Dominic Roberts from Cyber Security Team explained the Cyber Security Essentials scheme at the Business Show at London’s Excel. Cyber Security Essentials is the government’s information security assurance scheme for SMEs.
Cyber security is what we need to stop theft of things such as credit card details, modification on websites or deletion. For SMEs, we are mainly looking at black hat hackers, criminals that exploit vulnerabilities for personal gain. There are other kinds of hackers that aren’t necessarily doing it for money, but for SMEs it will usually be the case that the hacker is trying to make a quick buck. It’s not always how you imagine it though – data is often exposed by employees accidentally.
Sometimes there are data leaks from ex-employees or third parties that could be intentional. SMEs often don’t make cyber security their priority – there is too much to juggle, and as a result they becomes the low hanging fruit.
Malware can be snuck in to your computer via dodgy emails and attachments. The malware will then set up home and try to connect to the internet, and hackers are often careful to make sure you get the latest updated version of that virus. They will push out any data they can, and they will spread and try and get out to other machines. System restore is a bad thing as far as malware is concerned, and it will try and delete the system restore files so you can’t return to a point before the computer was infected. It can then lock files.
Ransomware – if the virus manages to encrypt your files, it can demand you pay in Bitcoins to have your files released. You can pay the ransom, but there’s no guarantee you’ll be given your data back. If you write the data off it could be the end of your company. Trying to restore from backups can take days. Once it’s happened you will need to inform customers and it is incredibly damaging for your business. That is the real cost, because it might only be a few hundred to get your data back, but now the damage is done.
Anti-malware: you can install anti-malware, but you need this on all the machines. Update it regularly.
Secure host configuration: have secure passwords, remove unnecessary accounts. Control the creation of user accounts and when someone leaves the company make sure they can no longer access data.
Install a firewall: change the default admin password, approve and document firewall rules and remove unused rules.
Patching: remove old, defunct software, use licensed software that can download patches, install patches in a timely manner, (government suggestion is 30 days), and patch ALL systems.
Try and use a chain of protection. The more multi-layered your protection is, the safer your data and your brand’s reputation will be.
Cyber Essentials is self-assessed, so it’s not too difficult to do. You can use it to procure cyber insurance and you need it to work with the government.