What is cyber security?

Cyber security consists of technologies, processes and measures that are designed to protect systems, networks and data from cyber crimes.

Effective cyber security reduces the risk of a cyber attack and protects entities, organisations and individuals from the deliberate exploitation of systems, networks and technologies.

What are the consequences of a cyber attack?

A cyber attack is usually intended to inflict damage or expropriate information from an individual, organisation or public entity, for the purpose of theft (of payment card data, customer details, company secrets or intellectual property), unauthorised access to networks, compromise of official records or financial and/or reputational damage.

Why are cyber crimes increasing?

1. Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Due to the massive financial gains being made, cyber crime has become a multibillion pound industry.
2. Cyber crimes are constantly evolving. Cyber attacks are becoming more complex and organisations are struggling to keep up with the pace of change.
3. Cyber attacks come in various forms and are designed to not only target technological weaknesses (for instance, outdated software) but also exploit people (for instance, uninformed employees who click on malicious links) and a lack of effective organisational processes and procedures.

Cyber criminals use a variety of malware and vectors to attack their targets:

• Malware
  Malware is a type of software designed to allow criminals to achieve their objectives, and can be categorised as follows:

• Ransomware
  Ransomware is a type of malicious program that demands payment after launching a cyber attack on a computer system. This type of malware has become increasingly popular among criminals and costs organisations millions each year.

• Viruses
  A virus is a small piece of code that can replicate itself and spread from one computer to another by attaching itself to another computer file.

• Worms
  Worms are self-replicating and do not require a program to attach themselves to. Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.

• Spyware/adware
  Spyware/adware can be installed on your computer when you open attachments, click on links or download infected software.

• Trojans
  A Trojan virus is a program that appears to perform one function (for example, virus removal) but actually performs malicious activity when executed.

 

Attack vectors

There are also a number of attack vectors available to cyber criminals that allow them to infect computers with malware or harvest stolen data, such as:

• Social engineering – An exploitation of an individual’s weakness, achieved by making them click malicious links, or by physically gaining access to a computer through deception. Phishing and pharming are examples of social engineering.
• Phishing – An attempt to acquire users’ information by masquerading as a legitimate entity.
• Pharming – An attack to redirect a website’s traffic to a different, fake website, where the individual’s information is then compromised.
• Drive-by – Opportunistic attacks against specific weaknesses within a system.
• Man in the middle (MITM) – An attack where a middleman impersonates each endpoint and is able to manipulate both victims.

 

Find your vulnerabilities and exposures with a cyber health check now

Assess your cyber risk exposure with our consultancy services, designed to audit your organisation and provide you with detailed recommendations for improvements.

How can an organisation improve its cyber security?

There are a number of effective measures you can take to reduce cyber risks, although there are dangers in thinking that technological solutions alone will improve cyber security.

The three fundamental domains of effective cyber security are people, processes and technology.

The best approach to effective cyber security is to identify the threats, vulnerabilities and risks the organisation faces, and to forecast the impact and likelihood of such risks materialising.

Once the risks have been identified, the organisation should implement appropriate measures to mitigate those risks, while balancing its business objectives against the costs of those measures, and the impact and likelihood of the risks occurring.

Fortunately, a number of frameworks already exist to help organisations reduce their cyber risks.

IT Governance recommends that organisations use ISO 27001, the international standard providing best practice in information security, combined with Cyber Essentials, which offers a baseline for mitigating key cyber security risks.

 

ISO 27001 and cyber security

ISO 27001 is the internationally recognised best-practice standard for information security management.

Implementing ISO 27001 will help your business protect its information, comply with your regulatory obligations related to data security, and provide assurance to your customers and stakeholders that you have taken the necessary measures to be cyber secure.

More information on ISO 27001 >>

 

Cyber Essentials

The Cyber Essentials scheme was developed by the UK government to help businesses deal with the business-critical issues of cyber security and cyber resilience. The scheme provides a set of five key controls that organisations can implement to achieve a basic level of cyber security.

More information on Cyber Essentials >>

 

Cyber security resources

Download free information on cyber security

This paper will help you understand what cyber security is, the threats facing your organisation, the correlation between security spending and security effectiveness, and our seven-step security strategy.

Contact us

To discuss your cyber security requirements, contact us by emailing servicecentre@itgovernance.co.uk or calling +44 (0)845 070 1750.