Raising the standard
In the current economic climate, computer networks are being relied upon more than ever by UK businesses. But how is this affecting our cyber security, and in turn, our profits?
Research conducted by PwC in April 2012 revealed the substantial cost of data breaches. Although this research showed a decline from the 2010 figures, there was still a significant price to pay when a breach occurred, with the worst incidents costing £15,000-£30,000 for small firms, and £110,000-£250,000 for large businesses. Add the fact that of those surveyed, 76 per cent of small firms and 93 per cent of large businesses had reported a security breach in the past year, and the statistics make for anxious reading for company stakeholders and owners.
To further the concern, a report by Verizon reveals that 96 per cent of data breaches in 2012 were not highly difficult to perpetrate, 81 per cent utilised some form of hacking, and 97 per cent could have been avoided with simple or intermediate controls. The fact that attacks are now mainly opportunistic negates any thinking that a business is too small for security controls.
With the unpredictable weather disrupting the service and availability of many companies across the UK, another major issue is business continuity. The PwC report highlighted a strong correlation between the effectiveness of contingency plans and the seriousness of breaches. When contingency plans worked, less than half the incidents were serious; when the plans failed, four-fifths were serious.
What can we do to protect ourselves?
One solution that is growing in popularity is the implementation of ISO 27001. The standard, formulated in 2005, specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of an organisation's overall business risks.
ISO 27001 is a process approach listing 133 controls that can be implemented under the 'Plan, Do, Check, Act' cycle, covering both information security and business continuity management. The adoption of this standard has risen dramatically over the past few years, particularly in Europe, where certification rose nearly 400 per cent between 2006 and 2010.
Despite the increase in uptake of the certification within larger businesses, the standard is due to be updated in the coming months. The update is expected to announce a reduction in the number of controls for the standard, which in turn may encourage adoption among small- to medium-sized enterprises (SMEs).
However, the certification may not be applicable for everyone. GCHQ, BIS and CPNI (Centre for the Protection of National Infrastructure) have outlined ten processes that, they say, will stop 80 per cent of cyber attacks:
· Home and mobile working policy
· User education and awareness
· Information risk management regime
· Managing user privileges
· Removable media controls
Most of the controls listed are simple to implement and, although they will not gain certification, they will deter the majority of modern attacks.
If a company wanted a certification but could not afford the overheads associated with ISO 27001, then a newly formed certification aimed at SMEs – the Information Assurance for SME (IASME) – might be the answer. The certification, backed by the Technology Strategy Board (TSB) and the University of Worcester, uses a maturity model to establish the controls currently in place in a company. These are then assessed and a score out of 100 is given, relating to a rating of bronze, silver or gold.
However, despite being tailored to SMEs, which account for 99.9 per cent of the UK's private sector, the uptake has been minimal. Generally SMEs pursue ISO 27001 certification as a result of their customers imposing the requirement on them.
Why look into ISO 27001?
Contained within the PwC research was the fact that large businesses are twice as likely as small firms to implement ISO 27001. Why is this? One reason could be economies of scale: the cost to a SME of implementing ISO 27001 might be greater than the value of the information it is protecting.
The main reason for implementing security controls is to prevent incidents from occurring. As previously mentioned, these incidents can bring about huge financial burdens to a business, with direct financial loss estimated at £2,500-£4,000 and £13,000-£22,000 for small and large businesses respectively. Fines can also account for a huge loss. The Data Protection Act 1998 requires every organisation or person who is processing personal information in an automated form to notify the Information Commissioner's Office, unless they are exempt. Failure to notify is a criminal offence and could lead to a fine of up to £5,000 in a Magistrates' Court, or unlimited fines in a Crown Court.
In addition to the financial implications, there are many other factors that need to be considered, including reputation – something that is very hard to build, but which can be destroyed in an instant through negative media coverage.
What will it give us?
