On October 23rd the National Cyber Security Centre (NCSC) published their Annual Review for the period 1 September 2018 to 31 August 2019. It’s a good read, if only to understand the breadth of the threats facing organisations in the UK. The Cyber Essentials scheme got a few mentions, with some 14,234 Cyber Essentials Certificates being issued in the last year.
Consult MB Ltd is a licensed certification body for the Cyber Essentials and Cyber Essentials Plus schemes. We support clients in Somerset, Bristol, and the surrounding areas in their efforts to establish and verify their cyber-security baseline. Please contact us if you wish to learn more about Cyber Essentials and how your organisation could achieve it.
In June the NCSC announced that they were going to create a
new partnership model with just one Accreditation Body, and minimum criteria
for the skills, knowledge and experience of Certification Bodies and their
assessors.
We’re pleased to announce that from 1-April-2020 the IASME Consortium will be the sole Accreditation Body. Consult MB Ltd based in North Somerset is already licensed by the IASME Consortium to conduct Cyber Essentials and Cyber Essentials Plus audits, and we look forward to continuing to provide that service to small-medium sized organisations who seek to improve their cyber security in a cost effective manner.
Mike Brett of Consult MB Ltd was asked to write an article for the Somerset Chamber of Commerce’s magazine, Somerset Voice. The article is reproduced below. Phishing is a relatively old topic but it remains very relevant, and should feature at, or near, the top of any list of topics for staff awareness training.
The Article
I sometimes come
across customers who have a security policy for absolutely everything. They
spend significant sums of money on advanced technical controls and are
supported by dedicated IT professionals. Yet, somehow, these organisations
still get hacked, and invariably it starts with an indiscriminate, untargeted
phishing attack.
Phishing used to be
defined as an attempt to trick someone into giving information away over the
Internet or by email. That still holds true, but these days phishing emails
frequently contain attachments or website links that are intended to lure the
recipient into inadvertently installing malware onto their computer. Typically,
that initial malware is just a foot in the door, and more advanced malware will
follow.
The lure of phishing
emails deliberately exploits both the best and worst features of human nature.
People can be trusting, willing to help others and inquisitive. They can also
be greedy, lazy, intimidated or coerced into making rash decisions. Phishing
may exploit any of those characteristics to achieve the desired aim, to get your
employee to open the attachment or click on the link.
Indiscriminate phishing
may, for example, send an email to 100,000 random recipients demanding
immediate payment of the invoice attached. If only 1 in 100,000 recipients is
pressurised into opening the attachment, the phisher may have succeeded. If
that recipient works in your company, let’s hope your technical controls are
good enough to counter what happens next.
Often the greatest
illegal gains are achieved via targeted phishing, known as ‘spear-phishing’.
This is when a mail is cleverly crafted to bamboozle a specific individual. If
that person is very senior in the organisation, this is known as ‘whale-phishing’.
You can buy software
to analyse incoming email, but it may not provide perfect phishing detection. Instead,
I suggest the focus should be on the potential victims, i.e. your staff. As
such, I recommend that you conduct frequent and interesting staff awareness
training. In April 2019 the National Cyber Security Centre introduced ‘Exercise
in a Box’ a free online awareness training tool that includes a phishing attack
exercise. Please check it out…but not if it arrives as a link in an email from
a stranger.
Mike Brett CISSP,
works as a Cyber Security Consultant for Consult MB Ltd.
Consult MB Ltd is pleased to announce that we have secured a
new contract to provide enterprise architecture services to our oldest customer.
Since our company formation in 2003 we have enjoyed a sixteen year relationship
with this government department. Repeat custom gone mad, we love it!
Consult MB Ltd, in association with the Somerset Chamber of
Commerce, held a half day ‘Cyber Security Workshop’ at the Somerset Chamber
Office in Taunton. The workshop provided an opportunity for small to medium
size businesses to understand common cyber security threats. It provided
insights into the current threats which are targeting businesses and examined
cost effective and achievable methods to counter those threats. No previous
cyber security knowledge was assumed. As ever, the workshop delegates were
delightful to meet, and represented some local businesses with interesting IT solutions
and challenges.
