Introducing the Issue
Are you prepared for a cyber attack? Businesses possess many types of sensitive information such as financial data, employee records, personal contact details, intellectual property, and financial and medical information. Without adequate cyber security measures in place, these are all put at risk. And in recent years, the likelihood of falling victim to espionage, military operations, or acts of cyber terrorism or cyber warfare carried out by rogue states has grown manyfold.
Exploring the Issue
‘Cyber security’ is security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.
The Internet has become a crucial part of daily life for individuals and businesses. As such, cyber security is crucial to all businesses, regardless of size or sector. While no organisation is ever 100% secure, cyber security is about taking steps to manage future risks. Without adequate cyber security measures embedded into culture and operations, businesses are taking huge risks. Recent events, such as the WannaCry ransomware attacks, the Equifax breach and the leaking of thousands of personal emails have received global media attention and exemplified the importance of protecting the information that is sensitive both to businesses and their customers.
‘Sensitive information’ is data that must be protected from unauthorised access to safeguard the privacy or security of an individual or organisation. There are three types:
Personal information: This is any information that can be used for identity theft, as it’s tied to a specific individual. Examples include National Insurance Numbers, credit card numbers, tax information, and more.
Business information: This is any information that would have a negative impact on the business if released. Examples include trade secrets or customer records.
Classified information: Small businesses are unlikely to have to worry about classified information, as this is information that is classified as sensitive by the government, and access to it is therefore restricted.
A ‘cyber attack’ is the attempt by a hacker or hackers to destroy a computer network or system, or destroy, change, or steal the information contained in it. The information that cyber attacks target tends to be the sensitive information, but that is not always the case.
A business’s preparedness for a cyber attack, and how it responds in the event of an attack, can have profound impacts up to and including complete organisational failure. The 2022 Information Security Breaches Survey reported that 72% of large firms had experienced a security breach of some sort. An FSB report published in June 2016 notes that 66% of small businesses have been victims of cybercrime, often more than once. Each of these crimes reportedly cost small businesses, on average, nearly £3,000. Given the impact of these breaches, cyber security is not exclusively an issue for large multinationals.
Businesses of all sizes increasingly hold enormous amounts of customers’ and employees’ private data, including ‘big data’ and ‘metadata’ on members of the public. Such data can be used to establish detailed and accurate profiles of individual behaviour and consumer habits, raising concerns over privacy and data ownership. Despite the significant financial and ethical dangers that accompany cybercrime, there is significant evidence that cyber security is still not treated as a high-priority strategic issue by many businesses.
Understanding and recognising the evolving landscape of cyber threats at the board level is essential to the sustainability and competitiveness of businesses. Acting on cyber security requires being prepared for and responding to breaches, and concerns intellectual property, customer information, resources, financial data, employee records, and much more. From coffee machines to driverless cars, everything that is linked to a network has the potential to be accessed by ‘hackers’: individuals who attempt to gain unauthorised access to a computer system by exploiting its weaknesses or design flaws.
This interconnectivity is becoming more prevalent, and with it the ability to collect far more data, from more individuals, and more sensitive data. The growth of the ‘Internet of Things’ is also a major contributor to the vulnerabilities that hackers take advantage of. The ‘Internet of Things’ is the interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data. The security built into all products and services is therefore becoming even more important, as is the security companies apply in their own business practices.
Biometrics – the measurement and statistical analysis of people’s physical and behavioural characteristics, such as fingerprints, gait or voice recognition.
CISSP – A Certified Information Systems Security Professional (CISSP) certification is an internationally recognised qualification in information security, available to those who have at least four years of experience in the field. The curriculum covers a variety of topics including identity and access management and security engineering.
Cloud Computing – convenient, on-demand network access to a private or shared pool of computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cyber Attack – An attempt by a hacker or hackers to destroy a computer network or system, or to destroy, change, or steal the information contained in it.
Cyber Security – security as applied to computing devices such as computers and smartphones, as well as private and public computer networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorised access, change or destruction, and is of growing importance in line with the increasing reliance on computer systems worldwide.
Encryption – the process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).
Firewall – hardware or software designed to prevent unauthorised access to a computer or network from another computer or network.
GDPR – The EU General Data Protection Regulation (GDPR) replaced the Data Protection Act (DPA) in May 2018. It was designed to protect and empower all EU citizens’ data privacy and applies to all businesses that process the data of subjects of the European Union, regardless of where the business is based.
Hacker – an individual who attempts to gain unauthorised access to a computer system by exploiting its weaknesses and/or design flaws.
ICO – The Information Commissioner’s Office (ICO) is the office responsible for upholding the DPA and the Freedom of Information Act, promoting openness by public bodies and the right to privacy for individuals.
Internet of Things (IoT) – The interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.
ISMS – An ‘information security management system’, i.e. the set of policies and procedures for systematically managing an organisation’s sensitive data. The goal of an ISMS is to minimise risk and ensure business continuity by limiting the impact of a security breach.
ISO/IEC 27001:2013 – specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.
Malware – short for malicious software: software designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware.
Patching – A ‘patch’ is a software update consisting of code inserted (or patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package.
Patches may do any of the following:
- Fix a software bug
- Install new drivers
- Address new security vulnerabilities
- Address software stability issues
- Upgrade the software
Phishing – a method used by criminals to try to obtain financial or other confidential information (including usernames and passwords) from internet users, usually by sending an email that looks as though it has been sent by a legitimate organisation (often a bank). The email usually contains a link to a fake website that looks authentic.
Privacy by Design – an approach to systems engineering which takes privacy into account throughout the whole engineering process.
Ransomware – a type of malicious software designed to block access to a computer system until a sum of money is paid.
Sensitive Information – data that must be protected from unauthorised access to safeguard the privacy or security of an individual or organisation. There are three types: personal information, business information, and classified information.
Spear Phishing – An email designed to obtain financial or other confidential information which differs from a simple phishing email in that it is targeted at a specific individual or organisation. Some basic information about the target has already been obtained and is used to make the email appear more genuine and therefore trustworthy. The email will appear to come either from a specific person, sometimes from within the same company as the target, or from an organisation the person has a relationship with.
Spyware – malware that passes information about a computer user’s activities to an external party.
Two-factor authentication – The use of a security step in addition to username and password. This step requires something that only the user would have or know, such as a PIN, or a physical object such as a card reader.
Virus – The most common form of malware. A virus is loaded onto a computer and then runs without the user’s knowledge, or without the user’s knowledge of its full effects.
Links & Further Resources
Migrating to a quantitative cyber risk model of analysis allows for more accurate data, which leads to more informed decision-making.
Cybersecurity & Infrastructure Security Agency