Cyber Security


Introducing The Issue 

Are you prepared for a cyber attack? Businesses hold many types of sensitive information, such as financial data, employee records, personal contact details, intellectual property, and medical information. Without adequate cyber security measures in place, all of these are put at risk. And in recent years, the likelihood of falling victim to espionage, military operations, or acts of cyber terrorism or cyber warfare prosecuted by rogue states has grown manyfold.

Describe What You Currently Do 

Responsible 100 has developed a number of introductory questions for both managers and employees. Our short question sets enable these key stakeholders to explore this important responsibility issue, relevant to their organisation, and to begin to describe current practices and views. Please respond with as much relevant information as possible. Nothing you submit will be shared or published without your permission.

Benchmark Performance Statements

  • EXCELLENT - The business is fully prepared for a cyber attack. Promoting and enabling thorough cyber security is fundamental to the business. Protecting the personal information of customers and all forms of business data is critical to the business’s success, values and mission. The business demonstrates a deep understanding of, and a range of appropriate responses to, cyber threats which are constantly evolving. The business combines best practices in the training and behaviours of its employees and other key stakeholders with state of the art technical defences. Both pillars are fully resourced. KPIs are set and progress is measured and monitored against them, with strategies and practices updated and recalibrated accordingly. All stakeholders understand the centrality of the highest standards of cyber security and their roles in enabling it.
  • GOOD - The business demonstrates a commitment to achieving the highest standards of cyber security and pursues a number of best practices. The business demonstrates the pursuit of relevant practices and policies and understands and addresses a full range of risk factors. Cyber security is frequently and actively discussed in the workplace and employees are appropriately trained on a regular basis. The business invests in both the regular training of its employees and other key stakeholders, and in the best technical defences. Both pillars are adequately resourced. KPIs are set and progress is measured and monitored against them. All stakeholders understand the importance of the highest standards of cyber security and what their roles and responsibilities are in helping to achieve that.
  • OKAY - The business makes clear it understands that cyber security is of the utmost importance and that it has a responsibility to various stakeholder groups in establishing protection from cyber threats. The business undertakes a number of best practices with regard to cyber security, but on an ad hoc basis and predominantly as and when convenient. Policies and practices may exist but are not regularly updated nor widely circulated. Most employees understand that cyber security is important and take a number of steps to play their part, but deep knowledge and full compliance are highly variable. Some training is given or available but is rarely taken up. Both good practices and poor practices are evident, but the business takes responsibility to improve. OR the business explains how the issue is neither relevant nor material to its operations and is outside all of its spheres of influence.
  • POOR - The business acknowledges that performance is below expectations. The business is poorly protected against cyber threats, both in terms of out of date and/or inadequate IT systems and technical protections, and in terms of the behaviours of its employees and other stakeholders. The business’s systems and mission-critical information are at risk, along with the sensitive data it holds for its customers and other stakeholders. The business has suffered cyber attacks before but has neither learnt from them nor improved its practices since. The business’s practices are poor despite its size and/or sector making it particularly susceptible to cyber attack.

Responsible 100 creates and develops detailed benchmarks on each of the issues we explore. The above reveals only summaries of the current statements describing POOR, OKAY, GOOD and EXCELLENT performance standards. No policy nor practice examples are included here. The complete benchmarks are shared with organisations which, through offering answers to the above questions, help to shape and improve the benchmarks on an ongoing basis. Find out more about our benchmarks here.


Exploring The Issue

'Cyber security' is security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

The Internet has become a crucial part of daily life for individuals and businesses. As such, cyber security is crucial to all businesses, regardless of size or sector. While no organisation is ever 100% secure, cyber security is about taking steps to manage future risks. Without adequate cyber security measures embedded into culture and operations, businesses are taking huge risks. Recent events, such as the WannaCry ransomware attacks, the Equifax breach and the leaking of thousands of personal emails have received global media attention and exemplified the importance of protecting the information that is sensitive both to businesses and their customers.

'Sensitive information' is data that must be protected from unauthorised access to safeguard the privacy or security of an individual or organisation. There are three types:

>> Personal information
This is any information that can be used for identity theft, as it’s tied to a specific individual. Examples include National Insurance Numbers, credit card numbers, tax information, and more.

>> Business information
This is any information that would have a negative impact on the business if released. Examples include trade secrets or customer records.

>> Classified information
Small businesses are unlikely to have to worry about classified information, as this is information that is classified as sensitive by the government, and access to it is therefore restricted.

A 'cyber attack' is the attempt by a hacker or hackers to destroy a computer network or system, or destroy, change, or steal the information contained in it. The information that cyber attacks target tends to be the sensitive information, but that is not always the case.

A business’s preparedness for a cyber attack, and how it responds in the event of an attack, can have profound impacts up to and including complete organisational failure. The 2022 Information Security Breaches Survey reported that 72% of large firms had experienced a security breach of some sort. An FSB report published in June 2016 notes that 66% of small businesses have been victims of cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000. Given the impact of these breaches, cyber security is not exclusively an issue for large multinationals.

Businesses of all sizes increasingly hold enormous amounts of customers’ and employees’ private data, including ‘big data’ and ‘metadata’ on members of the public. Such data can be used to establish detailed and accurate profiles of individual behaviour and consumer habits, raising concerns over privacy and data ownership. Despite the significant financial and ethical dangers that accompany cybercrime, there is significant evidence that cyber security is still not treated as a high-priority strategic issue by many businesses.

