Counter Terror Business - Cybersecurity /features/cybersecurity en Ten years of Cyber Essentials - a decade of making the UK more resilient /features/ten-years-cyber-essentials-decade-making-uk-more-resilient <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/adobestock_320807201.jpg?itok=p_JLgmck" width="696" height="401" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p>Last year, the UK Government's Cyber Essentials (CE) scheme celebrated its tenth anniversary, marking a decade of growth. The scheme is centered around five technical controls and is proven to protect organisations of all sizes from the most common cyber attacks</p> <p><strong>The efficacy of Cyber Essentials</strong></p> <p>As technology advances and cyber threats evolve, the Cyber Essentials scheme continually adapts to stay effective. The National Cyber Security Centre (NCSC) and Cyber Essentials Delivery Partner, IASME conduct a comprehensive review and update process of the scheme each year. During this process, feedback from customers and Assessors is considered, as well as changes in the IT landscape. The goal through this annual review is to ensure that Cyber Essentials remains relevant and effective as well as an accessible and user-friendly scheme.</p> <p>Research from insurers shows that organisations implementing the Cyber Essentials controls are 92 per cent less likely to make a claim on their cyber insurance than those which don’t have Cyber Essentials.</p> <p>In their 2024 Annual Review, the National Cyber Security Centre described the current cyber threat landscape as ‘diffuse and dangerous’ where there is an increase in both the number of cyber incidents and the impact of those incidents. 
The majority of cyber attacks rely on techniques and vulnerabilities that are well known to us, and we have the knowledge and the capability to defend against them. Despite this, the NCSC believe that the severity of the threat facing the UK is underestimated by organisations in all sectors and locations and basic cyber security practices are often ignored.</p> <p>The Cyber Essentials technical controls can stop the vast majority of commodity cyber attacks and are the minimum standard of security recommended by the NCSC. Mass adoption of Cyber Essentials will significantly help improve the cyber resilience of the UK at scale.</p> <p><strong>Cyber Essentials as a supply chain assurance tool</strong></p> <p>Cyber security in supply chains has long been a significant challenge. Traditionally, large organisations have imposed their enterprise security requirements on small suppliers, often overwhelming them with complex and varied security questionnaires. Small companies working with multiple enterprise clients face the time-consuming burden of completing these forms.</p> <p>Recently, larger organisations have started to recognise the Cyber Essentials scheme as a straightforward way to establish a baseline level of cyber security within the supply chain. Certification provides a tangible way for organisations of all sizes to gain confidence that their suppliers, or other third parties, have effectively implemented fundamental technical controls.</p> <p>Organisations that require their suppliers or other third parties to have Cyber Essentials are proven to reduce the number of cyber incidents across their network. Compelling evidence of the scheme’s efficacy as a supplier security tool comes from the wealth management firm St. 
James’s Place (SJP).</p> <p>In 2023, SJP began mandating *Cyber Essentials Plus (CE+) certification across their network of partner organisations.</p> <p>Matthew Smith, divisional director of cyber security, SJP, said: “Security incident numbers have significantly reduced within the Partnership since 2023, evidencing the value and effectiveness of having the core controls in place. To put into numbers, we have seen around an 80 per cent reduction in cybersecurity incidents, which directly correlates to controls and best practices implemented through CE+.”</p> <p><strong>Benefits of using Cyber Essentials as a supply chain tool</strong></p> <p>The tool gives confidence that a supplier has technical controls in place.</p> <p>Through certification, an organisation can have their adherence to a set of criteria or standards independently verified. This enables them to provide a form of evidence, to anybody that asks for it, that a certain standard has been met.</p> <p>It is affordable and achievable for all organisations.</p> <p>Though there is a cost attached to achieving Cyber Essentials, it is comparatively inexpensive. The cost of the certificate is £320-600 for basic Cyber Essentials and the approximate cost of CE+ will be from £2K depending on the size and complexity of the applicant’s network. Other certification schemes may be more costly, making them unattainable for many organisations.</p> <p>It can also help to consolidate the lengthy security review process.</p> <p>Organisations using Cyber Essentials within their supply chain risk management processes report increased efficiency and cost savings in the due diligence process. Requiring evidence of standardised minimum expectations reduces the time spent assessing suppliers. 
It is also helpful for the suppliers themselves, especially SMEs, who benefit from clear, tangible expectations rather than responding to long and complex or duplicate questionnaires.</p> <p>Those using the tool can verify Cyber Essentials certifications across the supply chain.</p> <p>Organisations can use the Cyber Essentials Certificate Search on the IASME website to verify the Cyber Essentials and Cyber Essentials Plus certification of individual supplier organisations.</p> <p>For organisations with large supply chains, it is possible to drop a large list of suppliers into the Cyber Essentials Supplier Check Tool to find out which suppliers are certified to either Cyber Essentials or Cyber Essentials Plus. These search functions make it significantly easier for organisations to verify if their suppliers are Cyber Essentials certified.</p> <p>*Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials but also includes a technical audit of the IT systems to verify that the controls are in place.</p> <p>Review the cyber security of your organisation against the five controls of Cyber Essentials with the free online Cyber Essentials Readiness Tool. The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. 
Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.</p> <p>&nbsp;</p> <div class="field-item even"><a href="https://iasme.co.uk/cyber-essentials/" target="_blank" title="nofollow">Read more</a></div> Fri, 11 Apr 2025 14:04:02 +0000 Polly Jones 17409 at /features/ten-years-cyber-essentials-decade-making-uk-more-resilient#comments Cyber security underpins everything we want to do /features/cyber-security-underpins-everything-we-want-do <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/socitm-social-medial-digital-trends-2025-edited.jpg?itok=OlhPgKJJ" width="696" height="537" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><em>In January, Socitm published its Public Sector Digital Trends report for 2025. The Institute team undertake months of research to create 'trends' rather than predictions. 'Trends' are about enduring change - those digital impacts and technology developments that will, over time, have a lasting effect, Carol Williams explains</em></p> <p>My dual roles within local public services and the membership charity Socitm give me access to wonderful people and ideas. We are a sector which has a remarkable ability to adapt and innovate despite adversity. This latest piece of work from Socitm will chime with my colleagues across public service. 
