What is cyber security?

What is Cyber Security?

Cyber security in its broadest form is protection against something bad that might happen in the future to anything connected to your electronic communication networks.

In human speak cyber security is any measure that helps reduce the risk that your organisation may face from cyber threats.

These measures come in many forms and help counter the level of cyber risk posed by anything that uses or impacts an organisation’s networks.

Why is Cyber Security important?

Cyber security measures are used to counter the level of cyber risk that an organisation faces. On average 40% of UK businesses experience a cyber attack per year according to the Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2022 (DCMS Breach Survey 2022).

This is due to three main factors; firstly, cyber criminals have developed into criminal organisations that have more resources and money at their disposal. This has allowed them to utilise an increased number of methods to infiltrate an organisation’s networks such as:

• Malware
• Denial of Service
• Phishing
• SQL Injection
• Password Attacks

Secondly, the consequences of a successful cyber attack have become increasingly costly to an organisation both short term and long term. Since the introduction of the General Data Protection Regulation (GDPR) customers, employees and stakeholders hold a higher importance to their personal data. Organisations that suffer breaches not only face financial impact from the immediate operational disruption but also face large fines if the breach involves a leak of personal data. There is also a longer-term revenue hit due to loss of custom and reputation. Customers, employees and stakeholders are now expecting organisations to process their data securely. If it is proven after a breach that an organisation didn’t have the necessary controls in place then that is very hard to build up trust again.

At the end of the day, breaches happen. An organisation can have all the measures in place and still those cyber criminals find their way in – after all it is their job. If an organisation has the necessary measures in place and react in a timely and reasonable manner, then no one can expect any more. Article 32 of the GDPR states that organisations need to implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk. So as long as organisations do that then they should avoid hefty fines, reputational damage and will have the controls in place to stop an attack from progressing across the network.

Thirdly, cyber insurance has been considered by many organisations to be a viable and more cost-effective alternative to implementing proactive measures to prevent and protect against potential attacks. This stance has left many organisations wide open to an attack – and insurance companies paying out too many premiums. This has presented both policy providers and policy seekers with a number of cyber insurance challenges.

To determine the level of cyber risk your organisation is exposed to find out how cyber ready you are with our free tool.

Types of Cyber Security

If you’ve ever investigated cyber security measures, you’ll know that there are thousands of options out there which quickly become confusing and daunting.

Cyber security measures can be categorised into three main groups, or pillars as they’re known in the industry: People, Process and Technology. For the most effective cyber security strategy it is important to have a blend of measures from each of the three pillars.

People

When we think of cyber security, we typically think of technology solutions that get put onto the network and alert us when certain events happen. But cyber security is so much more than that. In fact, the majority of successful cyber attacks start by exploiting human error i.e. social engineering and phishing attempts. So, it is essential that our colleagues and employees are aware of the cyber risks that they are exposed to whilst going about their day job.

To combat these risks, educating colleagues and employees and creating a cyber aware culture is a good place to start. Implementing a continuous awareness and training program will help people to recognise phishing attempts, malicious URLs and basic device hygiene. It also helps familiarise people with the procedure to follow in the event of a suspected attack whether that be clicking a report button within their email platform, notifying a superior the security department.

Phishing attacks have become increasingly sophisticated, so it is important we arm our workforce with the knowledge of how to spot and report attempts that land in their inboxes.

Process

Processes are an integral part to business due to the visibility, efficiency, and flexibility they allow organisations to benefit from. Cyber security is no different, having the basic processes in place will help an organisation effectively combat the level of cyber risk that it faces.

The most efficient way to demonstrate basic processes are in place is to gain external accreditations. There are three main cyber security accreditations in the UK:

1. Cyber Essentials
2. Cyber Essentials PLUS
3. ISO 27001

The UK Government’s Cyber Essentials scheme is a great place to start for SMEs. It helps instil the basic process and some basic cyber security measures such as correct firewall configuration, restriction of admin access and multifactor authentication. The scheme starts with Cyber Essentials and then progresses to Cyber Essentials PLUS once organisations are ready to move up the ladder.

According to the DCMS Breach Survey 2022 only 6% of UK business have the Cyber Essentials accreditation and only 1% have the Cyber Essentials PLUS accreditation. Which, although worrying from a UK security standpoint, does present an opportunity for businesses to stand out from their competitors by showing that they put security first. As we explored above, people are now expecting organisations to handle their data securely, what better way to show that than by holding cyber security accreditations.

For larger organisations, or those that don’t want to settle with Cyber Essentials PLUS, then the International Organisation for Standardisation provide an Information Security standard, ISO 27001. This the crème de la crème of cyber security accreditations and is a requirement for doing business with some government and enterprise organisations.

Technology

Technology solutions are what most people tend to think of when they think of cyber security. The market is saturated with various technology solutions that all claim to be the silver bullet. The truth is, like with almost everything else, there is no silver bullet. It takes a combination of technology measures to ensure the best level of security.