Understanding and recognising the evolving landscape of cyber threats at the board level is essential to the sustainability and competitiveness of businesses. Acting on cyber security requires being prepared for and responding to breaches, and concerns intellectual property, customer information, resources, financial data, employee records, and much more. From coffee machines to driverless cars, everything that is linked to a network has the potential to be accessed by ‘hackers’: individuals who attempt to gain unauthorised access to a computer system by exploiting its weaknesses or design flaws.

This interconnectivity is growing, along with the ability to collect far more data, and more sensitive data, from more individuals. The growth of the ‘Internet of Things’ is also a major contributor to the vulnerabilities that hackers take advantage of. The ‘Internet of Things’ is the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. The security built into all products and services is becoming ever more important, as is the security companies apply in their own business practices.


Definitions

Biometrics - the measurement and statistical analysis of people's physical and behavioural characteristics, such as fingerprints, gait or voice.

CISSP - A Certified Information Systems Security Professional (CISSP) certification is an internationally recognised qualification in information security, available to those who have at least four years of experience in the field. The curriculum covers a variety of topics including identity and access management and security engineering.

Cloud Computing - convenient, on-demand network access to a personal or shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cyber Attack - an attempt by a hacker or hackers to destroy a computer network or system, or to destroy, change, or steal the information contained in it.

Cyber Security - security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.

Encryption - the process of taking an unencrypted message (plaintext), applying a mathematical function to it (an encryption algorithm with a key) and producing an encrypted message (ciphertext).

Firewall - hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.

GDPR - The EU General Data Protection Regulation (GDPR) replaced the Data Protection Act (DPA) in May 2018. It was designed to protect and empower all EU citizens' data privacy and applies to all businesses that process the data of subjects of the European Union, regardless of where the business is based.

Hacker - an individual who attempts to gain unauthorised access to a computer system by exploiting its weaknesses and/or design flaws.

ICO - The Information Commissioner’s Office (ICO) is the office responsible for upholding the DPA and the Freedom of Information Act, promoting openness by public bodies and the right to privacy of individuals.

Internet of Things (IoT) - the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.

ISMS - an 'information security management system', i.e. the set of policies and procedures for systematically managing an organisation's sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by limiting the impact of a security breach.

ISO/IEC 27001:2013 - specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

Malware - short for malicious software, designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.

Patching - A 'patch' is a software update consisting of code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.
Patches may do any of the following:
>> Fix a software bug
>> Install new drivers
>> Address new security vulnerabilities
>> Address software stability issues
>> Upgrade the software.

Phishing - a method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.

Privacy by Design - an approach to systems engineering which takes privacy into account throughout the whole engineering process.

Ransomware - a type of malicious software designed to block access to a computer system until a sum of money is paid.

Sensitive Information - data that must be protected from unauthorised access to safeguard the privacy or security of an individual or organisation. There are three types: personal information, business information, and classified information.

Spear Phishing - an email designed to obtain financial or other confidential information which differs from a simple phishing email in that it is targeted at a specific individual or organisation. Some basic information about the target has already been obtained and is used to make the email appear more genuine and therefore trustworthy. The email will appear to come either from a specific person, sometimes from within the same company as the target, or from an organisation the person has a relationship with.

Spyware - malware that passes information about a computer user’s activities to an external party.

Two-factor authentication - the use of a security step in addition to username and password. This step requires something that only the user would have, such as a piece of information (for example a PIN) or a physical object (for example a card reader).

Virus - the most common form of malware. A virus is loaded onto a computer and then runs without the user's knowledge, or without the user knowing its full effects.


Links, News And Further Resources

ARTICLES

Two Years After WannaCry, A Million Computers Remain At Risk - 12 May 2019

This article discusses the WannaCry ransomware attack, which infected hundreds of thousands of computers in May 2017, and discusses the risks many computers still face today.

Small Business Guide: Cyber Security - 15 November 2018

From the UK government, this guide details what a small business can do to be more secure. The guide can’t guarantee protection from all types of cyber attack, but the steps it outlines can significantly reduce the chances of your organisation becoming a victim of cyber crime.

How The Equifax Hack Happened, And What Still Needs To Be Done - 7 September 2018

This article details the events of the 2017 Equifax data breach, which compromised hundreds of millions of people’s data, and explains how it happened.

RESOURCES

CISA Cybersecurity Awareness Program Small Business Resources

Provided by the United States government, this link has many resources that small businesses can use to be more secure. This includes planning guides, tip cards, and toolkits.

Cyber Essentials

This is the National Cyber Security Centre’s standards for cyber security.

The Hacker News

The website provides up-to-date news stories regarding cyber security and cyber-attacks.

VIDEOS

Top Five Cybersecurity Tips For Small Businesses in 2021 - 6 June 2021

This instructional video details five steps that small business owners can take to make their organisations more secure.

Profit Through Ethics Ltd

Responsible 100 is delivered by Profit Through Ethics Ltd, a business registered in England with company number 4769798.
All Rights Reserved.

Contact details

Email: info@responsible100.com
Phone: +44 (0)20 3372 4504