It’s a call to action for all of us to think beyond traditional constructs.&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>Here I’m focusing in on the cyber security part of the report and narrowing in on local support and AI – acknowledging the threats but also some of the ways in which AI is already being used to secure our data and anticipate these new threats.</p> <p><strong>Cyber security focus – not just for 2025</strong></p> <p>As conflicts escalate beyond borders, all our organisations are being urged to bolster their cyber defences.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>Making sure we’re protected from unauthorised access to data and systems, as well as preventing data loss or leakage, is always a top priority.&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>We in the public sector, as everywhere, need to adopt robust strategies to stay ahead of new threats and risks. Risks such as AI, distributed cloud models and the increasing use of IoT devices.&nbsp; &nbsp;</p> <p><strong>Use your local experts</strong></p> <p>The Cyber Technical Advisory Group (CTAG) and Warning, Advice and Reporting Points (WARPs) have generated significant benefits for local public service organisations.</p> <p>CTAG has facilitated the development of best practice assets, such as securing Office 365 guidance and incident response policies. These are widely circulated and adopted by WARPs and councils. The collaboration has led to increased cyber maturity across local authorities.&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>WARPs are community-based services. Members receive and share up-to-date advice on information security threats, incidents and solutions. 
This reduces the burden on individual organisations.</p> <p>Overall, the synergy between CTAG and WARPs has strengthened the cyber resilience of public services and critical infrastructure, ensuring they remain safe and up to date in a fast-paced digital landscape.</p> <p><strong>Incidents</strong></p> <p>Socitm’s analysis reveals several significant challenges that councils may face because of cyber incidents: complete loss of access to IT systems and data; service disruption; data exfiltration and potential breaches; communication difficulties; balancing service restoration with security considerations; resource constraints; rapid decision-making and response; and a need for enhanced security measures.</p> <p>This all underscores the importance of having robust business continuity plans, IT disaster recovery plans, effective communication strategies, and enhanced security measures in place to manage and recover from cyber incidents.</p> <p><strong>Managing a cyber-attack and recovery plan</strong></p> <p>Gloucester City Council experienced a sophisticated ransomware attack that encrypted its servers and disrupted services. The attack began with a spear-phishing email, which led to malware installation and eventual data exfiltration and server encryption. You can read more here.</p> <p><strong>Emerging threats</strong></p> <p>We expect to see growing trends in AI-driven cyber-attacks – sophisticated phishing, social engineering and deepfake attacks, leading to identity theft, influence, discredit, fraud and the bypassing of security measures.</p> <p>Cloud and IoT vulnerabilities – targeting vulnerabilities in cloud environments and IoT devices, along with the continuous threat of ransomware, multifaceted extortion tactics and supply chain attacks.</p> <p><strong>How and where is AI helping public services? 
&nbsp;</strong></p> <p>As much as AI poses more risks to our cyber security, we can make use of it just as criminals do.&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>It’s starting to play a pivotal role in enhancing cyber protection and resilience in:&nbsp; &nbsp;</p> <p>1.<em> Threat detection and prevention: </em>&nbsp;</p> <p>Machine learning (ML) can analyse vast amounts of data from network traffic, system logs and user activity to identify patterns and anomalies that may indicate a cyber threat.&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>Intrusion Detection and Prevention Systems – AI helps to detect and block intrusions by analysing network traffic in real-time and flagging unusual login patterns and data exfiltration attempts.&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>Malware detection – AI can identify new and evolving forms of malware by analysing characteristics or behaviours instead of relying on predefined signature databases.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p><em>Where?</em></p> <p>Cybersecurity and Infrastructure Security Agency (USA) Einstein uses AI and ML to continuously monitor and protect government agencies from cyberattacks by detecting anomalies and blocking malicious activities in real time.</p> <p><em>2. Automated response and mitigation &nbsp;</em></p> <p>AI can automate incident response processes, reducing the time it takes to mitigate threats.&nbsp; For example, AI-driven systems can isolate affected parts of a network, apply patches and restore services without human intervention enabling faster containment and mitigation of security breaches.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p><em>Where? 
National Cyber Security Centre (UK)</em></p> <p>The NCSC has incorporated AI into its cybersecurity frameworks to automate the detection of threats and mitigate attacks before they escalate.&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>This includes the automated identification and isolation of potentially compromised systems within critical national infrastructure.&nbsp; &nbsp;</p> <p><em>3. Vulnerability management &nbsp;</em></p> <p>AI can help in identifying, classifying and prioritising vulnerabilities within systems and software.&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;</p> <p>By constantly scanning and assessing the cyber landscape, AI can highlight the likelihood of exploitation.&nbsp;&nbsp; &nbsp;</p> <p><em>Where? Australian Cyber Security Centre</em></p> <p>The ACSC uses AI to automate the identification and remediation of vulnerabilities across government networks, helping agencies improve their resilience to cyberattacks.</p> <p><em>4. Phishing detection &nbsp;</em></p> <p>AI can analyse emails and other communications to identify phishing attempts. Natural language processing and ML models can identify suspicious content and warn users before they fall victim to scams.</p> <p><em>Where? Canadian Centre for Cyber Security</em></p> <p>The CCCS uses AI-powered systems to detect and prevent phishing attacks aimed at federal government employees and the public sector in general. Their tool automatically flags suspicious emails and links in real-time, reducing the risk of successful phishing attacks.</p> <p><em>5. Security analytics &nbsp;</em></p> <p>AI enhances abilities to analyse security logs and other data sources to uncover hidden threats. Advanced analytics can correlate events across different systems to provide a comprehensive view of the security landscape.&nbsp; &nbsp;</p> <p><em>Where? 
