Cyber Security


Introducing The Issue 

Are you prepared for a cyber attack? Businesses possess many types of sensitive information such as financial data, employee records, personal contact details, intellectual property, and financial and medical information. Without adequate cyber security measures in place, these are all put at risk. And in recent years, the likelihood of being the victim of espionage, military operations, or acts of cyber terrorism or cyber warfare prosecuted by rogue states has grown manyfold.

Questions For Managers

Responsible 100 has developed a number of introductory questions to help you explore this important issue and your organisation's exposure to it. Please respond with as much relevant information as you can. These questions are available via this Google Form

Questions For Employees

Responsible 100 has developed a number of questions specifically for employees. They are designed to enable people working in the organisation to share their thoughts, observations and opinions on this important issue. Please respond with as much relevant information as you can. These questions are available via this Google Form

Benchmark Performance Statements

  • EXCELLENT - The business is fully prepared for any type of cyber attack. Promoting and enabling thorough cyber security is fundamental to the business. 
  • GOOD - The business demonstrates a commitment to promoting cybersecurity with clear practices and policies in place to address multiple factors.
  • OKAY - The business supports efforts regarding cyber security on an ad hoc basis; OR the business demonstrates how the issue is not relevant or material to it.
  • POOR - The business acknowledges performance is below expectations; OR the workplace deepens or perpetuates poor cyber security; OR there is no evidence of consideration of the issue.

Responsible 100 creates and develops detailed benchmarks on each of the issues we explore. Each benchmark identifies and defines different levels of performance as either POOR, OKAY, GOOD or EXCELLENT. A general statement describes those four performance levels in summary. Under each statement, examples of the sorts of policies and practices businesses are observed pursuing are listed, usually broken down into categories, e.g. Policies & Procedures; Target Setting, Measurement & Reporting; or Leadership, Advocacy & Culture. Some such lists include 50 or more examples. The above reveals the current summary statements only. The complete benchmarks are shared with those organisations which, through offering answers to the above questions - and any other relevant details about what they do, how and why - help to shape and improve the benchmarks on an ongoing basis.


Exploring The Issue

'Cyber security' is security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

The Internet has become a crucial part of daily life for individuals and businesses. As such, cyber security is crucial to all businesses, regardless of size or sector. While no organisation is ever 100% secure, cyber security is about taking steps to manage future risks. Without adequate cyber security measures embedded into culture and operations, businesses are taking huge risks. Recent events, such as the WannaCry ransomware attacks, the Equifax breach and the leaking of thousands of personal emails have received global media attention and exemplified the importance of protecting the information that is sensitive both to businesses and their customers.

'Sensitive information' is data that must be protected from unauthorised access to safeguard the privacy or security of an individual or organisation. There are three types:

>> Personal information - This is any information that can be used for identity theft, as it’s tied to a specific individual. Examples include National Insurance Numbers, credit card numbers, tax information, and more.

>> Business information - This is any information that would have a negative impact on the business if released. Examples include trade secrets or customer records.

>> Classified information - Small businesses are unlikely to have to worry about classified information, as this is information that is classified as sensitive by the government, and access to it is therefore restricted.

A 'cyber attack' is the attempt by a hacker or hackers to destroy a computer network or system, or destroy, change, or steal the information contained in it. The information that cyber attacks target tends to be the sensitive information, but that is not always the case.

A business’s preparedness for a cyber attack, and how it responds in the event of an attack, can have profound impacts up to and including complete organisational failure. The 2022 Information Security Breaches Survey reported that 72% of large firms had experienced a security breach of some sort. An FSB report published in June 2016 notes that 66% of small businesses have been victims of cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000. Given the impact of these breaches, cyber security is not exclusively an issue for large multinationals.

Businesses of all sizes increasingly hold enormous amounts of customers’ and employees’ private data, including ‘big data’ and ‘metadata’ on members of the public. Such data can be used to establish detailed and accurate profiles of individual behaviour and consumer habits, raising concerns over privacy and data ownership. Despite the significant financial and ethical dangers that accompany cybercrime, there is significant evidence that cyber security is still not treated as a high-priority strategic issue by many businesses.

Understanding and recognising the evolving landscape of cyber threats at the board level is essential to the sustainability and competitiveness of businesses. Acting on cyber security requires being prepared for and responding to breaches, and concerns intellectual property, customer information, resources, financial data, employee records, and much more. From coffee machines to driverless cars, everything that is linked to a network has the potential to be accessed by ‘hackers’: individuals who attempt to gain unauthorised access to a computer system by exploiting its weaknesses or design flaws.

