13 Feb 2017

Staying secure on line

Cyber security has seen more and more exposure over the last few months, with high-profile hacking incidents including the US elections, Olympic athletes' data and even personal emails being revealed.

It is now more important than ever that everyone realises the risks of cyber attack. Cyber attacks are not limited to big financial institutions or national security; even the smallest network can be exploited by cyber criminals.

In a series of interviews, Defence Online has asked Cyber Security professionals about the risks and how we can combat them.

Ex-Royal Navy, Andy Taylor is an independent consultant in the field. He is the Lead Assessor co-ordinator at AMPG, looking after the Government Cyber Essentials Scheme, the GCHQ Certified Training scheme (GCT) and ISO27001, as well as Assessor for the MOD/Dstl Cyber Defence Capability Assessment Tool (CDCAT).

We asked him his thoughts on cyber security, Cyber Essentials – the government scheme to combat cyber crime – and what’s in store for the year ahead.

Cyber Essentials is an industry supported certification scheme developed by the UK Government to improve an organisation’s cyber-security systems.

It consists of five basic controls, which everyone – not just businesses – should be doing to protect their data.

The idea behind the scheme was to identify very simple things that any organisation can do in order to enhance their cyber security, in order to reduce the risk of hacking and cyber attacks. Devised by GCHQ and government partners, the scheme provides simple guidelines that could stop 90% of cyber attacks overnight!

Why hasn’t everyone signed up to Cyber Essentials?

For a tech guy like me, I cannot understand why Cyber Essentials hasn’t taken off more. Everybody needs to be aware of the risks for the unsecure. It’s an education issue really, and for good or bad, the news of recent high profile attacks is a place to start. It should really make people sit up and take notice.

Much of the Cyber Essentials guidelines are actually covered already by your service provider, such as firewalls. But there are some simple things that are overlooked – Administrator privileges being a common one. Most people will set up a computer with the first account they see, which invariably is an administrator account. If you click on a virus or download that you’ve done, it’s just another level of security to protect you.

Patching is another major gap; while cyber crime is increasing, it is very common that vulnerabilities that were available five/ten years ago are still being exploited because people haven’t been bothered to patch their systems in order to combat them.

So Cyber Essentials basics are very valuable and fundamental to cyber security?

Yes – but part of the problem is that people think ‘tech/cyber’ and that’s far too complicated. Others don’t comprehend why they would be targeted, since they think they have no valuable or important information. There’s a ‘head in the sand’ attitude about it.

Another problem is that these attacks really are random; they can go to a big or small company. What people don’t realise is that the small companies are an easy and logical path into the bigger corporations through electronic trading.

Electronic trading is allowing criminals to hack a company’s email and then send out invoices to their customers. They look legitimate, and since you already trade with that company, the invoice can be paid. And then, once they are in – data can be harvested or other damage done.

One of the great (but perhaps surprising) things about Cyber Essentials is that you have to have this certification to win most Government contracts; particularly within the defence sector. I have recently certified McAfee, one of the world’s largest security providers.

Is there a case to make Cyber Essentials a bit more robust then?

I don’t think so. The fundamentals are very important and small companies are incapable of doing much more without a huge overhead and time commitment. Cyber Essentials wasn’t designed for big companies and in the defence sector, security clearance is set at levels based on the work being undertaken.

Do you think this will change as the ‘connected generation’ comes into the workplace?

I do, it will be a culture change. I’m only worried that with this also comes a certain amount of arrogance. We expect newly purchased tech to be secure – but it isn’t always.

This is one of my major concerns for the future, and the Government is currently working really hard to promote ‘secure out of the box’ design. For example, Windows 10, we all know, is one of the most secure operating systems out there, and they have worked with GCHQ and other departments to ensure it is a secure operating system from the word go.

The Internet of Things (IOT) is a whole new ballgame in cyber security that really worries me. The manufacturers of these IOT devices are using old technology, which is cheap, but doesn’t have security built in and they are leaving a massive security hole.

I attended a conference recently where a brand new CCTV camera was hacked within minutes of being out of the box. You might not think that’s a big problem – but this is then connected to your network, with all your secure data and even bank details. You have an easy back door for the cyber criminal to open.

Cyber security is even an issue for cars – you would think that security would be top of the list here, but you could hack a car from a distance and put the brakes on, which is really scary.

Another area is Ransomware attacks, where the cyber criminals are not only locking up your data and encrypting it, but stealing it as well. Something everyone should be really concerned about.

The real sledgehammer to put cyber security on the map will be the General Data Protection Regulation (GDPR) due in 2018. The fines for non-compliance are going to be astronomical, so businesses really need to take notice now.

The lessons are clear: with fines already being levied, companies need to protect their data and invest in cyber security. You could be covered for just £300 by investing in Cyber Essentials accreditation.


The post Staying secure on line appeared first on Defence Online.