European Union Agency for Cybersecurity</em></p> <p>They use ML algorithms to map out the AI threat landscape, identify trends and forecast emerging threats.</p> <p><em>In summary</em></p> <p>Using AI in our cybersecurity will help us to be more resilient against threats, supporting faster detection, more effective responses, and better overall security management.</p> <p><strong>Digital leaders: things to think about and do</strong></p> <p><strong>Basic</strong></p> <p>Maintain vigilance to protect applications and network infrastructure from unauthorised access; be proactive in addressing emerging threats; stay updated with compliance and regulatory requirements; and maintain patching and virus checking.</p> <p><strong>Good</strong></p> <p>Foster a culture of continuous education and awareness among all employees, staying informed about the latest trends and tactics; and undertake end-to-end testing, compliance checking, change control, regular training sessions, simulations, and updates on emerging cyber risks to empower staff to identify and respond to threats effectively.</p> <p><strong>Best</strong></p> <p>Engage senior and political leaders, ensuring that cyber reporting is a routine focus; develop cyber strategies and policies which integrate cyber resilience into a broader organisational picture, including connections between IT disaster recovery, business continuity planning, emergency response and digital service dependencies – within wider civic resilience planning and testing; and establish a Security Operations Centre, cross-border collaboration and strong supplier management.</p> <p>What’s working for you? 
Are you using AI to defend yourself against AI?!&nbsp;&nbsp; &nbsp;</p> <p><strong>About the author&nbsp;</strong></p> <p>Carol Williams is Director, Transformation and Digital and SIRO for Walsall Council, Socitm President 2024-25</p> <p>&nbsp;</p> <div class="field-item even"><a href="https://socitm.net/" target="_blank" title="nofollow">Read more</a></div> Fri, 11 Apr 2025 11:48:02 +0000 Polly Jones 17408 at /features/cyber-security-underpins-everything-we-want-do#comments Cyber resilience in the public sector: professionalising the workforce to combat emerging threats /features/cyber-resilience-public-sector-professionalising-workforce-combat-emerging-threats <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/adobestock_178545871_2.jpeg?itok=eaVDtt1J" width="696" height="432" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>As cyber threats to the UK’s public sector grow in scale and sophistication, Dr. Claudia Natanson MBE, CEO of the UK Cyber Security Council, explores how professionalising the cybersecurity workforce is key to building national resilience and securing critical services</strong></p> <p>Cyber resilience has become a growing priority for the UK’s public sector, particularly as local government and national institutions grapple with increasingly sophisticated threats. Despite the heightened focus on cybersecurity commitments, the public sector still faces significant hurdles in addressing cyber risks and ensuring that the right people are in place to protect critical infrastructure.</p> <p>The need to professionalise the public sector’s cybersecurity workforce has never been more urgent. 
The UK Cyber Security Council (UK CSC) has developed a framework to address these challenges, embedding professional titles and offering guidance on recruitment, training, and career development. This framework is designed to help organisations better align their cybersecurity strategies with evolving threats and fill critical staffing gaps.</p> <p><strong>Addressing public sector threats through professionalisation</strong><br>The public sector is a prime target for cyberattacks due to its management of sensitive data and critical infrastructure. Government bodies and public organisations have increasingly become the target of ransomware attacks, data breaches, and other cyber incidents that threaten national security and public safety.&nbsp; For example, in June 2024, a cyberattack on a supplier of NHS pathology services led to the postponement of 10,152 outpatient appointments and 1,710 elective procedures [<a href="https://www.nao.org.uk/press-releases/cyber-threat-to-uk-government-is-severe-and-advancing-quickly-spending-watchdog-finds/">1</a>].</p> <p>Ransomware attacks on public bodies can disrupt services, expose personal data, and create substantial recovery costs. These incidents underscore the pressing need for cybersecurity professionals who are not only equipped to handle immediate threats but also to build long-term resilience within public sector organisations.</p> <p>The professional framework from the UK CSC provides a roadmap to mitigate these risks. By professionalising cybersecurity roles, the framework seeks to ensure that the public sector is better equipped to address both current and emerging threats. 
It focuses on strengthening leadership, management, and technical capabilities of cybersecurity teams, which are often under-resourced or lack the necessary skills to combat modern threats effectively.</p> <p><strong>The new cybersecurity framework: A solution to staffing challenges</strong><br>The primary goal of the UK CSC’s framework is to ensure the UK public sector has the skilled workforce needed to mitigate cybersecurity threats. The framework aims to professionalise cybersecurity roles, ensuring they are treated with the same level of expertise as other areas of leadership.</p> <p>Among the most notable elements are the introduction of new professional titles which are designed to help public sector organisations recruit individuals who are not only accredited but also trained to manage and lead cybersecurity initiatives.</p> <p>These titles will play a crucial role in filling gaps in the public sector’s cybersecurity workforce. Local councils, government agencies, and other public sector bodies will be able to hire professionals who have undergone specific training and certification tailored to their needs and requirements. This move addresses both recruitment shortages and the challenge of retaining skilled cybersecurity talent in a competitive job market.</p> <p><strong>Staffing gaps and recruitment challenges</strong><br>A key issue facing the public sector is the chronic shortage of qualified cybersecurity professionals. While the private sector is able to attract top talent with competitive salaries and benefits, the public sector often struggles to match these incentives which has led to a widening skills gap.</p> <p>A significant barrier to recruitment in public sector cybersecurity roles has been the lack of clear career progression. However, the UK CSC’s framework addresses these challenges by providing a clear career pathway, making the sector more attractive. 
The future development of specialisms like Cyber Manager will create a structured career ladder, providing more defined roles, responsibilities, and progression opportunities.</p> <p>The framework also emphasises the upskilling of existing employees. This focus on continuous professional development will be vital in helping local councils and government agencies keep pace with evolving threats. By providing access to targeted training, certification programs, and professional development opportunities, the UK CSC aims to create a more capable and adaptable cybersecurity workforce.</p> <p><strong>The role of leadership and culture in cybersecurity resilience</strong><br>While technology is a critical component in defending against cyber threats, it is leadership and organisational culture that determine the long-term success of cybersecurity strategies. The public sector has traditionally been slow to adopt comprehensive cybersecurity leadership practices, often focusing on compliance rather than innovation.</p> <p>The introduction of Principal and Chartered professional titles is designed to address this issue by empowering leaders to take ownership of cybersecurity initiatives and to drive change from the top down. Effective leadership is essential not just for managing threats but also for instilling a cybersecurity-conscious culture. Cybersecurity is no longer solely the responsibility of the IT department but a cross-departmental concern that requires buy-in at all levels.</p> <p><strong>Aligning with national security priorities</strong><br>The professionalisation of cybersecurity is not just about organisational resilience but about enhancing national security. 
