscape of cyber threats is the new boardroom discipline, essential to the sustainability and competitiveness of businesses. It concerns intellectual property, customer information, financial data, employee records and much more. From coffee machines to system operators, everything linked to a network has the potential to be accessed by attackers. The more value is stored online, the greater the likelihood of attack; ransomware, for example, encrypts a victim’s data and holds it to ransom until they either pay or accept the loss.

The level of preparedness for cyber attacks, and how businesses respond when one occurs, can have profound economic impacts. The BIS 2014 Information Security Breaches Survey reported that 81% of large organisations had experienced a security breach of some sort, with the worst breach costing each organisation, on average, between £600,000 and £1.5 million. For small and medium-sized businesses (SMEs), the following year’s survey put the cost of the most severe breach at up to £310,800, up from £115,000 in 2014, demonstrating that the issue is not limited to ‘big business’. An FSB report published in June 2016 notes that 66% of small businesses had been victims of cybercrime, often more than once, at an average cost of nearly £3,000 per incident.

More than ever before companies of all sizes hold enormous amounts of customers’ and employees’ private data. In addition to identifying information such as name, address, contact and bank details etc., companies increasingly hold ‘big data’ and ‘metadata’ on members of the public. Such data can be used to paint detailed and accurate pictures of individual behaviour and consumer habits. Despite the significant financial and ethical dangers that accompany cyber crime, cyber security is still not treated as a high-priority strategic issue by many companies.

A common yet flawed assumption is that cyber security is an IT issue rather than a strategic risk management issue. In a McKinsey survey of information security leaders at 25 top global companies, most respondents said that senior corporate leaders had too little understanding of IT security risks and their business implications to discuss the trade-offs between investment, risk and user behaviour.

The technical aspects of cyber security are manifold. So too are the human aspects, which are frequently overlooked or not properly considered when rules, regulations and codes are drafted. For example, best-practice guidelines have often encouraged employees to change their passwords regularly. Experience suggests that this leads people to choose shorter, weaker passwords so that they can remember them, or, where a long complex password is obligatory, to write it down and leave it in or near their work area. Such unintended consequences can increase, rather than reduce, the risk of a breach. Current UK NCSC and US NIST (SP 800-63B) guidance therefore advises against forced periodic password changes, recommending instead long passwords, screening against known-breached passwords and a second authentication factor.

Advocates who stress the importance of employee behaviour suggest a holistic, joined-up approach to cyber security that begins and ends with what people do in the workplace and why. Jeremy Swinfen Green, member of the Data Privacy and Document Marking Standards Committee at the British Standards Institution (BSI), offers the following steps and areas of focus:

  • Write good rules – companies should be at pains to write policies that people can understand. They should be couched and presented as rules or guidelines, not as a contract, and should ideally not exceed a page or two in length. These rules or management instructions should be accompanied by the sanctions people can expect for breaking them. Businesses should ensure the rules are usable and practical; otherwise employees will be tempted to find workarounds.
  • Training – the rules need to be communicated and explained to employees in various ways, which must include face-to-face instruction. People need to know what to do and how; there is no substitute for being shown through demonstrations.
  • Awareness – a business must ensure knowledge of the rules stays front of mind. Notices can be placed on toilet doors and in common areas so that people are regularly reminded.
  • Persuade and motivate – businesses should reward good behaviour, for example by granting time off or other perks for exemplary practice. They should also disincentivise breaches of the rules with sanctions.
  • Cultivate culture and trust – the leadership and culture of the business are critical. Social norms such as the desire to be polite may dissuade an employee from challenging a person in the workplace who is not wearing a visitor badge; cultural norms should therefore be set so that employees are empowered to act in the interest of security. Employees should have a healthy dose of scepticism about unusual or risky behaviour and should not feel compelled to let someone tailgate through workplace security barriers. Unsafe, risky behaviour becomes culturally unacceptable when the appropriate culture is nurtured.

In 2018 new EU-wide regulation comes into force, which may or may not apply to the UK. The EU General Data Protection Regulation (GDPR) will change the game for large organisations and SMEs alike in how they must secure personal information. It will also transform the scale of regulatory fines for breaches: from £1.4 billion in 2015 to a vastly increased £122 billion, according to the PCI Security Standards Council (the figures assume the same level of breaches as in 2015, when 90 percent of large organisations and 74 percent of SMEs said they had suffered a security breach). Under GDPR, fines can also be issued where an organisation cannot demonstrate that it has built security into its systems and processes.

Certification to a baseline standard could help businesses prevent successful attacks. The UK Government’s Cyber Essentials scheme, launched in 2014, sets out five basic technical controls (boundary firewalls, secure configuration, access control, malware protection and patch management). ISO/IEC 27001:2013, developed by the International Organization for Standardization and the International Electrotechnical Commission, is a more comprehensive certification covering the whole information security management system.

Cyber Security

'Cyber security' is security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

Hacker

A ‘hacker’ is an individual who attempts to gain unauthorized access to a computer system by exploiting its weaknesses and/or design flaws.

Cyber Attack

A ‘cyber attack’ is the attempt of hackers to destroy a computer network or system, or destroy, change, or steal information contained on it.

Firewall

A ‘firewall’ is hardware or software that filters traffic between networks according to a set of rules, in order to prevent unauthorised access to a computer or network from another computer or network.

Encryption

‘Encryption’ is the process of taking an unencrypted message (plaintext), applying a mathematical function to it (an encryption algorithm with a key) and producing an encrypted message (ciphertext). Only someone holding the corresponding key can reverse the process (decryption) and recover the plaintext.

Malware

‘Malware’ is short for malicious software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.

Virus

The best-known form of malware is the ‘virus’, code that replicates by inserting copies of itself into other programs or files and then runs without the user’s knowledge, or without their knowledge of its full effects.

Spyware

‘Spyware’ is malware that passes information about a computer user’s activities to an external party.

Phishing

‘Phishing’ is a method criminals use to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that appears to come from a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic, and the link’s visible text often differs from the address it actually points to.
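
The tells described above (a link whose visible text shows the legitimate address while the underlying href goes elsewhere, a plain-http link, a bare IP address, a trusted brand name used as a subdomain of someone else’s domain) can be checked mechanically. The following is an added example, not code from the original page: it parses the anchors out of an email body and flags those tells. The sample email, the ‘trusted’ domain examplebank.co.uk and the function names are constructed for this illustration, and the check is a heuristic rather than a complete anti-phishing filter.

```python
"""Flag the tells of a phishing e-mail in its links.

Added example, not code from the original page. The e-mail body and the
'trusted' organisation domain (examplebank.co.uk) are constructed for
illustration; the check is heuristic, not a complete anti-phishing filter.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the (hypothetical) organisation really sends mail from and hosts sites on.
TRUSTED_DOMAINS = {"examplebank.co.uk"}

# Anchor text that itself looks like a URL or a bare hostname.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Crude 'registrable domain': last two labels, or three for co.uk-style
    suffixes. A production tool should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace so "\n https://x " compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(html: str) -> list:
    """Return (href, reason) for every link that shows a phishing tell."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https") or not host:
            continue  # mailto:, tel: etc. are out of scope here
        if url.scheme == "http":
            findings.append((href, "plain http link, no TLS"))
        if IPV4.match(host):
            findings.append((href, "link points at a bare IP address"))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append((href, "internationalised (punycode) hostname, possible homoglyph domain"))
        shown = URL_LIKE_TEXT.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and registrable_domain(host) != trusted:
                findings.append((href, f"{trusted} used as a decoy inside {registrable_domain(host)}"))
    return findings


# Constructed sample: a typical 'account suspended' lure next to a genuine link.
PHISHING_EMAIL = """
<p>Dear customer, your account has been suspended.</p>
<p>Please log in at <a href="http://examplebank.co.uk.secure-login.example.net/verify">
https://www.examplebank.co.uk/login</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://www.examplebank.co.uk/help">our help centre</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in check_links(PHISHING_EMAIL):
        print(f"{reason}: {href}")
```

Run against the constructed message, the first link produces three findings (plain http, text/target mismatch, brand used as a decoy subdomain) and the genuine help-centre link produces none. The registrable-domain logic is deliberately simple; anything beyond a demonstration should use the Public Suffix List so that, for example, `co.uk` and `com.au` style suffixes are handled correctly.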

Cloud Computing

‘Cloud computing’ is a model for convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

ISMS

An ‘information security management system’ (ISMS) is a set of policies and procedures for systematically managing an organisation's sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by limiting the impact of a security breach.

Sensitive Information

‘Sensitive information’ is data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organisation. There are three types: personal information, business information, and classified information.

GDPR

The ‘EU General Data Protection Regulation (GDPR)’ replaces the Data Protection Act 1998 (DPA) from 25 May 2018. The DPA was enacted in 1998, before social media or cloud computing existed, and no longer reflects how we live and do business.

CISSP

A ‘Certified Information Systems Security Professional (CISSP)’ certification is an internationally recognised information security qualification awarded by (ISC)², available to those with at least five years’ experience in the field (four with a relevant degree or approved credential). The curriculum covers eight domains, including identity and access management and security engineering.

ISO/IEC 27001:2013

‘ISO/IEC 27001:2013’ specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

ICO

The ‘Information Commissioner’s Office (ICO)’ is the UK’s independent regulator responsible for upholding the DPA and the Freedom of Information Act, promoting openness by public bodies and data privacy for individuals.

Answering YES

Micro Businesses MUST

Describe their business sector

Explain any strategies, or steps taken, to minimise cyber security risks

Explain their approach to cyber security through IT capabilities, process management and human resource management, ensuring the wider company understands cyber security risks

Micro Businesses MAY

Describe how, and how frequently their strategies are reviewed

State whether they have obtained or are working towards a recognised security standard (e.g. ISO 27001 or the Government’s Cyber Essentials scheme)

Explain any training/education staff are given in regards to computer usage and security risks

State whether they audit key assets in terms of their importance to the organisation and the process by which these assets are identified

Describe anything within the company’s culture that relates to cyber security

Explain whether they hire any external cyber security consultants

Describe their approaches (if any) to combat an insider threat

Describe any other relevant policies or activities which indicate an appropriate approach to cyber security

All Other Businesses MUST

Describe their business sector

Explain any strategies, or steps taken, to minimise cyber security risks

Describe how and how frequently these strategies are reviewed

Explain their approach to cyber security through IT capabilities, process management and human resource management, ensuring the wider company understands cyber security risks

All Other Businesses MAY

Explain whether they have a nominated team responsible for cyber security

Explain whether an individual is nominated to assume responsibility in the event a cyber security breach occurs

Explain whether there is a named company officer with responsibility for data privacy and GDPR and, if so, how this is communicated to key people in the business

Confirm that a cyber security risk assessment is carried out regularly (e.g. at least once per year)

Set out the process to comply with the findings from any risk assessment or provide an example where reasonable steps were taken to comply previously

Confirm that an information audit is undertaken regularly which documents the personal data that is held, the source of that data, and with whom it is shared

Confirm a data processing review is carried out which identifies and documents the legal basis for such processing

Confirm that there are procedures in place to detect, investigate and report on personal data breaches

Confirm their privacy and data protection procedures and policies are codified and documented

Confirm their critical information and systems not related to personal data (e.g. blueprints for new designs, merger plans etc) are adequately protected and that there are procedures in place to detect, investigate and report on any breaches

Explain any training/education staff are given in regards to computer usage and security risks

Describe how often these data protection policies are reviewed

Explain the disclosure/escalation policy in the event of an incident/breach

Explain whether the organisation has a nominated data protection lead

Explain compliance with external standards/marks of excellence (e.g. ISO)

Describe any risk assessments/audits or penetration tests undertaken by accredited experts

Describe anything within the company’s culture that relates to cyber security

State whether they have obtained a recognised security standard (e.g. ISO 27001 or the Government’s Cyber Essentials scheme)

Describe their approaches (if any) to combat an insider threat

Describe their approaches (if any) to combat a third party (supplier) threat

Describe any other relevant policies which indicate an appropriate approach to cyber security

Answering NO

All Businesses MUST

Explain why they do not or cannot answer YES to this question and list any mitigating circumstances or any other reasons which apply

All Businesses MAY

Indicate any relevant practices and policies, even if they do not fully address the specifications for answering YES

Mention any future plans

DON'T KNOW is not a permissible answer to this question

NOT APPLICABLE is not a permissible answer to this question

Version 1

To receive a score of 'Excellent'

The business is fully prepared for a cyber attack

  1. e.g. Effective strategies in place for monitoring ICT systems and networks
  2. e.g. The effectiveness of security policies and procedures are reviewed frequently
  3. e.g. Cyber security is treated as a strategic issue at board level
  4. e.g. Has a comprehensive strategy in place for identifying and protecting critical data
  5. e.g. Compliance with cyber requirements is included in employee contracts with consequences for non adherence
  6. e.g. Compliance with cyber requirements is included in third party contracts where appropriate
  7. e.g. The responsibility for cyber risk is appropriately allocated and a multifunctional team has been appointed
  8. e.g. There is a register of cyber security risks
  9. e.g. Has strong and efficient processes in place for reporting incidents, such as a phishing scam or ransomware demand
  10. e.g. Alternatives or additions to usernames and passwords – such as biometrics, hardware tokens (dongles) or two-factor authentication – are available
  11. e.g. All internal services (such as emails and messaging) are encrypted
  12. e.g. All electronic computing equipment is fitted with up-to-date anti virus software and programs
  13. e.g. Programs and/or trainings in place to inform employees on the issue of cyber security
  14. e.g. Programs and/or trainings in place to educate employees on the secure use of equipment
  15. e.g. Malware protection software is installed on all computers that are connected to or capable of connecting to the internet
  16. e.g. Malware protection software is configured to perform regular scans of all files (e.g. daily)
  17. e.g. Business Continuity and Incident Management plans are tested on an annual basis
  18. e.g. Business Continuity plans incorporate information security
  19. e.g. Mobile devices security is in place, e.g. remote wiping
  20. e.g. Redundant IT equipment is disposed of or recycled in a secure way
  21. e.g. The security of the supply chain is actively managed, e.g. asking key suppliers to confirm their security arrangements on a regular basis
  22. e.g. Member of a relevant organisation (e.g. National Crime Agency)
  23. e.g. Access privileges, especially to critical information and systems, are managed and unnecessary access is not granted
  24. e.g. Has strong provisions in place to defend against insider threat, such as a strong, ongoing personnel security regime, acting to minimise feelings of disgruntlement among employees and application of checks to anyone with legitimate access to workplace, for instance, contractors and business partners
  25. e.g. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees) and reports all and any significant breaches to the ICO
  26. e.g. Data collection and retention has been limited to what is necessary for the conduct of the organisation in line with the Data Protection Act and GDPR regulation
  27. e.g. Has adequate preventative measures in place against financial crime such as identity theft, CEO fraud, invoice fraud, terrorist funding and money laundering
  28. e.g. Data minimisation methods in place, such as imposing a time limit on how long personal data is held for, or de-identifying the data they collect
  29. e.g. Has an employee who obtained the CISSP certification
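
Items 26 and 28 above (and item 17 of the ‘Good’ list below) describe data minimisation as a retention limit plus de-identification. The following is an added example, not code from the original page, showing both applied to a small customer table: records older than the retention period are deleted, and the remaining rows keep only a keyed pseudonym of the email address and the outward half of the postcode. The records, the two-year retention period, the key and the `AS_OF` date are constructed for this illustration.

```python
"""Data minimisation over a customer table: enforce a retention limit and
replace direct identifiers with keyed pseudonyms.

Added example, not code from the original page. The records, the two-year
retention period, the reference date and the pseudonymisation key are all
constructed for illustration.
"""
import hashlib
import hmac
from datetime import date, timedelta

RETENTION_DAYS = 2 * 365            # hypothetical policy: order history kept for two years
AS_OF = date(2016, 10, 1)           # hypothetical 'today' for the worked run

# Key for the keyed hash. In a real deployment it lives in a secrets store,
# separate from the data, and can be destroyed to make the pseudonyms
# irreversible. Hard-coded here only so the example runs offline.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Constructed sample records (no real people).
RECORDS = [
    {"name": "A. Customer", "email": "A.Customer@Example.com", "postcode": "SW1A 1AA",
     "last_order": "2016-09-15", "total_gbp": 120.50},
    {"name": "B. Customer", "email": "b.customer@example.org", "postcode": "M1 1AE",
     "last_order": "2015-11-20", "total_gbp": 75.00},
    {"name": "C. Customer", "email": "c.customer@example.net", "postcode": "EH1 1YZ",
     "last_order": "2014-01-15", "total_gbp": 310.25},
]


def pseudonymise(identifier: str) -> str:
    """HMAC-SHA256 of the normalised identifier, truncated to 64 bits.

    The same e-mail address always maps to the same token, so records still
    link up for analytics, but without the key the token cannot be reversed
    or brute-forced from a list of known addresses (which a plain, unsalted
    hash of the e-mail would allow). Keyed pseudonyms are still personal
    data under GDPR for as long as the key exists.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:16]


def minimise(records, today: date, retention_days: int = RETENTION_DAYS) -> list:
    """Drop records past the retention limit; strip the rest to what analytics needs."""
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for record in records:
        if date.fromisoformat(record["last_order"]) < cutoff:
            continue  # past retention: delete, do not keep 'just in case'
        kept.append({
            "customer_id": pseudonymise(record["email"]),
            # Outward code only (e.g. 'SW1A'): regional analytics still works,
            # but the row no longer pins down a street.
            "postcode_area": record["postcode"].split()[0],
            "last_order": record["last_order"],
            "total_gbp": record["total_gbp"],
        })
    return kept


def run_example(retention_days: int = RETENTION_DAYS) -> list:
    """The worked run: the constructed records minimised as at AS_OF."""
    return minimise(RECORDS, AS_OF, retention_days)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

With the two-year limit the 2014 record is deleted and two rows survive, neither carrying a name, email address or full postcode; shortening the limit to 30 days leaves only the September 2016 order. The key, not the hash function, is what makes the pseudonyms safe: an unkeyed SHA-256 of an email address can be reversed by hashing a list of known addresses.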

To receive a score of 'Good'

The business pursues various cyber security best practices

  1. e.g. Security policies are written down and explicitly referenced when appropriate
  2. e.g. Compliance with cyber requirements is included in employee contracts
  3. e.g. Working on a comprehensive strategy for identifying and protecting sensitive data
  4. e.g. Frequently backs up information and check the integrity of backups
  5. e.g. Appropriate person identified for reporting incidents such as a phishing scam or ransomware demand
  6. e.g. Employees encouraged to choose strong passwords
  7. e.g. Employees are given training on issues that may arise in relation to cyber security
  8. e.g. Most electronic equipment is fitted with antivirus software
  9. e.g. Malware protection software is installed on all computers that are connected to or capable of connecting to the internet
  10. e.g. Considering encrypting emails and messages sent via internal servers
  11. e.g. Two-factor authentication is used when logging in to critical systems and services
  12. e.g. The effectiveness of their security policies and procedures are reviewed at least annually
  13. e.g. All employees are made aware of the issue of cyber security
  14. e.g. Cyber security may be treated as a strategic issue at board level
  15. e.g. Organisation is registered with the ICO (a legal requirement for organisations which process personal data such as personal details of employees)
  16. e.g. Has some provisions in place to protect against insider threat, such as pre-employment screening checks and monitoring of risk factors, for instance, lifestyle changes for existing employees
  17. e.g. Companies have undertaken some data minimisation methods such as imposing a time limit on how long personal data is held for, or de-identifying the data they collect

To receive a score of 'Okay'

Some cyber security practices are demonstrated OR given the nature of the business and its operations, cyber security is not relevant

  1. e.g. Security policies are written down
  2. e.g. The responsibility for cyber risk is allocated to an appropriate employee
  3. e.g. Some emails or messages may be encrypted
  4. e.g. Some protections applied to electronic equipment, such as antivirus software
  5. e.g. Malware protection software is installed on some computers that are connected to or capable of connecting to the internet
  6. e.g. Top-level employees consider cyber security a strategic issue
  7. e.g. Some employees are aware of cyber security issues, e.g. through awareness campaigns
  8. e.g. Organisation is registered with the ICO if applicable (a legal requirement for organisations which process personal data such as personal details of employees)
  9. e.g. The business follows UK Money Laundering Regulations required by law, including appointing a nominated officer

To receive a score of 'Poor'

No attention paid to cyber security

  1. e.g. Cyber security not considered a strategic issue for their business
  2. e.g. No written policy on cyber issues
  3. e.g. Employees not required to change their passwords from the default
  4. e.g. Electronic equipment not fitted with antivirus software
  5. e.g. No identified person responsible for responding to a cyber security incident