GCHQ Advises Businesses to Invest in Information Security Training
CESG, the information security arm of GCHQ, has re-issued its guidance on averting cyber security risks. One of the 10 key steps is Education and Awareness.
“All users should receive regular training on the cyber risks they face as employees and individuals. Security related roles (such as system administrators, incident management team members and forensic investigators) will require specialist training.”
For those taking on responsibility for Information Security management, a good option will be the following five-day course from the BCS:
>> Certified Information Security Management Principles
The government has also announced a scheme which can provide 50% funding for cyber security courses.
The 2014 Information Security Breaches Survey found that 81% of large companies had reported some form of security breach, costing each organisation on average between £600,000 and £1.5m. These findings are supported by almost daily stories of large scale cyber incidents, such as the Gameover ZeuS botnet.
Robert Hannigan, the new GCHQ director, says
“In GCHQ we continue to see real threats to the UK on a daily basis, and I’m afraid the scale and rate of these attacks shows little sign of abating.”
CESG operates a compliance scheme based around its set of top ten guidelines. Companies adhering to the guidelines are able to display the Cyber Essentials badge.
Cyber Essentials is for all organisations, of all sizes, and in all sectors. As well as private sector companies it is applicable to universities, charities, and public sector organisations. A recent survey of FTSE 350 companies shows that 58% of companies have assessed themselves against the 10 Steps guidance since it was first launched. This is up from 40% in 2013.
Cyber Essentials is mandatory for central government contracts advertised after 1 October 2014 which involve handling personal information and providing certain ICT products and services.
The Top Ten guidelines are regularly reviewed and reflect the types of cyber-attack experienced by real organisations. A number of case studies are available.
User Education and Awareness
All users should receive regular training on the cyber risks they face as employees and individuals. Security related roles (such as system administrators, incident management team members and forensic investigators) will require specialist training. Security policies should be formally acknowledged in employment terms and conditions.
Information Risk Management Regime
Assess the risks to your organisation’s information assets with the same vigour as you would for legal, regulatory, financial or operational risk. To achieve this, embed an Information Risk Management Regime across your organisation, supported by the Board, senior managers and an empowered information assurance (IA) structure. Consider communicating your risk management policy across your organisation to ensure that employees, contractors and suppliers are aware of your organisation’s risk management boundaries.
Introduce corporate policies and processes to develop secure baseline builds, and manage the configuration and use of your ICT systems. Remove or disable unnecessary functionality from ICT systems, and keep them patched against known vulnerabilities. Failing to do this will expose your business to threats and vulnerabilities, and increase risk to the confidentiality, integrity and availability of systems and information.
Follow recognised network design principles when configuring perimeter and internal network segments, and ensure all network devices are configured to the secure baseline build. Filter all traffic at the network perimeter so that only traffic required to support your business is allowed, and monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack.
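The perimeter filtering principle above (allow only the traffic the business needs, and monitor the rest) can be checked mechanically against a firewall ruleset. The following is an added example, not part of the CESG guidance: it audits two constructed iptables-save style rulesets, a weak one with default-ACCEPT policies and administrative ports open to any source, and a hardened one that defaults to DROP, restricts SSH to an internal range and logs what it drops. The list of "administrative" ports and the expectation that every populated chain carries a LOG rule are assumptions made for the example.

```python
"""Audit an iptables-save style ruleset against a default-deny perimeter baseline.

Added example (not CESG's own tooling). Both rulesets below are constructed;
ADMIN_PORTS and the LOG-rule expectation are assumptions of this example.
"""
import shlex
from typing import Dict, List

# Constructed weak ruleset: everything allowed by default, admin ports open to the world.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
COMMIT
"""

# Constructed hardened ruleset: default DROP, explicit allows, SSH limited to an internal range, drops logged.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "PERIMETER-DROP: "
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "PERIMETER-DROP-OUT: "
COMMIT
"""

# Assumption: these services are administrative and should never be reachable from any source.
ADMIN_PORTS = {"22", "23", "3389", "5900"}
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def _opt(tokens: List[str], flag: str):
    """Return the value following `flag` in an iptables rule, or None if absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def audit_ruleset(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the baseline is met."""
    findings: List[str] = []
    policies: Dict[str, str] = {}
    rules: Dict[str, List[List[str]]] = {c: [] for c in BUILTIN_CHAINS}

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                 # "-A CHAIN <matches> -j TARGET"
            tokens = shlex.split(line)               # shlex keeps quoted --log-prefix intact
            rules.setdefault(tokens[1], []).append(tokens)

    # Check 1: built-in chains must default to DROP, with traffic allowed explicitly.
    for chain in BUILTIN_CHAINS:
        if policies.get(chain, "ACCEPT") == "ACCEPT":
            findings.append(f"{chain}: default policy is ACCEPT (should be DROP, then allow explicitly)")

    for chain, chain_rules in rules.items():
        # Check 2: administrative ports must not be accepted without a source or interface restriction.
        for tokens in chain_rules:
            if (_opt(tokens, "-j") == "ACCEPT"
                    and _opt(tokens, "--dport") in ADMIN_PORTS
                    and _opt(tokens, "-s") is None
                    and _opt(tokens, "-i") is None):
                findings.append(f"{chain}: admin port {_opt(tokens, '--dport')} accepted from any source")
        # Check 3: a populated chain should log what it drops so monitoring can see it.
        if chain_rules and not any(_opt(t, "-j") == "LOG" for t in chain_rules):
            findings.append(f"{chain}: no LOG rule, dropped traffic will not be visible to monitoring")

    return findings


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name} ==")
        for finding in audit_ruleset(ruleset) or ["baseline met"]:
            print("  " + finding)
```

Running the script reports six findings for the weak ruleset and none for the hardened one. The same three checks apply to any ruleset exported with `iptables-save`, which makes the audit easy to run periodically as part of confirming that network devices still match the secure baseline build.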
Managing User Privileges
Only provide IT users the access and privileges they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high risk or day-to-day user activities. Monitor user activity, particularly all access to sensitive information and privileged account actions (such as creating new user accounts, changes to user passwords and deletion of accounts and audit logs).
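The guidance singles out four privileged actions worth watching: account creation, password changes, account deletion and deletion of audit logs. As an added example (not part of the CESG guidance), the script below picks exactly those events out of Linux auth.log style lines. The log lines are constructed, and the regular expressions assume the usual syslog wording of useradd, passwd, userdel and sudo on a Debian-like host; on other systems the patterns would need adjusting.

```python
"""Flag privileged-account actions in Linux auth.log style lines.

Added example (not CESG's own tooling). SAMPLE_LOG is constructed; the
patterns assume typical syslog output from useradd/passwd/userdel/sudo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not real data): one normal login, one routine sudo,
# and the four kinds of privileged action the guidance says to monitor.
SAMPLE_LOG = """\
Jun 12 09:14:02 fileserver useradd[4021]: new user: name=backup_svc, UID=1012, GID=1012, home=/home/backup_svc, shell=/bin/bash
Jun 12 09:14:30 fileserver sshd[4055]: Accepted publickey for alice from 10.0.4.17 port 51022 ssh2
Jun 12 09:15:11 fileserver passwd[4060]: pam_unix(passwd:chauthtok): password changed for alice
Jun 12 09:16:40 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -f /var/log/audit/audit.log
Jun 12 09:17:02 fileserver userdel[4102]: delete user 'tempcontractor'
Jun 12 09:18:55 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
"""


@dataclass(frozen=True)
class Alert:
    category: str   # which privileged action was seen
    actor: str      # who performed it, where the log says
    detail: str     # the account or command affected
    line: str       # the raw log line, kept for the analyst

SYSLOG_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
USERADD = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
PASSWD = re.compile(r"passwd\[\d+\]: .*password changed for (?P<name>\S+)")
USERDEL = re.compile(r"userdel\[\d+\]: delete user '(?P<name>[^']+)'")
SUDO = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumptions for the audit-log check: paths that hold audit/auth records, and
# tools whose use against them should always be reviewed.
LOG_PATHS = ("/var/log/audit", "/var/log/auth.log", "/var/log/secure", "/var/log/wtmp")
DESTRUCTIVE = ("rm", "shred", "truncate", "unlink")


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line is one of the monitored privileged actions, else None."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    rest = m.group("rest")

    hit = USERADD.search(rest)
    if hit:
        return Alert("account_created", "unknown", hit["name"], line)
    hit = PASSWD.search(rest)
    if hit:
        return Alert("password_changed", "unknown", hit["name"], line)
    hit = USERDEL.search(rest)
    if hit:
        return Alert("account_deleted", "unknown", hit["name"], line)
    hit = SUDO.search(rest)
    if hit:
        cmd = hit["cmd"]
        argv = cmd.split()
        tool = argv[0].rsplit("/", 1)[-1] if argv else ""   # "/bin/rm" -> "rm"
        if tool in DESTRUCTIVE and any(p in cmd for p in LOG_PATHS):
            return Alert("audit_log_deleted", hit["actor"], cmd, line)
    return None


def scan(text: str) -> List[Alert]:
    """Run classify() over every line and keep the hits, in log order."""
    return [a for a in (classify(l) for l in text.splitlines()) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.category}] actor={alert.actor} detail={alert.detail}")
```

On the constructed sample the scan yields four alerts and leaves the ordinary login and the `apt-get` invocation alone. In practice the same classifier would sit behind a log shipper or SIEM rule, with the alert for `audit_log_deleted` given the highest priority, since it is the one event that also removes the evidence of the others.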
Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur. All incident management plans (including disaster recovery and business continuity) should be regularly tested. Your incident response team may need specialist training across a range of technical and non-technical areas. Report online crimes to the relevant law enforcement agency to help the UK build a clear view of the national threat and deliver an appropriate response.
Produce policies that directly address the business processes (such as email, web browsing, removable media and personally owned devices) that are vulnerable to malware. Scan for malware across your organisation and protect all host and client machines with antivirus solutions that will actively scan for malware. All information supplied to or from your organisation should be scanned for malicious content.
Establish a monitoring strategy and develop supporting policies, taking into account previous security incidents and attacks, and your organisation’s incident management policies. Continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate attacks and the compromise of data. Monitor all ICT systems using Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Systems (NIPS/HIPS).
Removable Media Controls
Produce removable media policies that control the use of removable media for the import and export of information. Where the use of removable media is unavoidable, limit the types of media that can be used together with the users, systems, and types of information that can be transferred.
Home and Mobile Working
Assess the risks to all types of mobile working (including remote working where the device connects to the corporate network infrastructure) and develop appropriate security policies. Train mobile users on the secure use of their mobile devices for locations they will be working from. Protect data-at-rest using encryption (if the device supports it) and protect data-in-transit using an appropriately configured Virtual Private Network (VPN).