CyberSmart is the easiest way to protect your business, or those of your clients.
Cyber Essentials is CyberSmart’s most common version. Cyber Essentials covers everything your business should do to protect itself from cyberattacks.
The Cyber Essentials scheme was developed by the UK Government. The scheme provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common Internet-based threats. The Government believes that implementing these measures can significantly reduce an organisation’s vulnerability. Many companies, however, do not implement these controls, and in the past, this has led to serious security breaches.
What is CyberSmart
CyberSmart is the UK’s leading provider of Cyber Essentials certification. Simply being certified can reduce your cyber risk by up to 98.5%. And, it’s a great way to demonstrate to new customers and partners that you take cybersecurity seriously – helping you grow as well as stay safe.
CyberSmart is making cybersecurity simple and accessible to everyone. CyberSmart and Orbex Solutions are working to give every business, no matter how small, the tools to protect themselves easily and effectively.
So the question is: "Is CyberSmart really that much effective?"
If you are maybe looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
- Boundary firewalls and internet gateways
“Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role” – Cyber Essentials Scheme Requirements: Control 2.
One of the aspects that this control highlight is the need to change any default passwords. Earlier this year, one of NASA’s drones was allegedly hacked by Anonsec (a hactivist group). “The hack was executed through brute-forcing an administrator’s SSH password left with a default password, which led to root access to three network-attacked-storage devices.”
The hackers were able to obtain data on over 2,400 employees as well as flight logs and aircraft videos.
For more information, see here.
- Secure configuration
“Computers and network devices should be configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role” – Cyber Essentials Scheme Requirements: Control 2.
One of the aspects that this control highlight is the need to change any default passwords. Earlier this year, one of NASA’s drones was allegedly hacked by Anonsec (a hactivist group). “The hack was executed through brute-forcing an administrator’s SSH password left with a default password, which led to root access to three network-attacked-storage devices.”
The hackers were able to obtain data on over 2,400 employees as well as flight logs and aircraft videos.
For more information, see here.
- User access control
“User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks” – Cyber Essentials Scheme Requirements: Control 3.
In 2015, an employee accessed 10% of Morgan Stanley’s customer files in an investment database. The employee also exposed hundreds of these details on Pastebin. “Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage”, said Eric Chiu, president and co-founder of HyTrust.
The employee was found to be a mid-level wealth advisor who somehow had access to thousands of records. In companies such as Morgan Stanley, mid-level financial advisors are usually only allowed access to the entire aggregation of a dataset. Only a few select high-level managers should be able to access the actual records.
This incident is a good example of the consequences of giving special access privileges to individuals who do not need them.
For more information, see here.
- Malware protection
“Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software” – Cyber Essentials Scheme Requirements: Control 4.
Malware refers to a variety of forms of intrusive software including viruses and trojan horses and has been used in cyber-attacks for the last 30 years. One cyber-attack on a small N.Y. marketing firm in 2010 highlights the importance of being protected against malware. Little & King LLC faced bankruptcy from a loss of $164,000 online-banking loss.
Just before the fraud occurred, the owner, Karen McCarthy, “found that her Windows PC would no longer boot and that the computer complained it could not find vital operating system files.” It was confirmed that her computer had been infected with the ZeuS Trojan that steals passwords and enables cyber-attacks to control computers remotely.
For more information, see here.
- Patch management
“Software running on computers and network devices should be kept up-to-date and have the latest security patches installed” – Cyber Essentials Scheme Requirements: Control 5.
In 2015, Adobe Systems patched a vulnerability in Flash Player. Within 4 days of the patch, cyber-attackers began exploiting the vulnerability on systems that had not yet deployed the patch. “Flash is commonly viewed as one of the most insecure pieces of software by security professionals and has been targeted by numerous state and criminal hacking groups”.
The exploit was discovered by China-based hackers known as APT3. They targeted victims using generic phishing emails and when someone clicked the link, they were served malicious SWF and FLV files exploiting the Adobe Flash vulnerability. APT3 attacked organisations in the following industries:
• Aerospace and defence
• Construction and engineering
• High tech
• Telecommunications
• TransportationFor more information, see here and here.