As the UK faces increasing threats from cyberattacks, cybercriminals, and even domestic terrorism [<a href="https://www.nao.org.uk/press-releases/cyber-threat-to-uk-government-is-severe-and-advancing-quickly-spending-watchdog-finds/">2</a>], the need for a well-trained and capable cybersecurity workforce has never been more urgent.</p> <p>By achieving this, the public sector can better align with national cybersecurity strategies and support broader initiatives aimed at enhancing national resilience against cyber threats. The framework also complements other government-led efforts to improve cybersecurity resilience across critical national infrastructure, and public services.</p> <p><strong>Looking ahead: future-proofing the public sector</strong><br>The introduction and adoption of the UK CSC’s framework is a step forward, but it is only one part of the broader national strategy needed to tackle cyber threats. Future steps include continuing to strengthen professional standards, expanding the number of professionals entering the field, and ensuring that the public sector can keep up with the rapid pace of technological change.</p> <p>The framework will also need to evolve to reflect the growing influence of emerging technologies such as artificial intelligence (AI) and machine learning, which have the potential to both improve and challenge cybersecurity practices. These advancements will require public sector organisations to invest in continuous learning and development to stay ahead of the curve.</p> <p>In conclusion, the professionalisation of the industry offers a comprehensive solution to the staffing and skills challenges facing the public sector. 
By professionalising cybersecurity roles, public bodies can better defend against cyber threats, enhance national security, and build a resilient digital infrastructure that can withstand the evolving nature of cyber risks.</p> <p>For more information on the UK Cyber Security Council’s professional framework and how it can support the public sector, click <a href="http://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/.">here</a>.</p> <div class="field-item even"><a href="http://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/." target="_blank" title="nofollow">Read more</a></div> Mon, 07 Apr 2025 15:50:39 +0000 Polly Jones 17399 at /features/cyber-resilience-public-sector-professionalising-workforce-combat-emerging-threats#comments Cyber teams are stressed and underfunded - cyber resilience starts with them /features/cyber-teams-are-stressed-and-underfunded-cyber-resilience-starts-them <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/adobestock_312879613_1.jpg?itok=_ZYLWz0k" width="696" height="392" alt="Man sat in front of many computer screens" title="Man sat in front of many computer screens" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>Chris Dimitriadis, chief global strategy officer at ISACA, argues that cyber attacks are becoming more frequent and stopping them starts with investing in staff.</strong></p> <p>You don’t need a crystal ball to know that cyberattacks will only become more high profile and more frequent over the coming years. We’ve seen it in real time this year as major hacks and outages have disrupted public services, critical infrastructure, and business alike.</p> <p>Where cyberattacks are concerned, it’s becoming a matter of when they will happen – not if they will happen. 
At ISACA, our latest State of Cybersecurity report revealed that 70 per cent of respondents – cybersecurity professionals – said they are experiencing more or the same level of cybersecurity attacks compared to a year ago. 58 per cent agree that it is likely that their organisation will experience a cyberattack in the next year, which has increased from 52 per cent in 2023.</p> <p>That the situation is worsening points to the fact that there needs to be more investment in the right staff and skills to better prepare and respond to such attacks when they happen.</p> <p><strong>But cybersecurity teams are stressed and underfunded</strong></p> <p>Despite this growing problem, the lack of funding and investment in cyber teams is only exacerbating the issue. In our research, 90 per cent of respondents reported that they feel their organisation’s cybersecurity budget is currently somewhat or significantly underfunded – and a further 61 per cent feel their organisation’s cybersecurity team is understaffed.</p> <p>As a result, cyber professionals are not sufficiently prepared to carry out their crucial work, working in thin teams without the necessary budget, especially as the threat landscape becomes harder to navigate. And they’re feeling the strain – in the same survey, 68 per cent of cyber professionals reported that they feel their role is more stressful now compared to five years ago, with 79 per cent of them putting this down to the increasingly complex threat landscape.</p> <p>The lack of support, training, and investment is therefore limiting the cyber resilience of those organisations whose teams cannot work to their full potential. 
Many of these businesses neglect cyber teams when it comes to decision making; 47 per cent of professionals working in cyber said they were not involved in the development, onboarding, or implementation of AI solutions, and 42 per cent were not involved in the development of a policy governing the use of AI within their organisations. &nbsp;&nbsp; &nbsp;</p> <p>This is a critical oversight given the cyber risk implications of new and emerging technologies like AI, and suggests that businesses are failing to prioritise cyber resilience when making these decisions.</p> <p>In essence, cyber teams which are understaffed and underfunded work in a more reactive than proactive way, firefighting as threats emerge rather than preventing them in the first place. This leaves professionals stressed, worried, and overworked, and the organisation itself more vulnerable to attack.</p> <p><strong>Skills and training are a key way to support teams and drive resilience</strong></p> <p>The cybersecurity industry has a persistent skills gap – the shortage of cybersecurity professionals in Europe ranges between 260,000 and 500,000. Indeed, our State of Cybersecurity report found that 45 per cent of respondents reported another reason they feel that their role is more stressful now than five years ago is because they are not sufficiently trained or skilled. &nbsp;&nbsp; &nbsp;</p> <p>At a time when bad actors are only getting more sophisticated, we can’t afford to put both businesses and people at risk – a single attack on one company can have adverse effects on its entire supply chain and network. Every organisation needs trained and skilled professionals in the right roles who understand the ever-evolving nature of the threat of cyberattacks. Cyber roles are constantly evolving as new technology emerges – take, for example, the rise of AI and the web of cyber risks which have surfaced as a result. 