A good discussion around WiFi security, Man-in-the-Middle attacks, and VPNs followed a refreshment break look at a clever cyber security video from the Security Awareness Company.
If you’re interested in cyber security awareness training, please contact Consult MB Ltd and we can discuss a bespoke programme that will meet your specific needs.
The Department for Digital, Culture, Media and Sport’s Cyber Security Breaches Survey 2019 is an interesting read…not only if you’re into Cyber Security 🙂
A key message is that fewer companies have identified breaches or attacks than before, perhaps because the introduction of GDPR has had a positive impact on their cyber security posture. The report does say that where organisations have lost data or assets through security breaches, the resulting costs have consistently risen since 2017. The survey continues to disappoint in the sense that most
organisations, particularly smaller ones, are not aware of Government
initiatives such as Cyber Aware, 10 Steps to Cyber Security, and Cyber
Essentials.
Help is at hand, Consult MB Ltd in Weston-super-Mare, North Somerset conducts much of its cyber security work based on ’10 Steps’ and Cyber Essentials. Check out our services options for more details.
UK charities play a make a major contribution in supporting their chosen groups throughout the UK. For many people, the support from charities is literally a lifeline. Their work, however, also necessitates that they hold personal, commercial and financial information which has a clear value to cyber-criminals. Coupled with a reliance on IT, this sadly means charities are as vulnerable to cyber-attacks as any other business
Addressing resilience within charitable organisations can be
a challenge. Many do not perceive themselves as open to the cyber-threat; a
threat which, in reality, is unbiased as to an organisation’s size or sector.
Whilst targeted attacks are still commonplace, so too are attacks which target
a vulnerability rather than a specific person or organisation. Be it targeted
or not, the consequences of a cyber-breach can be devastating.
The IASME Consortium, a leading Accreditation Body for the
government backed Cyber Essentials certification scheme, is launching a
week-long campaign aimed at encouraging registered charities to improve their
resilience to on-line threats. Together with participating certification
bodies, IASME is offering discounted certifications on schemes which
demonstrate charities have recognised best practice protections in place.
IASME’s support for the third sector will take place between 29 April and 3 May
2019.
The IASME Consortium package includes the widely recognised
Cyber Essentials scheme. This scheme assesses against 5 core technical controls
which, had they been in place, would have prevented the majority of successful
attacks in recent years. The 5 technical controls are anti-malware, access
control, patching, secure configuration and firewalls.
IASME will also be offering its own award-winning governance
standard as part of the promotion. IASME Governance, which includes a Cyber
Essentials assessment and a GDPR check, is an information security management
standard which is more practical for SMEs than the traditional ISO27001. Taken
simultaneously with Cyber Essentials, IASME governance covers additional
protections such as physical security, data back-ups and staff awareness.
Dr Emma Philpott, Chief Executive of The IASME Consortium
stated, “Charities work tirelessly to secure donations for fantastic causes.
Having the right safeguards against unscrupulous cyber activity can help
protect the donations and also any sensitive information that a charity might
hold.”
The IASME Consortium licenses a network of certification
bodies including Consult MB Ltd, based in North Somerset. Consult MB Ltd owner,
Mike Brett , stated, “We had no hesitation in participating in this campaign.
Charities do so much to help society and we want to help ensure that every
available penny goes to where it can make a real difference.”
Interested charities can find further information and apply via Consult MB Ltd.
Attended an interesting seminar, arranged by Lloyds Bank hosted at Weston College, on Fraud and Cyber threats. Lots of useful tips and advice for small businesses. Also, lots of alarming statistics around fraud and cyber-crime.
Lloyds say a financial fraud is committed once every 17s (yes seconds!).
The ‘Meet the Fraudstars’ video by Get Safe Online and Lloyds looks at impersonation fraud.
Pleased to have joined the Weston-Super-Mare Chamber of Commerce. Enjoyed the first networking event, which included a fun presentation by Sophie Richards from The Laughter Show.
Consult MB Ltd is pleased to announce that we’ve joined the Somerset Chamber of Commerce.
Looking forward to the Chamber’s events and networking with other members!
