Nick Denning, CEO of Diegesis, reflects on the obligations of government departments to ensure their own cyber security, and perhaps more importantly, that of their contractors
Time and again, lessons learnt from historic and recent cyberattacks on several high-profile organisations identify third parties as the point of attack. This raises the question of what levels of certification are required, how to monitor and audit third parties, and what to ask third-party suppliers and partners to provide, as evidence.
Government departments in the UK must adhere to a range of security standards and accreditations to protect sensitive information and implement cybersecurity. These include ISO 27001 for information security management and the Minimum Cyber Security Standard (MCSS). MCSS sets out 10 standards grouped under the headings Identify, Protect, Detect, Respond and Recover. Beyond these baseline requirements, however, there are many more actions organisations can take to protect themselves, particularly when procuring from suppliers.
Third-party entry points
Organisations are connected like never before, and supply chains can be large and complex, involving numerous suppliers performing various tasks. The recent high-profile cyberattacks on private sector companies have demonstrated that attackers can exploit vulnerabilities in supply chain security. Third parties are those that share systems and data with the main target, which means the “attack surface” extends far beyond a single department’s boundaries.
Here are questions to ask any organisation requesting access to log into internal systems and those that receive data electronically from your department or organisation:
- What certifications and skills are in place? Is the organisation Cyber Essentials and/or Cyber Essentials Plus certified? Is it able to handle data at the relevant Government Security Classification?
- How often are penetration tests carried out and when was the last one?
- What systems are in place to defend against cyberattacks?
Cyber Essentials
The importance of checking third parties' cybersecurity preparedness cannot be overstated. The government-endorsed Cyber Essentials (CE) scheme was designed to help protect UK organisations from the most common cyber threats and establish a sound cyber defence posture.
Cyber Essentials Plus (CE+) is the next level: it moves away from self-certification and engages an external assessor, who verifies through hands-on testing (for example vulnerability scans of internet-facing and internal systems) that the controls claimed in the self-assessment are actually in place. It should be understood alongside IASME Cyber Assurance and the ISO 27001 standard.
How do you check and monitor third-party responses?
It is not always easy to be sure who you are working with. A supplier may claim to hold certifications, but what are the best checks, and how do you distinguish good practice among suppliers that all hold CE+? Those suppliers and partners in the best position will have monitoring of all kinds in place to spot an attack while it is happening, so they can respond.
They will have systems in place to identify changes in their own and the department's risk profile. The best third parties will have and be practising incident management, and will keep backups (incremental or otherwise) that are isolated from the systems they protect and are regularly tested for restoration, so that they can recover from a ransomware attack. Finally, do not forget to verify any claimed certification against the public register of Cyber Essentials certificates.
How to be sure who you are dealing with?
By asking the following questions of any suppliers or third parties of any description, you will help reassure yourself that they will protect your systems and data to at least a minimum acceptable level.
- Are regular cybersecurity reports available? It is reasonable to expect a definition of the information security policy, along with evidence that the supplier has met its own obligations: a confirmation that the basics are in place.
- Is there a risk-aware approach, that is, does the supplier monitor its environment as the risk changes?
- Can the supplier demonstrate that it tracks near misses and uses them to enhance people's training and awareness?
- If an incident occurs, what plans are in place to recover from it?
Keeping safe
Government departments have a legal responsibility to manage their own information securely and do not have Crown immunity against data breaches. However, some exemptions to data protection laws exist under the UK GDPR and the Data Protection Act 2018, notably for national security, crime, and taxation.
To maintain a safe cybersecurity profile, the status of devices can be managed remotely so that up-to-date patching is demonstrated rather than assumed. It is also important to install configuration-control software to ensure that the correct products are installed and that no unexpected software is present.
Vulnerability scanning
All systems contain vulnerabilities, and bad actors are skilled at exploiting them. This makes vulnerability management a critical ongoing exercise, and tools are available to assist with the process. All products should be checked daily against published vulnerability databases, such as the CVE list and the US National Vulnerability Database (NVD).
The NCSC's Cyber Essentials Readiness Tool is a good starting point when evaluating an organisation's vulnerabilities. Assessments must cover the whole of the IT infrastructure used to perform the business of the organisation, including every device and piece of software that meets any of the following conditions, i.e. it:
- Can accept incoming network connections from untrusted Internet-connected hosts.
- Can establish user-initiated outbound connections to devices via the Internet.
- Controls the flow of data between any of the above devices and the Internet.
A register of physical IT assets should be created, which you may already have, but also add intangible assets like databases and software, plus employee equipment used in a home-working or BYOD context, and IoT devices. This complete asset register will help assess any vulnerabilities.
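As an added illustration, not part of the original article, the following Python script shows how the configuration-control and patch-status checks described above can be automated over a software inventory taken from a device in the asset register: it compares what is installed against a baseline for that device class (flagging unexpected and missing software) and against a list of advisory records (flagging versions older than the fix). The inventory, baseline and advisory entries are constructed for the example and are not real vulnerability data; in practice the advisory list would be refreshed daily from a published feed such as the NVD.

```python
import re

# Constructed sample inventory in the shape of
# `dpkg-query -W -f='${Package} ${Version}\n'` output. Hypothetical host.
SAMPLE_INVENTORY = """\
openssh-server 1:9.2p1-2+deb12u2
nginx 1.22.1-9
curl 7.88.1-10
anydesk 6.3.0
"""

# Constructed baseline for this device class: the packages expected on it.
BASELINE = {"openssh-server", "nginx", "curl"}

# Constructed advisory records (package, first fixed version, reference).
# Illustrative only, not real vulnerability data; a real list would be
# rebuilt daily from a published feed such as the NVD.
ADVISORIES = [
    {"package": "curl", "fixed_in": "8.4.0", "ref": "ADV-EXAMPLE-1"},
    {"package": "nginx", "fixed_in": "1.20.0", "ref": "ADV-EXAMPLE-2"},
]


def parse_inventory(text):
    """Parse 'name version' lines into a dict; blank lines are ignored."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(maxsplit=1)
        inventory[name] = version.strip()
    return inventory


def version_key(version):
    """Comparable key for a Debian-style version string.

    Handles an optional 'epoch:' prefix and compares the remaining numeric
    components in order ('1:9.2p1-2' -> (1, 9, 2, 1, 2)). Letters are
    ignored, which is adequate for an 'older than the fix?' check but is
    not a full implementation of dpkg's ordering rules.
    """
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    return (epoch,) + tuple(int(n) for n in re.findall(r"\d+", version))


def unexpected_software(inventory, baseline):
    """Configuration control: installed packages absent from the baseline."""
    return sorted(set(inventory) - set(baseline))


def missing_software(inventory, baseline):
    """Expected packages that are not installed on the device."""
    return sorted(set(baseline) - set(inventory))


def vulnerable_packages(inventory, advisories):
    """Installed packages whose version predates an advisory's fixed version."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue
        if version_key(installed) < version_key(adv["fixed_in"]):
            findings.append((adv["package"], installed, adv["fixed_in"], adv["ref"]))
    return findings


def check_device(inventory_text, baseline=BASELINE, advisories=ADVISORIES):
    """Run both checks and return a report dict suitable for logging or alerting."""
    inventory = parse_inventory(inventory_text)
    return {
        "unexpected": unexpected_software(inventory, baseline),
        "missing": missing_software(inventory, baseline),
        "vulnerable": vulnerable_packages(inventory, advisories),
    }


if __name__ == "__main__":
    for key, items in check_device(SAMPLE_INVENTORY).items():
        print(f"{key}: {items}")
```

Run against the constructed inventory, the script reports `anydesk` as unexpected software and `curl` as older than the advisory's fixed version. One caveat a practitioner should keep in mind: distributions often backport security fixes without changing the upstream version number, so a bare version comparison over-reports; it is a starting point for the daily check, to be confirmed by the distribution's own security tracker or an authenticated scan of the kind a CE+ assessor performs.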
Training and awareness
People continue to be the weakest link in cybersecurity defences. The NCSC warned that criminals launching cyberattacks at British retailers were impersonating IT help desks to break into organisations. Marks & Spencer boss Stuart Machin confirmed that the hackers gained access through "social engineering," tricking an employee into divulging passwords or login credentials. It was also revealed that this was done through a third-party organisation that had access to M&S systems.
Maintaining a high level of regular training and awareness is essential to help people stop and think.
In summary
Ensure your organisation implements strong business processes that are consistent with your department’s obligations, which may include Cyber Essentials, but could also be ISO 27001 or higher.
By demonstrating your commitment, you can reasonably demand third parties who access your systems to similarly invest in Cyber Essentials or higher, appropriate to the risk.
Be certain that you know each partner, i.e., who you are dealing with and their level of cybersecurity.
Confirm that all third parties understand that security is not a one-off exercise. Where the risk warrants it, demand regular evidence of their compliance with their own information security policy throughout the period of certification.
Finally, keep your “human firewall” safe and up to date.

This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International.