Spring is here, the evenings are getting lighter. It’s a time when we clean and refresh for the year ahead. It’s also a time for renewal and optimism – but if there’s one area that we don’t want to experience the joys of spring it’s cyber crime.
Cyber criminals can threaten our personal security, steal intellectual property, create and distribute viruses and disrupt our critical national infrastructure. They can also target and manipulate employees (the insider threat), sometimes with their co-operation and sometimes without their knowledge, and such attacks can remain undetected for months.
Considering all of this, it probably comes as no surprise that the cost of containment and damage is increasing.
The rising costs of cyber crime
The 2015 Ponemon Institute Cost of Cyber Crime Study: United Kingdom found that the mean annualised cost of cyber crime for the 39 benchmarked organisations was £4.1 million, ranging from £628,423 to £16 million per company, a 14% increase on 2014.
In addition, the Office for National Statistics measured UK incidents of cyber crime for the first time in late 2015. It estimated 5.1 million incidents of fraud and 2.5 million incidents falling under the Computer Misuse Act; of the latter, 404,000 involved unauthorised access (hacking) and 2,057,000 were infections with a computer virus.
So, what can you do?
As we have said in other Ascentor articles, basic security measures can prevent the most common cyber-attacks. What’s more, cyber security controls don’t need to be complex or cutting edge to be effective.
The following suggestions are relatively simple to achieve and will provide a good level of assurance that security controls are working effectively.
1) Start with your perimeter network (DMZ)
We suggest you start by looking at your perimeter network (also known as a DMZ or demilitarized zone). It is the part of your environment that is most exposed to the Internet and therefore the most commonly attacked.
The Ponemon Institute's findings show that companies deploying advanced perimeter controls and firewall technologies saw a substantially higher return on investment (24% and 22%, respectively) than from other security technologies.
- Ensure your perimeter network is appropriately patched, particularly anything with a direct connection to the Internet, such as your external-facing firewalls.
- Ensure your perimeter network has no default accounts or default passwords. These are a godsend to attackers looking for an easy route in.
- Arrange a penetration test of your perimeter network and take appropriate corrective action as soon as possible.
2) Ensure your AV solution is up-to-date and working effectively – test it to gain assurance
Your AV (anti-virus or anti-malware) solution is critical to your cyber hygiene, so it needs to be configured and working correctly. Whatever product you have chosen, make sure that it is being updated regularly. If you are connected directly to the Internet, updates to AV tools should be automatic and installed as soon as the vendor releases them. Check that your AV solution really is receiving those updates.
Is your AV solution actually working? What happens when it detects malicious code? Is the file automatically quarantined so that it cannot execute? Is somebody alerted so that they can take the necessary clean-up action? If the malicious code was detected in an email, has anyone else received the same or similar emails that were not detected?
Make sure you test your AV solution. The EICAR (European Expert Group for IT-Security) anti-virus test file has been written for exactly this purpose. Download the dummy file from a trusted source (http://www.eicar.org/86-0-Intended-use.html) and run the test. McAfee provide some good guidance: https://kc.mcafee.com/corporate/index?page=content&id=KB59742
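The following script is an added example, not from the original article or from EICAR, of what "run the test" looks like when you want a repeatable result for your assurance records rather than a one-off download. It assembles the standard 68-byte EICAR string, verifies it against the published SHA-256 before use, writes it to a directory and reports whether the on-access scanner blocked the write, removed the file, or did nothing. It assumes a file-based AV engine with on-access scanning; the target directory and the 10-second wait are assumptions you should adjust.

```python
"""Drop the EICAR anti-virus test file and check whether the on-access scanner reacts.

Added example (not from the original article or EICAR). Assumes a file-based AV
with on-access scanning; where a scanner only checks files at download time, run
a manual scan of the written file instead.
"""
import hashlib
import os
import sys
import tempfile
import time

# The standard 68-byte EICAR string, kept in two halves so that this script is
# not itself quarantined while sitting on disk; only the joined bytes trigger AV.
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
# Published SHA-256 of the exact 68-byte file (no trailing newline).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the 68-byte test file content."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_is_intact(data: bytes) -> bool:
    """Check the string before relying on it; a corrupted copy tests nothing.
    EICAR permits trailing whitespace up to 128 bytes in total, but we write the
    exact 68 bytes so that the hash comparison is unambiguous."""
    return len(data) == 68 and hashlib.sha256(data).hexdigest() == EICAR_SHA256


def drop_and_watch(directory: str, wait_seconds: float = 10.0) -> dict:
    """Write eicar.com into `directory` and watch what happens to it.

    Returns {'path', 'written', 'removed'}: 'written' is False if the write
    itself was blocked; 'removed' is True if the file disappeared within the
    wait, i.e. the scanner quarantined or deleted it."""
    path = os.path.join(directory, "eicar.com")
    result = {"path": path, "written": False, "removed": False}
    try:
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
        result["written"] = True
    except OSError:
        return result  # blocked by AV, or by permissions: the AV log tells you which
    deadline = time.monotonic() + wait_seconds
    while time.monotonic() < deadline:
        if not os.path.exists(path):
            result["removed"] = True
            break
        time.sleep(0.5)
    if os.path.exists(path):
        os.remove(path)  # nothing reacted; do not leave the test file lying around
    return result


def verdict(result: dict) -> str:
    """Turn the observation into a pass/fail line for the assurance record."""
    if not result["written"]:
        return "PASS?: write was blocked; confirm in the AV log that the scanner, not permissions, did it"
    if result["removed"]:
        return "PASS: scanner removed or quarantined the file; now check that an alert was raised"
    return "FAIL: file still present; on-access scanning is not working for this path"


if __name__ == "__main__":
    # Test a directory users actually write to; temp directories are often excluded.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    if not eicar_is_intact(eicar_bytes()):
        sys.exit("EICAR string corrupted, aborting")
    print(verdict(drop_and_watch(target)))
```

Run it as `python eicar_check.py "C:\Users\Public\Documents"` (or a home directory on Linux or macOS) rather than against the default temp directory, since exclusions on temp paths are common and would give a false FAIL. A PASS on the file system answers only the first of the questions above; you still need to confirm that the detection produced an alert that a named person received.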
3) Audit all accounts with particular attention to privileged accounts and weed out those that are no longer required or have weak passwords
Having redundant accounts on your systems is asking for trouble. If one of those accounts were compromised, would anyone actually notice and do something about it? Audit all the accounts on a system to see when each was last used, and disable or delete (depending on your audit policy) any that are no longer in use.
Run internal tests on your accounts to check that passwords comply with your password policy for both strength and maximum age. Identify those that don't and force the users to change them.
Note that recent guidance from CESG offers practical advice on reducing password complexity requirements and changing passwords only when a compromise is known or suspected. That stance assumes a good level of confidence in your ability to detect a compromise in the first place, so make sure your accounting and audit processes are mature before adopting it.
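As an added example of the account audit described above (not Ascentor's tooling, and run here on constructed data), the script below takes a flattened account export, flags accounts that are dormant, that breach the policy's maximum password age, or that are disabled but still sit in a privileged group, and lists privileged accounts first. The CSV column names are an assumption modelled on an Active Directory export (for example `Get-ADUser -Properties LastLogonDate,PasswordLastSet,MemberOf` written out to CSV); the 90-day and 365-day thresholds and the group names are assumptions to replace with your own policy.

```python
"""Flag dormant, privileged and password-policy-breaching accounts in an export.

Added example with constructed data; it is not Ascentor's tooling. The CSV
columns are an assumption, modelled on a flattened Active Directory export
(e.g. Get-ADUser -Properties LastLogonDate,PasswordLastSet,MemberOf); rename
them to match whatever your directory or application actually produces.
"""
import csv
import io
from datetime import date

# Policy thresholds: assumptions for the example, set them from your own policy.
DORMANT_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 365
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Account Operators"}

# Fixed audit date so the example is repeatable; use date.today() in practice.
AUDIT_DATE = date(2016, 4, 1)

# Constructed sample export (no real accounts). An empty date means "never".
SAMPLE_EXPORT = """\
sam_account,enabled,last_logon,password_last_set,member_of
jsmith,True,2016-03-28,2015-11-02,Domain Users
svc_backup,True,2015-04-01,2013-06-15,Domain Users;Administrators
tmp_contractor,True,,2015-01-10,Domain Users
admin2,False,2015-09-09,2014-02-01,Domain Admins
hq_ops,True,2016-03-30,2016-01-05,Domain Users;Account Operators
"""


def _parse_date(text: str):
    return date.fromisoformat(text) if text else None


def audit_accounts(csv_text: str, today: date) -> list:
    """Return one finding per problem account, privileged accounts first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = set(g for g in row["member_of"].split(";") if g)
        privileged = bool(groups & PRIVILEGED_GROUPS)
        enabled = row["enabled"].strip().lower() == "true"
        last_logon = _parse_date(row["last_logon"])
        pwd_set = _parse_date(row["password_last_set"])

        issues = []
        if enabled and (last_logon is None or (today - last_logon).days > DORMANT_DAYS):
            issues.append("dormant")  # never used, or unused for longer than policy allows
        if enabled and (pwd_set is None or (today - pwd_set).days > MAX_PASSWORD_AGE_DAYS):
            issues.append("password-age")  # breaches the policy's maximum password age
        if not enabled and privileged:
            issues.append("disabled-but-privileged")  # disabled, yet still in an admin group
        if not issues:
            continue

        if "dormant" in issues:
            action = "disable or delete per retention policy"
        elif "disabled-but-privileged" in issues:
            action = "remove privileged group membership or delete"
        else:
            action = "force password change"
        findings.append({
            "account": row["sam_account"],
            "privileged": privileged,
            "issues": issues,
            "action": action,
        })

    # Privileged accounts first, then alphabetical: they are the ones to fix today.
    findings.sort(key=lambda f: (not f["privileged"], f["account"]))
    return findings


def run_sample() -> list:
    return audit_accounts(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        flag = "PRIV " if f["privileged"] else "     "
        print(f"{flag}{f['account']:<16} {', '.join(f['issues']):<32} -> {f['action']}")
```

On the sample data this flags the disabled Domain Admin `admin2`, the dormant service account `svc_backup` that still holds local Administrators membership, and the never-used `tmp_contractor` account, while leaving the two active users alone. Password age can be read from an export like this; password strength cannot, and needs a separate offline audit of the password hashes under appropriate authorisation.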
4) Understand what information your business cares about
The way to secure your business is to protect the things that you care about, but to do that effectively you have to know what you care about first. So we suggest you start with the following steps:
- Draw a simple diagram of your business: what are its basic components, and who are your business partners, service providers and customers? Use a simple set of symbols or a mind-map approach.
- Identify what types of information your business creates, stores and transfers as part of day-to-day operation. This will include staff personal information, sensitive client information, your company's intellectual property, commercial information and business partner details. For each type of information, establish what it is, where it is held and how much of it there is. Some of it will carry legal obligations, for example under the Data Protection Act.
- It is easier to focus on what you really care about if you sort those information types into an order of how important they are to your business. You could use a RAG (Red, Amber, Green) rating, a 1 to 5 scale, or simply a list with the most important at the top.
- Now you have established what is most important to your business you can focus your security efforts accordingly.
5) Refresh and communicate your cyber security policies
Creating an organisation where cyber security awareness is part of the culture takes effort. Sadly, if we assume that employees will follow instructions just because we issue them, we are mistaken. Communication needs context.
Do your people understand the consequences of a relaxed attitude to cyber security? Do they realise what can happen if they store data on their own devices without permission, leave their laptop in the pub, or think it's OK to create their own IT "work-around" as a quick fix?
If your policies are gathering dust, if you haven't put risk into scenarios that relate to your employees, or if your people think security is the IT department's job and doesn't apply to them, now is a good time to revise your communication approach, in springtime or at any time. You may find our article Six Steps to Manage the BYOD Information Risk of help.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.
Email: [email protected]
Office: 01452 881712