The main appeal of gaining ISO 27001 is that the standard is globally recognised, giving potential clients the reassurance that you have a secure ISMS in place. BSI states the advantages of ISO 27001 implementation to be:
· Fewer security incidents
· Fewer business disruptions
· Less time spent responding to accidents and incidents, providing more time to spend on proactive measures
· Lower client audit requirements
· Less negative press, meaning less time and money spent on damage-limitation measures
· Greater understanding of the business information process
· Better able to reassure customers and internal parties
Another advantage is the hardening of the supply chain. Symantec's cyber security intelligence manager, Paul Wood, says: “It may be that your company is not the primary target, but an attacker may use your organisation as a stepping-stone to attack another company.
“You do not want your business to be the weakest link in the supply chain. Information is power, and the attackers know this, and successful attacks can result in significant financial advantage for the cyber criminals behind them. Access to intellectual property and strategic intelligence can give them huge advantages in a competitive market.”
It has also been reported that, as of June 2012, 36 per cent of all targeted attacks (58 per day) in the previous six months were directed at businesses with 250 or fewer employees – an 18 per cent increase on the preceding period. Thesme.co.uk states that companies taking online payments are even more at risk of attack. It reported that merchants found in breach of PCI can be fined thousands of pounds per card affected – a frightening thought considering that it takes just minutes to steal thousands of card details electronically; the ramifications for a small business could be crippling.
Despite the advantages of implementing an ISO 27001-compliant ISMS, there are certain drawbacks. The main concern is the time taken to implement. In a small survey conducted among ISO 27001 industry members, more than half predicted that it will take more than ten months to implement an ISMS and gain accreditation, even for an SME.
This is a long time for an internal project, especially if it is simply to tick a box. Therefore, it is generally good practice to have a business case for implementing the standard – ensuring that management provide the resources required for a successful implementation. This is contained within the ISO 27001 document under section five, which covers management responsibility for the process.
What's more, small businesses may not have the expertise to implement security features. Itjobswatch.co.uk reported that the average daily rate for an ISO 27001 contractor is £380, equating to £1,900 per week. For most SMEs, this will not be a viable solution, creating a catch-22 scenario: they want to achieve compliance, but can't afford to. By contrast, large organisations have more complex security requirements, so the cost is smaller relative to the tasks at hand.
BSI, ISO and ITSUS Consulting all appear to be making a concerted effort for the SME market. BSI and ISO have created specific publications for SMEs, such as 'ISO/IEC 27001 for Small Businesses – Practical advice'. And ITSUS Consulting is creating a suite of tools to enable SMEs to tie business processes to their information security.
There appears to be a demand for ISO 27001, and in particular business continuity planning, from SMEs, provided the price point is acceptable and there is a business justification in the first instance.
There are a plethora of companies offering an ISO 27001 service, with some offering certification within three months. This seems appealing, but be warned: without cultural change within a company, you might have implementation, but not necessarily the adoption of controls.
In order to mitigate the growing number of cyber attacks, companies need a mandatory set of security controls to protect their assets. Identifying a cost-effective mechanism to achieve a mandatory set of security controls will ensure that SMEs are less exposed to cyber crime, and in turn the UK business supply chain will be hardened.
This will reduce the cost of cyber crime nationally and boost the confidence of individuals looking to invest in UK businesses now and in the future.
About the authors:
Chris Roberts BSc [Hons] is a University of Glamorgan graduate, having obtained first-class honours in computer systems security. Chris is currently employed on a Knowledge Transfer Partnership (KTP) funded by the Welsh Government, operating between the University of Glamorgan's infosec department and ITSUS Consulting Ltd.
Dr Shahid Mian MEng was awarded his PhD in Telecommunications from Cardiff University in 2003. He is managing director of ITSUS Consulting Ltd, a niche defence and communications networking company based in Cardiff.
Konstantinos Xynos BSc, MSc is a lecturer and the computer security award leader at the University of Glamorgan. Part of the Information Security Research Group, he specialises in computer security, network security and computer forensics, conducting many projects and publications in these fields.