When the chips are down … how to prevent a cyber security meltdown
Craig Snedden, Information Security Manager, Pulsant
Cyber security will always be on the corporate agenda — and it’s easy to understand why given the consequences of a data breach, DDoS attack or ransomware event. 2017 was perhaps most notable for the massive WannaCry / WannaCrypt attack that affected more than 300,000 computers in over 150 countries, with the UK’s NHS essentially crippled.
Worryingly, the disruptions to hospitals, doctors’ surgeries and A&E departments (more than 30% of trusts in England were affected and at least 19,500 NHS appointments cancelled) could have been avoided. How? By following cyber security basics, like applying patches for vulnerabilities as soon as they become available.
But there’s no use crying over spilt milk because with the new year there are new threats to face. Security researchers from Google’s Project Zero, universities and wider industry recently brought the smartly named Meltdown and Spectre vulnerabilities to light. These vulnerabilities affect chip sets / processors in almost every PC, smartphone and tablet, regardless of operating system.
In a nutshell, hackers could exploit these vulnerabilities to bypass the hardware barrier between applications and the computer’s core memory (normally highly protected) and steal valuable information. The good news is that they haven’t yet. Chip manufacturers like Intel, AMD and ARM are working to provide users with patches, as are the likes of Google, Apple and Microsoft.
While it’s true that the fight against cyber criminals will never truly be over (as one vulnerability is patched, another is exposed), having the basics in place, in the form of best-practice security processes, can help mitigate the risk that businesses face. A cyber security risk framework like Cyber Essentials is the ideal place to start.
The framework is a government-backed programme comprising fundamental security controls. When properly implemented, they address 80% of the most common cyber security threats, while positioning you to address the remaining 20% of threats that are specific to your business. The Cyber Essentials framework looks at five key controls: boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management.
Looking at this latest flaw, as a hybrid IT provider, we are working closely with our vendors and following their recommendations to mitigate and patch against these issues, in order to keep our infrastructure and our customers protected. This is just an added step in our own approach to cyber security, which includes maintaining our certifications (such as ISO 27001) and monitoring and evolving our own strategy, best practices and controls.