Professionals working in the industry need consistent upskilling or they risk being several steps behind bad actors. &nbsp;&nbsp; &nbsp;</p> <p>Training and diverse hiring practices are the key to combating the skills gap and making organisations more resilient. Given the massive shortage of people in the industry, the ‘conventional route’, such as a degree in cybersecurity or years of experience, does not need to be the only way for talent to enter the industry. Businesses should encourage people&nbsp;who don’t necessarily have a background in security to take the leap into cyber and then train them on the job in order to widen the talent pool. &nbsp;&nbsp; &nbsp;</p> <p>The best route into the cybersecurity sector varies based on every individual. But there are several ways to earn certifications and skills. In fact, 51 per cent of cyber professionals feel that soft skills are the biggest skills gap in the industry. Of the soft skills in question, 54 per cent state that communication skills (such as speaking and listening skills) are the most important, followed by problem-solving (53 per cent) and critical thinking skills (48 per cent). &nbsp;&nbsp; &nbsp;</p> <p>If businesses rethink their hiring strategies and prioritise candidates who demonstrate the necessary strong soft skills, enthusiasm, and a genuine interest in the sector, they can train those people as they go and support them in earning the right qualifications. Organisations therefore become more resilient to external threats and have a healthy workforce of cyber professionals who feel supported in their career development.</p> <p><strong>Cyber resilience is part of an organisation’s duty of care</strong></p> <p>Cyber resilience is so important, not only because a cyber resilient organisation can better protect itself, but because a cyber resilient organisation also protects its customers, suppliers, and everyone across its network. 
Supply chain resilience is a combination of a business’ level of vulnerability&nbsp;and its level of dependency on others in its network. &nbsp;&nbsp; &nbsp;</p> <p>Businesses should not invest in cybersecurity as a box-ticking exercise, but as part of their duty of care to end-users, customers, and stakeholders. In order to build resilience, businesses must understand their key dependencies and where along the supply chain potential issues lie and what to do in response if things go wrong. &nbsp;&nbsp; &nbsp;</p> <p>In the cybersecurity industry, collaboration is key to creating secure environments and frameworks. Whatever the size of the organisation, conversations around risk need to happen with others in the network and make sure everybody is comfortable with how processes are being organised and run across the chain. Companies must talk to each other about the threats they are facing and protect each other against the big-ticket issues which can go wrong.</p> <p><strong>Cyber resilience is a team effort</strong></p> <p>All in all, dealing with the growing threat of cyber attacks will require a multi-pronged approach from each and every organisation. Driving cyber resilience starts at the very beginning of the process with the hiring practices, training opportunities, and career development of cyber professionals to plug the skills gap and help teams feel supported and skilled. &nbsp;&nbsp; &nbsp;</p> <p>This effort should continue through to involving these professionals in both the day-to-day decision making and the big-ticket strategies like the implementation of AI solutions to ensure security is built into any new processes. Then, businesses should think about their cyber resilience holistically and collaborate with other organisations about the threats they face and how they can be overcome. 
&nbsp;&nbsp; &nbsp;</p> <p>By building a truly cyber resilient society, cyberattacks will still happen, but they will not be as damaging and catastrophic as those we have seen in the last few years. Rather than completely halting public infrastructure or crippling businesses and their consumer trust, organisations will be able to limit the harm of the attack and carry out a response plan which is thorough, informed, and effective.</p> Thu, 09 Jan 2025 09:22:05 +0000 Meghan Shaw 17296 at /features/cyber-teams-are-stressed-and-underfunded-cyber-resilience-starts-them#comments Ensuring public sector safety in a digital age /features/ensuring-public-sector-safety-digital-age <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/adobestock_372232039.jpg?itok=6exRJtzZ" width="696" height="392" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>Chris Dimitriadis, chief global strategy officer at <a href="https://www.isaca.org/">ISACA</a> discusses some of the current cyber threats and what is being done about them.</strong></p> <p>Earlier this year, several hospitals across London were subjected to a sophisticated cyberattack that had devastating consequences for patients. With more than 1,000 planned operations and over 3,000 outpatient appointments postponed, the attack caused huge disruption for the NHS in the capital.&nbsp;</p> <p>Cyberattacks are undeniably on the rise. In the UK alone, as many as half of all businesses report having suffered a cybersecurity breach or attack in the last twelve months.</p> <p>But they are also becoming increasingly sophisticated. Hackers are moving at pace with technology and honing their skills to inflict maximum damage on their victims. Ransomware attacks remain the most acute type of cyber threat facing most UK organisations. 
And these are becoming increasingly more sophisticated.&nbsp;</p> <p>Typically, organisations with complex supply chains face far greater risk. If one element of that chain becomes compromised, the whole organisation can be brought down. This means that when it comes to cyberattacks, nothing and no one is off limits, including public sector institutions such as the NHS and the Ministry of Defence.</p> <p>So, how can organisations in the public sector better protect themselves against the threat of impending cyberattacks?</p> <p>Regulation is being implemented</p> <p>At the State Opening of Parliament in July, King Charles III announced the new Labour government’s plans. One of these plans was the Cyber Security and Resilience Bill, something that has been welcomed with open arms by the technology and cybersecurity industry.</p> <p>A significant way that the bill is set to protect public sector organisations is by proposing to enforce universal standards across supply chains. This will mean that every single company within the supply chain of a service such as the NHS, for example, will be required to comply with a certain standard of cybersecurity protection.</p> <p>Of course, it’s a positive step in the right direction, as bad actors can capitalise on any small weak link in a supply chain and launch an attack. The next move will be for this Bill to be followed through, introduced and enforced by the new government sooner rather than later to avoid further damage in the meantime. But regulation alone isn’t the only answer.</p> <p>There’s strength in numbers</p> <p>While implementing and enforcing regulation is vital when looking to protect organisations – both public and private – from succumbing to cybercrime, it’s not a quick fix solution on its own. In order to be successful and achieve the best level of protection, businesses need to have trained professionals in place. 
