As part of our ongoing work towards digital security, Link Group has recently been accredited with the Cyber Essentials certification.
The government-backed scheme helps organisations ensure adherence to security best practice for protection against the most common cyber-attacks. Cyber Essentials seeks to help businesses defend against the bulk of cyber-attacks, which are generally very basic in nature; these attacks are often described as the digital equivalent of a thief trying lots of doors until they find an unlocked one.
Preparing for Cyber Essentials
We decided to prepare to achieve Cyber Essentials a few months before our regular cybercrime audit. This meant we were well positioned when the audit arrived because we discovered these audits would be based around the standards outlined in the government’s Cyber Essentials scheme (CES). The objective of introducing CES into Link’s strategy was to improve our cyber resilience by aligning as closely as possible with the CES baseline of security standards.
The process for gaining CES certification begins with familiarising the business with cyber security terminology and adopting techniques to secure the digital infrastructure. This leads to the completion of a self-assessment application which addresses the risks associated with the most common cyber threats. This exercise removes the business from the group that attackers would consider ‘low-hanging fruit’.
While our ICT&D service was already adhering to a subset of the Cyber Essentials requirements, a large programme of change was needed to broaden our compliance with the security standards stipulated by CES across five areas: boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management.
We did have some challenges to overcome to meet all the standards, mainly because our ICT&D services are woven into many remote sites and distinct business areas, requirements and activities across Scotland. The work included the introduction of new policies and procedures, hardening configurations, refreshing hardware and purchasing software specifically to help manage security in our ICT&D services ecosystem.
Mobile ‘sandboxes’
While we did have a mobile device management (MDM) package, we decided to upgrade to a solution which would isolate all our business apps in a ‘sandbox’ on each mobile device. This enforced a defined standard regarding device compliance, configuration, control and reporting to deliver more robust assurance to the business.
To gain further intelligence and monitoring capabilities regarding our infrastructure, network and servers, we deployed vulnerability agents to monitor all our servers and a subset of desktops and laptops. These monitors determine if patches have been applied successfully and can detect security misconfigurations. The findings from this effort informed our security risk register and will trigger its vulnerability remediation processes.
In addition to this, we introduced a robust password management system comprising a series of encrypted vaults to facilitate the generation and storage of unique and cryptographically complex passwords for our administrator accounts.
Security training for staff
We also instituted security awareness training for all staff. This heuristically-guided training covers social engineering such as phishing emails and malicious websites, and details best-practice security hygiene. The training is delivered during staff inductions and internal events, and we will soon roll out annual online refresher training on the core security awareness concepts. Importantly, of all our security-related interventions, the training has had the most impact.
At the start of the training we discuss the ‘cyber security conundrum’ which poses three questions: who is to blame; what do we have to fear; and who is responsible?
We summarise that the attackers are to blame and that they should fear the legal ramifications of their actions. Staff are urged not to be afraid, as fear paralyses, and, finally, we agree that everyone in the organisation is responsible for security.
Staff are then trained to identify warning signs in emails (such as hyperlinks and attachments) which signify that they may be malicious. Encouragement is given to report any email, website or behaviour on their computer or mobile device which they are uncertain about, regardless of the degree of uncertainty. A reporting button was also rolled out to all email clients to make the reporting process just three easy clicks.
This exercise has acknowledged the ability and capacity of Link staff to be our strongest allies in helping us to defend the business from external threats. The security awareness training was developed and informed by academic research into how to effectively design and deliver security awareness training. The training package was also shared with the Scottish NHS via The School of Design and Informatics at Abertay University to help them to design a security awareness programme.
Our staff report multiple phishing emails every day; our ICT&D service then analyses and blocks malicious content from those emails. We also make a point of always thanking and letting the reporting member of staff know the conclusion of the analysis and any actions taken as a result of their report – very few of the reports turn out to be false positives.
GDPR compliance
Cyber Essentials is also a good way of showing compliance with GDPR; the Cyber Essentials website says, “The Information Commissioner’s Office (ICO), whose job it is to uphold the GDPR in the UK, recommends Cyber Essentials as a good starting point for the cyber security of the IT you rely on to hold and process personal data.”
Interestingly, we have also noticed that during procurement exercises, Cyber Essentials has started to become a common theme in the desired ICT&D security requirements of tenders.
Securing Cyber Essentials is only the beginning of our journey towards cyber resilience. Our next goal is to get ready for compliance with Cyber Essentials Plus, to build our compliance toward best-practice security management frameworks such as COBIT (Control Objectives for Information and Related Technologies), and to adopt a subset of the United States’ National Institute of Standards and Technology (NIST) guidance.
Gareth Renaud is an ICT&D services technical team officer at Link Group.