Cyber Security

Beating the bad guys; What is it criminals want, and how can you protect yourself?

Find out more

The National Cyber Skills Centre (NCSC) runs short courses and offers advice to small and medium-sized enterprises to help them become cyber secure. It also has some useful resources:

- Short articles about cyber security published by the NCSC
- Resources to help with your cyber security

The NCSC can be reached at info@cyberskillscentre.com or by calling 01684 585111.

Summer 2016

Cyber security: the basics

As more and more of an organisation’s assets become digital, many companies are unwittingly providing a virtual supermarket of rich pickings for the bad guys. These can include: identities of staff and customers; accounts receivable; proprietary process details; access credentials to the systems of clients and suppliers; and so on.

All these things have a value: identities can be sold; payments can be redirected; processes can be copied or ‘adjusted’; credentials can be used to attack others in a supply chain; computers can be used in a ‘denial of service’ attack on others or to run phishing attacks – the list goes on.

Common attacks currently include ‘ransomware’ and ‘spear phishing’. The former is where all systems are locked down unless a fee is paid; the latter falsely uses the identity of a senior person to put pressure on an employee to direct a payment to a fraudulent account. Many attacks are variations of older crimes made more efficient by technology; others exist only because of technology.

Attacks are often not personal, but exploit a known weakness in a technology to see what can be obtained. There are freely available tools on the internet that can tell a criminal the location of every computer with a given vulnerability. Many attacks are automated and incredibly efficient.

Cyber Essentials is a list of five key technical controls the government believes can stop 80 per cent of the most common attacks that have occurred over the last few years. Understanding and implementing these controls is an important first step.
To give yourself confidence that you have done it right, you can go through an official accreditation process. There are levels of protection higher than this but, if you do nothing else, you must implement Cyber Essentials. It is worth noting that it is already mandatory to do this in many public sector supply chains, and will be in private sector ones soon. When you hear supply chain, make sure you think of services as well as products, and include accounting services, payroll and legal.

The great thing about technology is that it does the same thing the same way time and time again, but people don’t. This is both good and bad. The downside is it means people can be manipulated, duped, put under pressure, blackmailed, made to make mistakes and be malicious. On the upside, people can be effective sentinels; they can spot unusual things and raise alarms, learn, adapt and be loyal.

Do put the technology in place and manage it, as this will ensure that even if one area is compromised the rot cannot spread to other systems. You will need to keep on top of the emerging technical threats and manage your system security. But, surround this with a culture of alert individuals and make sure good, old-fashioned transactional governance is in place, such as sign off and identity validation.

Be careful out there!

Credit: Dr Stephen Wright
Images: welcomia / Shutterstock

For further information please contact your local Trading Standards Service