By employing staff with the right skills in the right places, they can not only diligently monitor for and implement any measures needed to comply with such regulation but can also be on the front foot, proactively monitoring for any warning signs or potential threats.</p> <p>It is essential that upskilling and training for staff is available and provided at any company, big or small. The World Economic Forum reports that there is a global shortage of nearly four million cyber professionals. That number is vast, and is unfortunately growing. This cannot continue in a digital world where cyberattacks are on the rise.</p> <p>According to research that we at ISACA carried out amongst our membership in Europe in 2023, a shocking 62 per cent of respondents reported that their cybersecurity team was understaffed.</p> <p>The new UK government has proposed the introduction of Skills England, a new entity designed to fight the broader skills shortage issue that the country is facing by working to assess where current and future skills demand lies. The next step will be for digital skills to become a focus of that body, with a view to working on closing the skills gap.</p> <p>Schemes like Skills England will help to both fill vital positions to make organisations more secure and create a more diverse workforce. By providing a range of opportunities and routes for those looking to enter the cybersecurity industry, workplaces will attract a variety of people from different backgrounds, fostering a team that has diverse thought processes and approaches to problem solving.&nbsp;</p> <p>This is valuable, as a fully rounded cybersecurity team needs people with both technical and soft skills – someone that can think like a hacker and remain one step ahead is just as important as someone with excellent communication skills who can simplify the intricacies of cybersecurity to the board. 
And if organisations can widen their approach by inviting people to interview that might not yet have the exact qualifications needed, but have the right attitude, aptitude and are willing to learn, they will see more applicants and more talent keen to sign up.</p> <p>Time for change</p> <p>Societies often suffer from a feeling of inertia. People follow in the employment footsteps of their ancestors, take static careers advice from their school or university or simply “find themselves” in a job. Typically, we lack dynamism and forethought when it comes to starting out on the career ladder. That needs to change.&nbsp;</p> <p>From a young age, people need to be taught that there are career options beyond the ‘obvious’, including exciting, diverse job opportunities and career paths in the world of cybersecurity. Figures suggest that around 60 per cent of today’s school children will enter a career that hasn’t been thought of yet, which is no surprise with emerging technologies evolving at a rate of knots.&nbsp;</p> <p>With that in mind, it’s important that the information available to young people is the most up to date, whether that’s by a change in curriculum, or by professionals heading into schools to talk to students about what their future could look like. Not only do young people need to be made aware of the career options open to them, but they also need to be told that they don’t need to be limited to taking specific technical qualifications to pursue a certain career.&nbsp;</p> <p>When it comes to cybersecurity and AI, there’s a wider need to upskill people from the ground up. 
The school curriculum should be evolving now to cover the basics of AI technology, its applications and ethical use cases so that the next generation of leaders grows up steeped in knowledge of the future technologies, and resultant job opportunities.&nbsp;</p> <p>Keeping up with the<br>latest technologies</p> <p>While AI can – and will – no doubt achieve powerful things, with the potential to revolutionise services and improve menial workloads across industries, it does pose a threat. And public sector organisations are just as vulnerable here as anybody else. It’s imperative that users of AI are aware and mindful of the risks associated. Education and training around emerging technologies such as AI is a non-negotiable if organisations want to feel secure and protected.&nbsp;</p> <p>Regular training is the remedy for this. And while any cyber and IT teams should be offered such training as an immediate priority, it should be rolled out to the wider workplace, particularly if staff are regularly coming into contact with AI. Although they are the experts, the onus shouldn’t solely be on the cybersecurity or IT team, and staff throughout the organisation should at least be familiar with the basics and how these are set to change.</p> <p>Yet research carried out by ISACA amongst our European membership earlier this year revealed that 40 per cent of organisations offered no AI training to staff and a further 30 per cent only offered it to those working in tech-related positions.&nbsp;</p> <p>Legislation and guidance on AI will of course be welcomed alongside this. AI tools are informed by data, and so this data needs to be regulated and have the adequate protections in place. 
While being educated and having training on AI is imperative, users need to be secure in the knowledge that they are using a regulated and safe service and feel empowered to embrace newer technologies.</p> <p>Ultimately, public sector organisations must make sure that they are taking the same precautions as private businesses. They are unfortunately just as vulnerable, and in a world full of increasing geopolitical tensions and state-sponsored attacks, national services with complex supply chains that are relied upon by large quantities of people are a haven for attackers on a destructive mission. A combination of legislation, compliance, and training will help businesses and sectors across industries to become more trusted and secure.&nbsp;</p> Tue, 20 Aug 2024 11:21:27 +0000 Robyn Quick 17092 at /features/ensuring-public-sector-safety-digital-age#comments Getting the cyber security basics right /features/getting-cyber-security-basics-right <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/lock.jpg?itok=bGdoxVy6" width="696" height="308" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>Cyber Essentials helps organisations, whatever their size guard against a whole range of the most common cyber threats. 
This government-backed certification scheme is based around five key technical controls that, when implemented correctly, enable the minimum cyber security protection that organisations should aspire to.</strong></p> <p>IASME is the National Cyber Security Centre’s partner for the delivery of the Cyber Essentials scheme and we are firm believers in the five core controls which are the basis for this scheme and encapsulate foundation cyber security best practice.</p> <p>One thing is certain, if you are going to do cybersecurity right, you’ve got to get the basics right first; so let’s talk about getting the basics right.</p> <p><strong>The risk of using legacy and unsupported software</strong></p> <p>Unsupported software is a key target for cyber attacks. Known vulnerabilities in unsupported software left un-patched are easy targets for hackers who create programmes and services to make them easy to exploit, even for criminals with low levels of technical expertise.</p> <p>Software and firmware are supported by the manufacturer for a period of time after they have been developed (this can range from two to eight years depending on the manufacturer).</p> <p>This ‘support’ means that if a mistake or weakness, known as a vulnerability, is discovered in the code that makes up all software, the manufacturer will address it with an update or patch which fixes the problem before it can be exploited by cyber criminals. All critical and high-security updates must be applied within 14 days; the easiest way to achieve this is to enable ‘automatic update’ on all your devices.</p> <p>For some larger organisations, there is a concern that some software updates may stop other software from working or cause some features to break. 
