6 months post-GDPR. All technology and wealth are seized by the forces of the ICO to fill the dungeons of her palaces. Down here in the sewers, we fugitives of the cyber gulags dwell by candlelight; making our plans, sharpening our spears, waiting... waiting...
OK, that didn't happen. But we ARE now living in the post-GDPR "reportable breach" era. What are companies doing to survive? Read on to find out.
At CNS www.capitalnetworks.co.uk we have been able to see the approaches adopted by companies post-GDPR from two key perspectives: first, as assessors for a significant percentage of the world’s Cyber Essentials, Cyber Essentials Plus and IASME Governance certifications; second, as a supplier of high-end secure systems design consultancy and associated equipment through partnerships with the leading equipment vendors.
Two approaches cover just about everything from a "technical" perspective (I will leave detailed analysis and interpretation of the legislation minutiae to the experts in that area).
The first is achieving cyber security accreditations and showing off the “badges” on websites etc., the target audience being prospective clients, competitors and the Information Commissioner's Office https://ico.org.uk/.
We are finding that adoption of information assurance / cyber security standards and accreditations such as CE/+ and IASME continues to rise year on year.
In the early years of the programme (2014-2016), largely only the big-name technology companies and niche private-sector companies with very particular security requirements, or those under significant risk of attack by specific interested parties (mining, banking, leading-edge defence suppliers with specific needs, etc.), were on board.
Subsequently, the mandating enforced by Defence, Government and, more recently, Education over themselves and their supply chains brought further organizations on board.
We find that the larger, often public sector, IT departments undergo a “Damascene Conversion” to secure practices such as the timely and effective patching necessary to achieve CE+. Initially intransigent and reluctant to undergo the “growing pain” of raising defences effectively, these have proven to be the strongest advocates of CE+ in later years.
The largest driver since 2017 has been GDPR / DPA. Organisations have approached us voluntarily in response to their legal obligations and for fear of having nothing to produce for the ICO as evidence of due diligence post-breach.
In the vanguard are the remaining technology companies, but included are leading companies in legal, health and all other sectors.
IASME Governance is a standard that incorporates Cyber Essentials in full and adds governance questions around operations, IT policies, GDPR and DPA. It is often used either as a self-assessed, condensed, pragmatic replacement for, or as a “stepping-stone” towards, ISO27001.
We are finding that the percentage of organizations opting for IASME Governance in addition to CE has skyrocketed in the post-GDPR era, and that there has been a very small increase in those asking for help towards full ISO27001.
Due to the flexibility with which IASME Governance morphs to incorporate emerging requirements, as it has done for GDPR, I foresee that it should remain relevant and pervade further in the years to come; it is a good option if you only have a few days, rather than a year’s resources, to dedicate.
– Mark Edwards, Director of Cyber Security & Networks, Capital Network Solutions Ltd
The audited, technical version of CE, “Cyber Essentials Plus”, which has almost every organization failing first time and always results in a significant raising of technical defences in remediation (typically applying patches), has become my team’s main focus, with huge demand post-GDPR.
CE and IASME are increasingly being mandated by the MOD for the requirements of DCPP, with CE+ required for risk profiles of “Low”, “Moderate” and “High”. Underwriters also require this as a prerequisite to the more expensive Cyber Insurance policies.
– Karl Greenfield, Head of Cyber Security, Capital Network Solutions Ltd
While this trend of exponentially increased adoption of CE/+/IASME is admirable, there is a long way to go. Most UK organizations remain unable to reach into their back pockets and produce one of these certificates for the ICO post-breach.
Sadly, in many cases operational or commercial priorities mean that some organizations will only take cyber security seriously when they become lucky survivors of a significant breach.
Fortunately, NCSC and the ICO recognize that this is a “long-haul” process and have stated their backing for the Cyber Essentials programme for many years to come; it is mentioned both in the NCSC’s strategy and by the ICO as a means of demonstrating technical due diligence.
Those organizations that have not already elected to “climb on board the CE/+ or IASME buses” would be wise to make plans to do so now.
The evidence seen by my team of 5 Cyber Essentials / IASME assessors is that organizations are now creating information asset registers and data privacy notices for the first time, making enquiries as to the locations and flows of their data entrusted to third parties, whether their data is encrypted in transit or at rest, and which of their personnel could gain access to private keys.
They are also considering which parties are playing the role of data controller or processor and reflecting these considerations in their contractual obligations. Data Protection Officers are being appointed, named and publicised.
Organizations state that they are deploying technical controls such as 2FA, strong passwords and account lockouts. We are seeing evidence that networks are being segmented for the first time ever. Next-generation perimeter firewalls, and also host-based firewalls, are being deployed in efforts to prevent the initial foothold and expansion of cyber attacks.
We need to be mindful that the assessors’ insight is of those who wish to be accredited under the Cyber Essentials or IASME programmes, so it likely reflects those already interested in employing best practice and already at a “higher than average” level of cyber hygiene.
If we cast our net slightly wider to include those approaching us as new clients (often following a breach) we tend to find that the order of priorities is reversed.
In most cases, the swiftest, most pragmatic means of shoring up defences or containing an advanced persistent threat is to immediately cut the “baddies” (malware) off from their “bosses” (command and control centres) by deploying secure DNS systems, and often proxies too (e.g. Cisco Umbrella and AMP).
Secondly, perimeter defences and the capability to “see” attacks are enhanced by deployment of a next-generation firewall (e.g. Cisco ASA with FirePOWER). This then affords the client the luxury of addressing other issues at a more leisurely pace, with a SIEM or other form of log capture and inspection, where absent, following closely afterwards.
Other specifics include cheaper unmanaged or unsupported switches being dumped for those with monitoring capabilities (NetFlow etc.). Wider “SOC”-type monitoring systems can be deployed to oversee the whole estate. Unsupported end-user devices (IP radios, links to legacy CCTV etc.) are segmented off, binned or replaced with upgraded, supported versions.
Internal patching regimes are analysed and tested, and endpoint defences such as host-based firewalls are incorporated into the tiers of defence.
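The first step above (a policy-enforcing "secure DNS" layer that refuses to resolve names used by malware for command and control) and the "see attacks" log inspection that follows it can be shown in a small script. This is an added example and not code from the original post, from CNS, or from any vendor named on the page (it is not how Cisco Umbrella works internally). The blocklist domains, the query log format and the sinkhole address 0.0.0.0 are constructed assumptions; the domains use the reserved .invalid and .test suffixes precisely so that they are placeholders rather than real indicators.

```python
"""Toy DNS policy resolver plus detection report (constructed example).

Models two of the steps in the text: a "secure DNS" layer that refuses to
resolve names on a blocklist (cutting malware off from its C2), and the
log inspection that reveals which internal hosts tried to reach them.
"""
from collections import defaultdict

# Constructed blocklist of hypothetical C2 domains (placeholders, not real IoCs).
BLOCKLIST = {"c2-example.invalid", "bad.example.test"}

def blocked_by_policy(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any of its parent domains is on the blocklist.

    Matching parents matters: C2 infrastructure often hands each victim its
    own subdomain (e.g. x7f3.c2-example.invalid), so exact matching alone
    would let those lookups through.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False

def resolve(qname: str, blocklist=BLOCKLIST, sinkhole="0.0.0.0") -> dict:
    """Policy decision for one query.

    Blocked names get a sinkhole answer (assumed 0.0.0.0 here) so the client
    never learns the real C2 address. Allowed names would be forwarded to the
    upstream resolver; that lookup is stubbed out so the example runs offline.
    """
    if blocked_by_policy(qname, blocklist):
        return {"qname": qname, "action": "block", "answer": sinkhole}
    return {"qname": qname, "action": "allow", "answer": None}

# Constructed query log, one "timestamp client qname qtype" record per line.
SAMPLE_LOG = """\
2018-11-20T09:01:02Z 10.0.1.25 www.example.org A
2018-11-20T09:01:05Z 10.0.1.25 x7f3.c2-example.invalid A
2018-11-20T09:01:06Z 10.0.1.25 x7f4.c2-example.invalid TXT
2018-11-20T09:02:10Z 10.0.2.7 mail.example.org MX
2018-11-20T09:03:44Z 10.0.2.7 bad.example.test A
2018-11-20T09:04:00Z 10.0.3.9 www.example.org A
"""

def parse_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype})
    return records

def detection_report(records: list, blocklist=BLOCKLIST) -> dict:
    """Group blocked lookups by client address.

    The hosts listed are the ones a responder would want to isolate or move
    into a quarantined segment while the infection is investigated.
    """
    hits = defaultdict(list)
    for r in records:
        if resolve(r["qname"], blocklist)["action"] == "block":
            hits[r["client"]].append((r["ts"], r["qname"]))
    return dict(hits)

if __name__ == "__main__":
    report = detection_report(parse_log(SAMPLE_LOG))
    for client, events in sorted(report.items()):
        print(f"{client}: {len(events)} blocked lookup(s)")
        for ts, qname in events:
            print(f"  {ts} {qname}")
```

Run as-is, the script reports two internal hosts whose lookups were sinkholed (10.0.1.25 twice, 10.0.2.7 once); the third host only resolved benign names and does not appear. In a real deployment the blocklist would come from a threat-intelligence feed and the "allow" branch would forward to an upstream resolver, but the shape of the control is the same.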
On discovering the source of the attack, we are often asked to deploy a VPN solution (to help protect clients who may have been compromised by using public locations such as hotels / internet cafes) and to deliver cyber / phishing / social engineering awareness training to staff. See the options and the excellent "Anatomy of an Attack" video below...
Finally, as previously mentioned, in a total reversal of the order for those who have NOT suffered a breach, these unfortunates then adopt CE/+ and IASME Governance.
We are seeing a marked rise in those approaching us to penetration test web applications post-GDPR, often stipulated by their clients to use a demonstrably competent third party such as CNS via our CREST status (we are the first and only one based in Wales).
External-facing devices are now regularly pentested as a matter of course by some of our larger public sector clients whenever significant changes or upgrades occur... accompanying vulnerabilities can be detected and dealt with prior to “going live”.
– Callen Gibbs, CREST approved penetration testing team member, Capital Network Solutions Ltd
Many now also require “internal tests” to be undertaken on-site on the “other side of the firewall” similar to the Cabinet Office’s “IT Health Check”.
We are finding that post-GDPR, clients are opting for the more expensive “CREST Approved” option for pentests rather than the “value home-brand” options that were de facto in the early “wild-west” days.
– Corey Jones, CREST approved penetration testing team member, Capital Network Solutions Ltd.
There does seem to have been a welcome increase in the maturity of the UK cyber security industry, evidenced by greater adoption of standards, recognition of accreditations, vendor partnership status, and the skills, experience and qualifications of personnel deployed locally.
NCSC seem to be actively advocating for clients to insist on employing the cyber security equivalent of a “registered GP” (UK medical professional), rather than visiting the local “wise woman”, and this is to be welcomed.
CREST ensures consistency of standards and further protection against pentesters “going rogue” with your organization’s “crown jewels”. It is easier to justify to the ICO the use of a known standard which requires vetting and insurance and has a formal complaints procedure.
– Bianca Andris, Cyber Security & Forensic Analyst, Capital Network Solutions Ltd
So, in summary, some organizations are taking this seriously, sadly often only in response to having experienced a breach. Generally, awareness is rising, but at a slow pace; there is still an expansive wilderness of ignorance in the majority of cases, and much for us in the cyber security industry to help them with, now and for many years into the foreseeable future.
The high-profile, easily avoidable cyber breaches will continue to decimate areas of UK industry for years to come.