By Alan Calder, founder and executive chairman of IT Governance
The problem with security infrastructure is that we only pay attention when it fails.
In November 1979, the Soviet Union launched over 2000 intercontinental ballistic missiles at the United States, an overwhelming first strike intended to wipe the country off the map. Hawkish National Security Advisor Zbigniew Brzezinski was on his way to awaken President Carter so that the counterstrike could be launched, when the news came through – a triple check had revealed that the apparent Soviet launch shown on their screens was actually a computer error.
Fortunately, somebody had put a sensible security measure in place – triple checking – and prevented a disaster. Do we remember the men who prevented world war three that day? Of course not – but everybody knows about the world wars that we didn’t prevent.
A cyber security failure can destroy your business
Cyber security is not very different: a failure can destroy your business but we rarely give credit to the system when it protects us, and all too often the subject is entirely ignored until after a successful attack. Executives generally prefer to focus on other areas – sales, finance, innovation, and so on – often ignoring IT security. What few realise is that IT security has to be addressed at every level and across all business departments – it cannot be separated from the business, but must be truly integrated. The responsibility for making this happen lies with the board.
If you are an executive, it is your legal and moral obligation to make sure that your business is properly protected against cyber crime. You wouldn’t dream of letting strangers wander through your office, going through sensitive company data – this is common sense that applies equally in the digital and physical realms.
Cyber Essentials – implementation is easy
The UK Government is aware, however, that many organisations are still not taking the digital threat seriously enough. Their response is the new Cyber Essentials scheme, which is an effort to meet the first responsibility of any government: to protect its citizens. In this case, they want to prevent fraud and theft by ensuring that data is kept safe.
Cyber Essentials is suitable for small, medium and large organisations across the UK, and will ensure that they have basic cyber security systems in place to counter the most common attacks: phishing, which exploits user credulity to infect systems with malware, and hacking, where attackers exploit known vulnerabilities in systems using tools that are readily available on the Internet. The more organisations that sign up, the safer and more attractive the UK will be as a place to do business.
In our new pocket guide on the subject, I outline the five controls that make up the scheme. Most organisations already have some or all of these security measures in place:
- Boundary firewalls and Internet gateways must be used to protect the integrity of the system.
- Computers and devices must be properly configured for security.
- Access privileges for users must be properly controlled.
- Malware protection (e.g. antivirus software) must be in place.
- Software patches must be installed as soon as the vendor releases them, so that the organisation is protected once known security issues and vulnerabilities have been fixed.
Make no mistake, implementing these controls will not solve all your cyber security problems – a more thorough approach like ISO27001 will give better protection – but there are a number of crucial advantages to becoming compliant with the scheme. For a start, it will defend you against the automated, untargeted attacks that make up the majority of cyber crime. With the average cost of a data breach in the UK at over £2 million, stopping just one successful attack could cover the cost of implementing Cyber Essentials several times over. What’s more, it can also prevent damage to your reputation – it is extremely embarrassing to be exposed as the victim of low-tech cyber attackers. From 1 October, the UK Government is also restricting the bidding on certain contracts to those with an official Cyber Essentials certification, which provides a further incentive for organisations to get involved.
Certification can give organisations an advantage over competitors, helping to demonstrate to potential customers that they are more committed to securing valuable data. Many organisations have already been certified – Barclays Bank was the first major organisation to achieve this – and IT Governance recently helped Vodafone to get their badge, so it is also a question of whether your organisation can afford to be left behind.
Compliance is a simple and inexpensive process
Getting certified to Cyber Essentials is a simple and inexpensive process, developed in collaboration with the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME) and the British Standards Institution (BSI) to ensure that any organisation – whether SME or multinational – is capable of achieving it. The involvement of an experienced cyber security company will significantly facilitate compliance – especially if the vendor is also an accredited certification body like IT Governance – as their experts can explain the entire process all the way through to full certification. The certification process itself involves a self-assessment questionnaire and external vulnerability scan. For Cyber Essentials Plus – the advanced level of certification – a more detailed internal check of your information security infrastructure is also necessary.
This raft of benefits means that the scheme is not just about ticking a box to win the odd government contract, however lucrative. It is also about taking steps to save your business from the untold financial costs and reputational damage that result from a breach – steps that might also save your career from taking the same unfortunate turn as that of the CEO of Target.
In short, obtaining certification could be one of the best investments you ever make. Don’t let your business suffer from the common management perception of security systems – you may never know just how many disasters Cyber Essentials has saved you from, but, with the current rise in aggressive cyber attacks, you can be sure that it is worth your attention.
Alan Calder is founder and executive chairman of IT Governance, the global provider of integrated cyber security products and services, and the author of ‘IT Governance: An International Guide to Data Security and ISO27001/ISO27002’, and the recently released ‘Cyber Essentials – A Pocket Guide’.