Are you doing enough to make sure you have robust cyber security controls in place?
An article in The Washington Post about the 2016 theft of top-secret hacking tools from the CIA caught my eye the other day. The Post had obtained a highly embarrassing internal CIA report on the theft and reported on its findings.
The CIA had sought to blame a single employee for the breach. The report, however, concluded that the theft resulted from a workplace culture in which the agency’s elite hackers “prioritized building cyber weapons at the expense of securing their own systems.”
To paraphrase, they were too busy being masters of the universe.
The report commented that “CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies.”
And further, “most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely.”
This should not have happened. The breach was the CIA’s own fault: the equivalent of going out and leaving the back door open, except that they did it every single day.
This is not just a problem for the CIA. Many of the breaches reported over the last two years have resulted from equally lax security.
According to the ICO’s latest data security incident trends figures, 67% of reported breaches were non-cyber incidents: errors, oversights, mistakes and negligence.
In the UK, there is a government-backed scheme to help put basic security controls in place. It’s called Cyber Essentials. You can either self-assess against the standard or go through the independent technical verification required for Cyber Essentials Plus. Central government requires it of suppliers bidding for contracts that involve handling sensitive or personal information.
My thanks to the National Cyber Security Centre, which publishes the five-part Cyber Essentials checklist below to help you get the basics right.
1. Use a firewall to secure your internet connection
- understand what a firewall is
- understand the difference between a personal and a boundary firewall
- locate the firewall which comes with your operating system and turn it on
- find out if your router has a boundary firewall function. Turn it on if it does
2. Choose the most secure settings for your devices and software
- know what ‘configuration’ means
- find the Settings of your device and try to turn off a function that you don’t need
- find the Settings of a piece of software you regularly use and try to turn off a function that you don’t need
- read the NCSC guidance on passwords
- make sure you’re still happy with your passwords
- read up about two-factor authentication
3. Control who has access to your data and services
- read up on accounts and permissions
- understand the concept of ‘least privilege’
- know who has administrative privileges on your machine
- know what counts as an administrative task
- set up a minimal user account on one of your devices
4. Protect yourself from viruses and other malware
- know what malware is and how it can get onto your devices
- identify three ways to protect against malware
- read up about anti-virus applications
- install an anti-virus application on one of your devices and run a full scan
- research secure places to buy apps, such as Google Play and Apple App Store
- understand what a ‘sandbox’ is
5. Keep your devices and software up to date
- know what ‘patching’ is
- verify that the operating systems on all of your devices are set to ‘Automatic Update’
- try to set a piece of software that you regularly use to ‘Automatic update’
- list all the software you have which is no longer supported
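Parts 1, 3 and 5 of the checklist can be checked mechanically on a Linux host rather than by clicking through Settings. The script below is an added example and is not part of the NCSC checklist or this article. It assumes a Debian or Ubuntu system where ufw is the host firewall and unattended-upgrades handles patching, so it reads /etc/ufw/ufw.conf and /etc/apt/apt.conf.d/20auto-upgrades; the file name audit.sh and the --audit flag are my own choices. Each function takes an optional file path so it can be pointed at a copied file instead of the live system.

```shell
#!/bin/sh
# Added example (not from the NCSC checklist or this article): a small
# Cyber Essentials "basics" audit for a Debian/Ubuntu host. Assumptions:
# ufw is the host firewall and unattended-upgrades handles patching, so the
# files below are where those settings live. Every function takes an
# optional file path so it can be run against a copied file for testing.

# Part 3 (least privilege): list members of the groups that grant
# administrator rights. sudo/admin are Debian/Ubuntu; wheel is RHEL/BSD.
admins_from_group() {
    awk -F: '$1 == "sudo" || $1 == "admin" || $1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "${1:-/etc/group}" | sort -u
}

# Part 3: every account with UID 0 is root, whatever it is called. More
# than one is a warning sign for shared administrator credentials.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Part 5 (patching): unattended-upgrades only runs when this APT setting
# is "1". A missing file means it was never configured, which also fails.
auto_updates_enabled() {
    f="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
    [ -r "$f" ] || return 1
    grep -qE '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$f"
}

# Part 1 (firewall): ufw records its state in ufw.conf as ENABLED=yes/no.
ufw_enabled() {
    f="${1:-/etc/ufw/ufw.conf}"
    [ -r "$f" ] || return 1
    grep -qE '^ENABLED=yes$' "$f"
}

# Run all four checks against the live host and report in checklist order.
audit_host() {
    if ufw_enabled; then echo "1. firewall: ufw enabled"
    else echo "1. firewall: ufw NOT enabled (or not installed)"; fi

    echo "3. administrator group members:"
    admins_from_group | sed 's/^/   /'
    n=$(uid0_accounts | wc -l | tr -d ' ')
    echo "3. UID 0 accounts: $n"
    [ "$n" -gt 1 ] && echo "   WARNING: more than one root-equivalent account"

    if auto_updates_enabled; then echo "5. patching: unattended-upgrades enabled"
    else echo "5. patching: automatic updates NOT configured"; fi
}

# Only touch the live system when asked, so the functions can also be
# sourced from another script without side effects.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --audit` on the host being checked. It deliberately stops short of the last item on the list: deciding which installed software is no longer supported needs the vendor's end-of-life dates, which are not on the machine, so that one stays a manual exercise.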
If you think this will happen just because you have written a policy, think again. No one wants to set up two-factor authentication, but it is essential. How many people use the same password for every account? How many use passwords that are simple to crack? How many share passwords? And so on.
This is a culture project as much as it is a technology project. It requires a shift in mind-set, with co-operation and support from every part of the organisation. Someone will need to own it and keep it up to date. That is a small price to pay relative to the eye-watering fines being handed out by data protection regulators, and the reputational damage of a breach.
Julia Porter, June 2020
DPN Associates provide consultancy advice and guidance on Cyber Security. We can help you implement the transformation programme to deliver Cyber Essentials. Contact us here.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.