Most IT teams in larger organisations aim to fully test each update on a controlled sample of devices, before applying it company wide.</p> <p>It is always a good idea to have backups of your data before updating.</p> <p>The National Cyber Security Centre has some useful guidance on installing software updates without breaking things.</p> <p><strong>Create an asset together</strong></p> <p>Knowing which devices access your organisational data and which software and firmware you have and whether they are supported is really important. Keeping a documented inventory of your devices, software, firmware as well as the cloud services you use is sometimes referred to as an asset list. Maintaining an asset inventory helps to track which software you have in use in your organisation and when it becomes unsupported or is no longer receiving security updates.</p> <p><strong>Segregate your network</strong></p> <p>Perhaps because of the financial implications of updating software, using unsupported software is one of the most common reasons that an applicant fails Cyber Essentials.</p> <p>If an unsupported or legacy piece of software continues to be used in an organisation, could those vulnerable systems be segregated via a firewall or VLAN onto a closed network? This could keep it safely out of scope and separate to the financial and business data systems of your organisation.</p> <p><strong>Cloud&nbsp;services are not secure by default</strong></p> <p>Today, most organisations use some elements of cloud computing; others have migrated their entire IT infrastructure off premises into the ‘cloud’ (Infrastructure as a Service or IaaS). A particularly attractive feature of cloud service tools and applications is that they are highly scalable and easy to access remotely.</p> <p>It allows for a flexible and collaborative use of a resource without having to make the large outlay for ever-changing technology. 
Yet despite these incredible benefits, there are some serious security concerns. If professionals and customers can access data over the internet from any location, so can criminals.</p> <p>Most cloud providers (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform) attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust; however, they cannot control how their customers use the service, what data they add to it, and who has access.</p> <p>Most data breaches in the cloud are a result of badly configured accounts and interfaces with the most common cause being weak, default or stolen passwords.</p> <p>This highlights how important it is that all cloud services are set up correctly and have the essential security controls in place. Organisations should have a comprehensive password policy applicable to all employees and contractors. According to research by Microsoft, there are over 300 million fraudulent sign-in attempts to their cloud services every day; they also estimate that 99.9 per cent of attacks can be blocked simply by using multi-factor authentication.</p> <p>Enable multi-factor authentication on all accounts accessible over the internet.</p> <p><strong>Understand the shared responsibility model with cloud services</strong></p> <p>When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service that is responsible for implementation whereas for other features, it is the user organisation. 
Who implements which controls will vary depending on the design of the cloud service being subscribed to.</p> <p>Where an organisation uses Infrastructure-as-a-Service products, such as Microsoft Azure, Rackspace, Google Compute Engine, or Amazon EC2, they access virtual machines (VMs), storage, networks, and operating systems over the internet that are located on part of a server in a data centre. Despite the computing infrastructure being provided remotely by the cloud service provider, all of the security and backing up is the user organisation’s responsibility.</p> <p><strong>Do your research on your cloud service provider</strong></p> <p>It is crucial to research the company that is hosting the cloud service and looking after the computers which hold your data. Many data centres are kept up to date and secure, but it cannot be taken for granted as some do not understand or value security. It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.</p> <p><strong>Account separation</strong></p> <p>Another common cause behind a cyber breach is when users are using local admin accounts for everyday tasks.</p> <p>It is best practice that all staff should use a standard user account to carry out their normal day-to-day work and a separate administrator (admin) account should be used to install and remove software, and other administrative tasks.</p> <p>Admin accounts typically have the greatest level of access to information, applications and settings and will cause the most damage if accessed by attackers. An attacker will have the same privileges as the account that you have used to log in and, if that is an admin account, they will be able to perform actions such as install malicious software, delete files and access sensitive data. 
For this reason, administrative accounts must be restricted, kept track of and not used to carry out everyday tasks.</p> <p>Did you know the first account that is set up on Microsoft 365 by default is a global admin? These accounts will have full power to configure and change the settings and controls of everything in your organisation’s account. If this account is set up without the necessary security controls and then hacked, an attacker could access your whole system and possibly take all the data out of the organisation.</p> <p>The huge control panels within the admin centre for a cloud service in Microsoft or Google can be a daunting prospect, and anyone setting up accounts will need to set role assignments, groups and permissions to each account as well as passwords and multi-factor authentication. This is the same whether you are a large enterprise or a micro organisation and therefore expert guidance in configuring these settings may be a necessity.</p> <p><strong>Close the remote desktop protocol port</strong></p> <p>Remote Desktop Protocol enables a user of a computer in one location to access a computer or server somewhere else. This is often used by technicians to support users and to carry out maintenance tasks.</p> <p>Remote Desktop Protocol (RDP) is a common attack vector for ransomware and should not be exposed or accessed across the internet.</p> <p>Close or block the RDP port at the firewall so that it is not open for use across the internet. Where possible, rather than using remote connections, utilise cloud services such as OneDrive or Google Drive.</p> <p>Review the cyber security of your organisation against the five controls of Cyber Essentials with the free online Cyber Essentials Readiness Tool.</p> <p>The process of working through the questions will inform you about your organisation’s level of cyber security and what aspects you need to improve. 
