APPENDIX G – HMG CYBERSECURITY GUIDELINES

We have stated already that information risk management is not only about cybersecurity, but that it encompasses other areas, especially including the risks associated with people who, at the end of the day, are actually the cause of many of the information security problems. That said, cybersecurity will remain a key part of the information risk management programme for many organisations, and it would be highly remiss to ignore it.

We have already (in Chapters 10 and 11) discussed the way in which the UK government deals with information risk management in its own environment. In June 2014 the government launched a new scheme to improve and promote cybersecurity, its primary objective being ‘to make the UK a safer place to conduct business online’.1

Firstly, let us take a very brief look at what cybersecurity actually is. The UK’s Cyber Security Strategy 2016–2021 defines cyberspace as:

the interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, internet-connected devices and embedded processors and controllers. It may also refer to the virtual world or domain as an experienced phenomenon, or abstract concept.

We can therefore suggest that cybersecurity is the art or science of protecting this infrastructure against accidental or deliberate loss or harm.

There are two separate government initiatives:

  • HMG Cyber Essentials Scheme2 from the Department for Digital, Culture, Media & Sport (DCMS).
  • 10 Steps to Cyber Security,3 produced by the National Cyber Security Centre (NCSC).

HMG CYBER ESSENTIALS SCHEME

The Cyber Essentials Scheme defines a set of controls that, when properly implemented, will provide organisations with basic protection from the most prevalent forms of threats coming from the internet. In particular, it focuses on threats that require low levels of attacker skill and are widely available online.

Risk management is the fundamental starting point for organisations to take action to protect their information. However, given the nature of the threat, the government believes that action should begin with a core set of security controls, which all organisations – large and small – should implement. Cyber Essentials defines what these controls are.

The scheme provides for two distinct levels of certification:

  • Cyber Essentials certification is awarded on the basis of a verified self-assessment. An organisation undertakes its own assessment of its implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the chief executive officer (CEO). This questionnaire is then verified by an independent certification body to assess whether an appropriate standard has been achieved, and certification can be awarded. This option offers a basic level of assurance and can be achieved at low cost.
  • Cyber Essentials Plus offers a higher level of assurance through the external testing of the organisation’s cybersecurity approach. Given the more resource-intensive nature of this process, it is anticipated that Cyber Essentials Plus will cost more than the foundation Cyber Essentials certification.

The scheme recommends the use of controls in five separate areas, as follows.

Securing the internet connection

By installing a firewall between the organisation’s network and the internet, incoming traffic can be analysed to establish whether or not it should be allowed into the network.

Securing all devices and software

By checking the settings of new software and devices, the level of security should be raised, for example by disabling any functions that are not required.

All devices and accounts should be password protected. These should be easy for the user to remember, but difficult for an attacker to guess. Default passwords should always be changed at the first opportunity.

Two-factor authentication will increase the level of security still further.

Control access to data and services

Accounts with administrative privileges should only be allocated to those administrators who have a genuine business need to have them. Where a user does not have this requirement, they should be allocated a standard, non-privileged account.

Users should not be allowed to make changes to their operating system or application software, nor should they be allowed to install new software, which may contain malware.

Protect against viruses and other malware

Operating systems should be protected against malware and other viruses by installing suitable antivirus software. This can be further enhanced by the process of ‘whitelisting’, which allows only those programs that have been tested and approved for use to be run on a device.

Furthermore, the use of applications that support ‘sandboxing’ should be preferred. These operate within a controlled environment that has restricted access to other devices and network areas.

Keep devices and software up to date

By keeping operating systems and applications up to date by applying the manufacturer’s latest patches, the opportunity for an attacker to intrude will be much reduced.
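The five control areas above can be turned into a readiness check that runs over an asset inventory. The following is an added example, not part of the guideline or the scheme's own tooling; the inventory fields, the approved-administrator list, the constructed sample devices and the 14-day patch-age threshold are all assumptions.

```python
"""Cyber Essentials readiness check over a constructed asset inventory (added example)."""
from datetime import date

APPROVED_ADMINS = {"it-ops"}   # assumed: users with a genuine business need for admin rights
PATCH_MAX_AGE_DAYS = 14        # assumed threshold for "up to date"


def check_device(dev, today):
    """Return (control_area, finding) tuples for one device, one per control gap."""
    findings = []
    # Securing the internet connection: boundary devices need a default-deny inbound firewall.
    if dev.get("boundary") and not (dev.get("firewall_enabled") and dev.get("inbound_policy") == "deny"):
        findings.append(("internet connection", "boundary device lacks a default-deny inbound firewall"))
    for acct in dev.get("accounts", []):
        # Securing devices and software: no default passwords, two-factor authentication on.
        if acct.get("default_credentials"):
            findings.append(("devices and software", f"account {acct['name']} still uses default credentials"))
        if not acct.get("mfa"):
            findings.append(("devices and software", f"account {acct['name']} has no two-factor authentication"))
        # Control access: admin rights only where there is an approved business need.
        if acct.get("admin") and acct["name"] not in APPROVED_ADMINS:
            findings.append(("access control", f"account {acct['name']} holds admin rights without approval"))
    # Protect against malware: anti-malware software must be present.
    if not dev.get("antivirus"):
        findings.append(("malware protection", "no anti-malware software installed"))
    # Keep devices up to date: flag hosts whose last patch is older than the threshold.
    age = (today - date.fromisoformat(dev["last_patched"])).days
    if age > PATCH_MAX_AGE_DAYS:
        findings.append(("patching", f"last patched {age} days ago"))
    return findings


def audit(inventory, today_iso):
    """Map each host to its list of findings; an empty list means no gaps found."""
    today = date.fromisoformat(today_iso)
    return {d["host"]: check_device(d, today) for d in inventory}


# Constructed sample inventory: one boundary firewall and one staff laptop.
INVENTORY = [
    {"host": "edge-fw", "boundary": True, "firewall_enabled": True, "inbound_policy": "allow",
     "antivirus": True, "last_patched": "2024-05-30",
     "accounts": [{"name": "admin", "default_credentials": True, "mfa": False, "admin": True}]},
    {"host": "laptop-01", "boundary": False, "antivirus": True, "last_patched": "2024-04-01",
     "accounts": [{"name": "it-ops", "default_credentials": False, "mfa": True, "admin": True},
                  {"name": "jsmith", "default_credentials": False, "mfa": True, "admin": True}]},
]

if __name__ == "__main__":
    for host, findings in audit(INVENTORY, "2024-06-01").items():
        print(host, findings or "no gaps")
```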

There are two main supporting documents currently available:

10 STEPS TO CYBER SECURITY

The 10 Steps to Cyber Security4 advice originates from the NCSC, which is part of GCHQ.

The measures detailed in the cybersecurity advice collectively represent a good foundation for effective information risk management. The degree of implementation of these steps will vary between organisations depending on their risks to the individual business.

This Crown Copyright material is included here under the UK Open Government Licence.5 The 10 areas are discussed below.

Risk management regime

Organisations should introduce and operate a regime of information risk management, which must be supported both by an effective governance structure and by the organisation’s board and senior management team. The organisation must communicate clearly its approach to risk management and must develop appropriate policies, procedures and practices. The aim is to ensure that all employees, contractors and suppliers are aware of the regime and the constraints to which they must adhere.

Secure configuration

Organisations must have an approach to identify baseline technology builds and processes in order to ensure that configuration management can improve the security of systems. Organisations should ensure that all unnecessary functionality is either removed or disabled from systems, and that known vulnerabilities are fixed in a timely manner, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.

Network security

In order to reduce the chances of network attacks succeeding, organisations should create and implement simple policies and appropriate procedures. Many organisations’ networks span multiple sites, and the use of remote working and of cloud services makes it difficult to define fixed network boundaries. Instead of focusing on physical connections, organisations should consider where their data are stored and processed, and where an attacker might have the opportunity to access them.

Managing user privileges

Users who are provided with unnecessary system privileges or data access rights may more easily impact, misuse or compromise information and services on the organisation’s networks. Non-administrative users should be provided with the minimal level of system privileges and rights needed for them to undertake their role. The granting of elevated or administrative privileges should be carefully controlled and managed.

User education and awareness

In order that users may play their part in their organisation’s security, it is important that both the security rules and the technology provided enable users to fulfil their role as well as help to keep the organisation secure. Delivery of suitable security awareness programmes and training helps to establish a culture of security.

Incident management

Organisations should establish appropriate incident management policies and processes in order to improve resilience, support the BC function, improve customer and stakeholder confidence and potentially reduce the impact of incidents. Where necessary, organisations should employ recognised sources of specialist incident management expertise.

Malware prevention

The term malware covers any code or content that could have a malicious or undesirable impact on systems. Any exchange of information may carry a degree of risk that malware might be present, and which could seriously impact the organisation’s systems and services. Anti-malware policies can help to reduce the risk as part of an overall ‘defence in depth’ approach.

Monitoring

In order to detect actual or attempted attacks on systems and business services, organisations should introduce system monitoring in order to respond effectively to attacks. Additionally, monitoring permits organisations to ensure that systems are being used appropriately, and is often a capability required in order to comply with legal or regulatory requirements.

Removable media controls

Malware is frequently introduced by means of removable media, which can also enable the accidental or deliberate export of sensitive data. Organisations should have a strict policy regarding the need for users to make use of removable media and should apply appropriate security controls to limit its use.

Home and mobile working

Mobile working and remote system access expose the organisation to risks that must be managed. Organisations should introduce risk-based policies and procedures supporting mobile working or remote access to systems by all users and service providers. Users must be trained in the secure use of their mobile devices in whatever environments they are working.

1 https://www.ncsc.gov.uk.

2 See https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.

3 See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security.

4 See https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security.

5 See http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/.