Interconnectivity is increasing, and with it the ability to collect far more data, and more sensitive data, from more individuals. The growth of the ‘Internet of Things’ is also a major contributor to the vulnerabilities that hackers take advantage of. The ‘Internet of Things’ is the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. The security built into all products and services is becoming even more important, as is the security companies apply in their own business practices.


Definitions

Biometrics - the measurement and statistical analysis of people's physical and behavioural characteristics, such as fingerprints, gait or voice recognition.

CISSP - A Certified Information Systems Security Professional (CISSP) certification is an internationally recognised qualification in information security, available to those who have at least four years of experience in the field. The curriculum covers a variety of topics including identity and access management and security engineering.

Cloud Computing - convenient, on-demand network access to a personal or shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cyber Attack - an attempt by a hacker or hackers to destroy a computer network or system, or to destroy, change, or steal the information contained in it.

Cyber Security - security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

Encryption - the process of taking an unencrypted message (plaintext), applying a mathematical function to it (an encryption algorithm with a key) and producing an encrypted message (ciphertext).

Firewall - hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.

GDPR - The EU General Data Protection Regulation (GDPR) replaced the Data Protection Act (DPA) in May 2018. It was designed to protect and empower all EU citizens' data privacy and applies to all businesses that process the data of subjects of the European Union, regardless of where the business is based.

Hacker - an individual who attempts to gain unauthorised access to a computer system by exploiting its weaknesses and/or design flaws.

ICO - The Information Commissioner’s Office (ICO) is the office responsible for upholding the DPA and the Freedom of Information Act, promoting openness by public bodies and the right to privacy of individuals.

Internet of Things (IoT) - the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.

ISMS - An 'information security management system', i.e. the set of policies and procedures for systematically managing an organisation's sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by limiting the impact of a security breach.

ISO/IEC 27001:2013 - specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

Malware - short for malicious software; software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.

Patching - A 'patch' is a software update consisting of code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.
Patches may do any of the following:
>> Fix a software bug
>> Install new drivers
>> Address new security vulnerabilities
>> Address software stability issues
>> Upgrade the software.

Phishing - a method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.

Privacy by Design - an approach to systems engineering which takes privacy into account throughout the whole engineering process.

Ransomware - a type of malicious software designed to block access to a computer system until a sum of money is paid.

Sensitive Information - data that must be protected from unauthorised access to safeguard the privacy or security of an individual or organisation. There are three types: personal information, business information, and classified information.

Spear Phishing - An email designed to obtain financial or other confidential information, which differs from a simple phishing email in that it is targeted at a specific individual or organisation. Some basic information has already been obtained and is used to make the email appear more genuine and therefore trustworthy. The email will appear to come from either a specific person, sometimes from within the same company as the target, or from an organisation the person has a relationship with.

Spyware - malware that passes information about a computer user’s activities to an external party.

Two-factor authentication - the use of security steps additional to username and password. This step requires something that only the user would have, such as a piece of information or a physical object, for example a PIN or a card reader.

Virus - the most common form of malware; a virus is loaded onto a computer and then runs without the user's knowledge, or without the user's knowledge of its full effects.


Links, News And Further Resources

ARTICLES

Two Years After WannaCry, A Million Computers Remain At Risk - 12 May 2019

This article discusses the WannaCry ransomware attack, which infected hundreds of thousands of computers in May 2017, and discusses the risks many computers still face today.

Small Business Guide: Cyber Security - 15 November 2018

From the UK government, this guide details what a small business can do to be more secure. The guide can’t guarantee protection from all types of cyber attack, but the steps it outlines can significantly reduce the chances of your organisation becoming a victim of cyber crime.

How The Equifax Hack Happened, And What Still Needs To Be Done - 7 September 2018

This article details the events of the 2017 Equifax data breach, which compromised hundreds of millions of people’s data, and explains how it happened.

RESOURCES

CISA Cybersecurity Awareness Program Small Business Resources

Provided by the United States government, this link has many resources that small businesses can use to be more secure. This includes planning guides, tip cards, and toolkits.

Cyber Essentials

This is the National Cyber Security Centre’s standards for cyber security.

The Hacker News

The website provides up-to-date news stories regarding cyber security and cyber-attacks.

VIDEOS

Top Five Cybersecurity Tips For Small Businesses in 2021 - 6 June 2021

This instructional video details five steps that small business owners can take to make their organisations more secure.

Profit Through Ethics Ltd

Responsible 100 is delivered by Profit Through Ethics Ltd, a business registered in England with company number 4769798.
All Rights Reserved.

Contact details

Email: info@responsible100.com
Phone: +44 (0)20 3372 4504
Contact Form