CS Mar-Apr 2020
masterclass
BATTLING THE BREACHES
A GLUT OF BREACHES ACROSS THE UK IS PROMPTING MANY ORGANISATIONS TO SEEK CYBER ESSENTIALS AUDITS
According to the 2019 DCMS Cyber Security Breaches Survey, around a third of UK businesses fell victim to a cyber breach or attack over the previous year and, of those, nearly half had identified at least one breach or attack per month. This persistent threat may explain the surge in companies asking Xcina IS, an information services company based near Cardiff, for Cyber Essentials audits.
Instigated by the UK Government's National Cyber Security Centre, the Cyber Essentials scheme evaluates participants' processes against five cyber security controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management. Correctly deployed, these will protect against most common cyber threats, based on commodity capabilities available on the internet.
Cyber Essentials certification has, since 2014, been mandatory for suppliers bidding for public sector contracts involving the handling of sensitive and personal information, and provision of certain technical products and services. It also reassures clients, both current and prospective, that security considerations have been built into systems and processes.
Certification is awarded on successful completion of a verified self-assessment questionnaire, but Xcina IS also offers an assisted version, as many SMEs lack the technical expertise to complete the process on their own.
According to Chris Benson, Technical Director at Xcina IS: "A lot of people just don't realise that security patching needs to go beyond desktops and servers, for example. Hackers can exploit any device that provides a link between your network and the internet. That could include printers, VPN appliances, firewalls, switches, access points - anything that can run code, basically. And once someone has found a way into your network through one of these, they can exploit other internal security issues and, before you know it, you've got a ransomware attack on your hands," he says.
Benson and his experienced team of engineers also conduct site visits to run the system scans required for clients wishing to take the next step: Cyber Essentials Plus certification. This more stringent audit builds on the foundations of Cyber Essentials and includes both internal and external scans to identify any areas requiring attention, as well as a series of on-site malware tests and an inspection of handheld devices.
As an IASME-accredited certification body, Xcina IS also works with companies looking to achieve the IASME Standard, an information-security standard designed for SMEs. Two levels of assessment are offered: IASME Verified Self-Assessment, involving a questionnaire relating to cyber security, security governance and GDPR compliance, and IASME Gold, which requires an additional onsite audit.
The increase in requests for these services may arise from increased awareness of the risks of lax cyber security. Media stories about the latest big name to suffer a data breach come thick and fast. Maybe the penny is finally dropping. The number of companies reporting breaches or attacks in the DCMS survey is still significant, but it does represent a considerable drop on numbers in previous years. The survey also indicates that companies are increasingly prioritising cyber security, with more written cyber security policies, greater provision of cyber security training for staff and regular updates to senior management on actions taken around cyber security.
Organisations which understand that cyber security complements existing strategic priorities (by protecting reputation and finances, and keeping key services running, for example), rather than competing with them, are likely to be in a far better position to anticipate, identify, prevent and deal with potential attacks. As Benson says: "Ultimately, if you're serious about protecting your assets, you'll employ a company like us."
For further information about Cyber Essentials, Cyber Essentials Plus and the IASME Standard, call Xcina IS on 02922 671564 or visit https://is.xcina.co.uk/
www.computingsecurity.co.uk @CSMagAndAwards March/April 2020 computing security