Embracing cyber risk is good governance
At CyberUK 2023, the UK’s flagship cyber security event run by the UK National Cyber Security Centre (NCSC), Lindy Cameron CB OBE, CEO of the NCSC, and Jen Easterly, Director of CISA, the USA Cyber Defense Agency, called out ‘the responsibilities of boards and CEOs to embrace cyber risk as a matter of good governance’.1
The UK government’s Cyber Security Breaches Survey 20222 found that in the preceding 12 months, 39% of UK businesses had found a cyber-attack, but only 54% of those had acted to identify cyber security risks despite four out of five boards categorising it as a ‘very high’ or ‘fairly high’ priority.
Every device must be protected by a correctly configured firewall. All firewalls must be maintained and strengthened by regular and routine changes, updates, active approvals and documentation.
Active management of all devices to ensure that proper configuration provides only the services required hence reduced vulnerabilities due to unattended, unmaintained and weak default configurations. High levels of technical controls to manage access credentials, i.e., make it harder for criminals to gain access.
User access controls
Clear processes to create and approve user accounts, with authentication of users and disablement/removal of users paramount, so that access to data is managed and authorised. Access to privileged accounts is subject to higher controls, scrutiny and separation. Password rulings means the dog’s birthday is out and longer, non-personal passwords with multi-factor authentication are in.
Avoidance of malware through detection and disablement before it causes harm. Using allowed listings to limit use to known and trusted software. Testing/sandboxing untrusted software in a secured, segregated environment.
Security update management
All software updates are implemented so that latest fixes and patches are employed within 14 days of release, therefore reducing vulnerabilities of known software flaws. All software used is licensed and supported; any that becomes unsupported is removed from use. This ensures that it continues to benefit from continuous security improvements developed by the provider.
Taking the next steps in future-proofing our cyber security
Cyber security is a journey, never a destination. With this in mind, we are about to embark on the next steps.
As well as continuing to maintain our Cyber Essentials Certification, we are now on the road to the ISO27001 accreditation. This is a significant undertaking, but one that our principles and priorities direct us to take.
Our immense gratitude and admiration go to Cheetah Transformation’s Tim Saunders, Senior Solution Architect, and Gary Thornton, Operations Director, for the work they have put into this achievement.
If you have any questions about Cheetah Transformation’s Cyber Essentials or ISO27001 journey, please contact us.