Last month’s Shellshock bug compromised servers and small business across the globe. We’ve already highlighted the government’s Cyber Essentials programme as part of the support available to small businesses. Here, Mike Howie from IT Consultancy CS Risk Management outlines what Cyber Essentials is and what protection it offers small businesses.

Whilst many companies, and in particular SMEs, have historically not recognised the requirement for investment in maintaining robust IT security measures, the following statistics make worrying reading:

  • Earlier this year, the PWC Information Security Breaches Survey 2014 highlighted the fact that the cost of a breach to an organisation has almost doubled since the previous year;
  • Average cost to a large organisation for the worst level of security breach £600k – £1.15m (up from £450 – £850k a year ago);
  • Average cost to a small business for its worst security breach £65k – £115k (up from £35 – £65k a year ago);
  • During the last year significant global brands have been impacted by Information security attacks. These include eBay, Target, Evernote and WordPress.
  • According to the RSA monthly fraud reports the UK is the fourth most attacked country by volume after the United States, China and the Netherlands.

In response to this growing threat, the UK Government, in consultation with industry, launched the Cyber Essentials IT security standard in June 2014. Cyber Essentials when fully implemented will provide organisations with basic protection from the most prevalent forms of threats coming from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online. One of the questions recently asked of us as an Information security consultancy is: “Would Cyber Essentials have protected our organisation from the Shellshock exploit?” Whilst the answer is “No” because it was a brand new technical vulnerability, the answer to the follow-up question “Would it have made it easier for us to address the impact from the Shellshock exploit?” is ”Yes”. The five control areas of Cyber Essentials would have provided the following protection:

  1. Boundary Firewalls and Internet Gateways controls would have ensured that that a majority of your vulnerable systems were protected behind securely managed firewalls, thereby denying internet-based hackers easy access to these systems.
  2. Secure Configuration controls would have ensured that internet-facing systems are configured to provide only the services required for fulfilling their role, reducing the number of internet-facing systems that may be susceptible to the Shellshock vulnerability.
  3. User Access Controls would have minimised the opportunity for hackers to gain access to your network using an insecure privileged, inactive or default accounts to exploit the Shellshock vulnerability on your internal IT systems.
  4. Malware Protection would have reduced an attacker’s chances of deploying Shellshock-exploiting malware onto your company network through e-mail or web phishing.
  5. Patch management would have ensured that you applied the correct software patches to any vulnerable systems in the minimum amount of time, reducing a Shellshock attacker’s window of opportunity even further.

Exploits like Shellshock are rare, however the rate of cyber-attacks are rapidly increasing. Cyber Essentials provides a set of controls to mitigate the risk from common internet based threats. Whilst Cyber Essentials will not provide bullet-proof protection, it certainly reduces your company’s exposure to these threats and gives you the capability to respond to attacks quickly and efficiently.

For more information on Mike’s work as an Information Security Consultant, visit www.csriskmanagement.co.uk.

Read Hiscox’s Matt Webb on the dangers posed to small businesses by a hacker attack. For more information on Hiscox’s cyber and data insurance click here.

Guest bloggers may post on this site. The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Hiscox or its employees. The accuracy, completeness and validity of any statements made within these guest blogs are not guaranteed and we accept no liability for any errors, omissions or representations or any liability regarding infringement of intellectual property rights. Our social media house rules which also include details on how to contact us about any concerns you have regarding our social media channels, can be found here.