Our recommendation for the best level of defence would be to have the following technology solutions in place:

1. Threat Detection and Response (TDR)
2. Vulnerability Management
3. Email Threat Prevention
4. Penetration Testing

In short, TDR, also known as Managed Detection and Response (MDR) or Endpoint Detection and Response (EDR) is a monitoring service that observes feeds from your network, IT services infrastructure and endpoints and automatically isolates threats that are detected. Typically, these services are supported by a Security Operations Centre (SOC), which simply put is a team of security experts that triage any alerts that come from your environment.  Through a series of complex processes and data analysis they initiate the response to any malicious activity. This service is the ‘Fire Alarm’ AND the ‘Fire Suppression system’ of your entire technology environment.

Vulnerability Management is a proactive approach to understanding all the technology vulnerabilities that may exist across your technology estate, with new ones emerging daily. Vulnerability scans your network, your servers and cloud environments, and your endpoints continuously looking for and alerting when new vulnerabilities emerge, or if there’s a device in your technology estate that could be susceptible. These vulnerabilities can then be patched by an IT team or outsourced provider. If your current IT resource doesn’t have capacity to patch the vulnerabilities, then a Vulnerability Patch Management service maybe required which automatically correlates vulnerabilities with available patches and deploys these across the network and devices.

Email Threat Prevention detects and blocks unwanted and malicious email traffic, including targeted and advanced attacks such as phishing and whaling, as well as potential ransomware.

Penetration Testing is slightly different to the other technology measures, TDR, Vulnerability Management and Email Threat Prevention are all services that are deployed and continue running on an ongoing basis. Penetration Testing is a point-in-time test whereby a team of ethical hackers mimic a cyber-attack to test your organisations resolve. A successful penetration test will identify and safely exploit weaknesses in your cyber defences. This allows you to remediate the weak points in your environment. It is recommended that penetration tests are conducted annually, and some government and enterprise organisations make this a requirement of doing business with suppliers.

Who needs Cyber Security?

In short, all organisations need to have some level of cyber security. After all a successful cyber attack can wipe out a business. Ultimately, it is up to each organisation to determine which measures to deploy.

As discussed earlier, if your organisation processes personal data (which is nearly every organisation, since employee data is considered personal data) it is a legal requirement to implement the appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

So, to determine what cyber security measures an organisation should deploy it would need to assess the risks that it faces and determine how much of that risk it is willing to accept, whilst also keeping in mind the challenges that come with deploying cyber security measures.

Read our blog post if you need help determining your organisations cyber risk appetite.

Challenges of Cyber Security

When implementing cyber security measures there are four main challenges to overcome:

1. Board buy-in
2. Budget
3. Managing cyber security
4. Measuring output

Board buy-in

Typically, because of the non-core nature of cyber security, Boards have been reluctant to buy-in to implementing a cyber security strategy. However, according to DCMS Breach Survey 2022 82% of boards or senior management within UK business rate cyber security as a very high or fairly high priority. So, getting Board buy-in could be easier than you think. Recent data protection laws hold Boards personally liable for data breaches so if there was a time to get your cyber security in order – now would be the time to do it.

If you need Board buy-in you can find out how cyber ready your organisation currently is with our free tool. You’ll receive a Cyber Readiness Score as well as advice and guidance on how to improve your cyber security posture – a great place to start in order to build out an effective cyber security strategy.

Budget

Cyber security is often seen as an additional expense that does not directly correlate to an increase in sales or productivity. For this reason, it can be difficult to secure budget. Hopefully by now you’ll agree, given what we’ve covered in this article, that it is a necessity. So how can you keep the costs down? Ultimately, if you were to start building our recommended cyber security strategy in-house you could spend up to five times more per annum than if you were to outsource it. Outsourcing to a trusted provider can be a way of overcoming the budget hurdle. We’ve written a blog post assessing in-house versus outsourced cyber security.

Managing cyber security

If you were to implement all of the measures we have suggested above then your current IT team or IT provider would be inundated with alarms and alerts that would need addressing, creating a lot of noise that would take away from their day job of ensuring critical systems are working as should be. Burdening already overwhelmed IT teams with cyber security not only distracts them from their day-to-day tasks but also presents a security risk in itself. norm. CTO Paul Cragg recorded a helpful video about managing cyber security. In short, it’s about having 24×7 experts in place to be able to deal with the output of the installed measures. This directly links to the budget piece we wrote above. You could go to recruiters and look at hiring some analysts and a team lead, but this can get very costly very quickly, particularly in today’s job market. A great way of negating having to do this is to lean on the resource of a trusted cyber security partner whose sole function is cyber security that can handle some of the noise for you. Don’t forget, cyber criminals work round the clock, not just 9 to 5, so having 24×7 support from a trusted partner is imperative to effectively managing your cyber security measures.

Measuring output

The fourth main challenge in cyber security is measuring output. How do you know your cyber security measures are working? norm. CTO, Paul Cragg, recorded a video about measuring the effectiveness of your cyber defences. Before now, there has only been one way to measure cyber security defences, by asking the question ‘Have I been breached today?’ Now, managed cyber security service providers like norm. are amalgamating the outputs of cyber security measures into a single metric. norm.’s is the Cyber Resilience Score. A single metric from 0-100 that tells stakeholders exactly how well protected the organisation is – simple. This can be tracked over time to show how, by training people, instilling processes and actioning the output of technology controls, an organisation can become more cyber resilient.