Based on your answers, you will be directed towards relevant guidance and a tailored action plan for your next steps towards certification.&nbsp;</p> <div class="field-item even"><a href="https://iasme.co.uk/cyber-essentials/cyber-essentials-apply-now/" target="_blank" title="nofollow">Apply for Cyber Essentials here</a></div> Thu, 02 May 2024 15:26:25 +0000 Robyn Quick 16917 at /features/getting-cyber-security-basics-right#comments What cyber dangers do government officials face in 2024? /features/what-cyber-dangers-do-government-officials-face-2024 <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/adobestock_701255529.jpg?itok=5N9SfaC0" width="696" height="348" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>Tom Kidwell, co-founder, Ecliptic Dynamics and former British Army and UK Government intelligence specialist and internet infrastructure security professional for the public sector looks at cyber threats for 2024.</strong></p> <p>The state of the cyber threat landscape became increasingly tumultuous in 2023. The number of attacks increased, malicious threat actors became more indiscriminate in their approach, and governments and public sector organisations have become key targets. But these threats are nothing new. In 2017, Westminster reported that a sustained cyber-attack had impacted the Houses of Parliament, attempting to steal emails of government members. It was claimed by Whitehall officials that the attack was staged by Iran and was later followed up by a separate attack on the Scottish Parliament. And just recently, the UK accused the Russian Secret Service, the FSB, of carrying out hundreds of attacks on politicians, civil servants, journalists, think-tank members, academics and other public sector officials. 
The reality is that 2024 will hold many of the same dangers. However, there will be some worrying differences, particularly for government officials.</p> <p><strong>How has the landscape changed? </strong></p> <p>Cybercrime has become one of the most difficult issues for governments to get ahold of, and devolving foreign relations are only making it more difficult. Conflicts across Europe, Africa and the Middle East have caused an uptick in malicious cyber activity, as warring states look to gain the upper hand on their enemies. Advancements in technologies such as AI and deepfakes are creating yet more problems for organisations and individuals in the public and private sectors, while the entry bar for cybercriminals is at its lowest ever point, with off-the-shelf products giving complete novices the ability to infiltrate environments, encrypt data, and secure ransom payments. All of these factors are being accentuated by a lack of funding for many areas of the public sector. In the United Kingdom, the economy has stalled, with interest rates stagnating at 5.2 per cent. And although spending on cybersecurity from the UK government is in the billions of pounds, this simply isn’t enough to tackle the problem head on. This leaves government officials in a difficult position, and the need for constant vigilance, watertight processes, and increased understanding from a cyber perspective is critical to avoiding more attacks on our national critical infrastructure.</p> <p><strong>What will this year's cyber threats look like for government officials? </strong></p> <p>In 2023, AI transformed from a conceptual technology of the future, to being integrated into almost every walk of life. From healthcare and schooling, to banking and hospitality, every industry is looking to improve its efficiency using AI. However, the rise of AI has opened up yet more opportunities for cybercriminals to exploit. For attackers, finding the path of least resistance is what they thrive on. 
This is why phishing and other low-skill attack vectors are the most common. With AI, it allows criminal groups to automate email campaigns, write malicious code, and clone the language of a brand or person in moments using advanced language models. This makes it easier to carry out attacks, again lowering the bar for entry for attackers.</p> <p>For government officials, identity validation is critical to carrying out their jobs, and remaining secure. However, advancements in the deepfake field are making this increasingly difficult. Deepfakes involve manipulating media, using deep generative tech to clone a person’s likeness, usually their face or voice. This means that criminal gangs can copy the likeness of a government official, let’s say a cabinet minister, and send a video message to a junior minister asking them to open an attachment from an email they just sent through. This attachment could contain ransomware or other malware which steals and encrypts data or gives the attackers access to harvest and compromise sensitive government information from the network. These types of attacks are likely to become increasingly prevalent in 2024, with more and more malicious groups getting hold of deepfake capabilities.</p> <p>In 2024, more than 40 countries will be taking part in elections, with these states making up more than half of the global GDP. More than 3.2 billion people will be heading to polling stations to cast their votes, and while change may represent a positive step in many of these nations, there is a critical cyber threat which must be considered. Starting with Taiwan in January, it is almost undoubtable that China will have an impact on the election. And later in the year, it is just as likely that Russia and China alike will attempt to interfere with the American election. Attackers from these states will look to manipulate voters. 
This will be done using a number of techniques, including targeted social media activity, as well as attempted data breaches on candidates and campaign staff. Attackers will be looking to gain access to potentially damaging material such as personal emails or messages, with the goal of leaking them to the media and swaying public opinion. Deepfakes are also an issue. Malicious groups can use them to create fake media of candidates delivering fabricated speeches or interviews which align them with the wrong side of controversial issues. Due to the quality of video and audio produced by deepfakes, the fakes are almost indistinguishable from reality. This level of interference isn’t new. In fact, the recent UK report which accused the FSB of continuous attacks on the UK public sector, also revealed that one Russian cyber group had stolen data which was linked to the 2019 election and made it public.</p> <p>Global relations are becoming increasingly tenuous. There are conflicts going on in continents around the world, from the Russian invasion of Ukraine to the more recent Israel-Hamas war. On top of this, tensions between superpowers such as China and the United States are continuing to escalate, despite recent promises that they would move forward as friends. These evolving fronts are giving rise to increased cyber activity funded by certain states. For example, it’s impossible for Russia to consider a physical attack on NATO nations, however, cyber-attacks can be much easier to cover up, and still cause huge amounts of damage and disruption. This anonymity is increased when states use private, criminal cyber groups to carry out attacks. In order to avoid blowback and harsh sanctions, states such as Russia commission cybercriminals to carry out attacks on foreign critical infrastructure for them. In return, they offer them refuge in Russia, allowing them to operate as an everyday business. 
Recent reports suggest that these groups have high-rise offices, HR departments, holiday allowances and even flexible working. In 2024 government officials will likely become a target of these groups, funded by foreign governments to cause disruption within the UK government. The next 12 months will be difficult for the UK public sector, and remaining vigilant is critical to minimising the impact of malicious cyber activity. It’s the responsibility of government bodies to ensure their staff are prepared and protected, and that appropriate funding is made available to the public sector to protect themselves. Many criminal gangs are now propped up by nation states, and we can’t allow them to gain the upper hand from an investment, awareness and capability perspective.</p> Tue, 13 Feb 2024 16:08:19 +0000 Robyn Quick 16764 at /features/what-cyber-dangers-do-government-officials-face-2024#comments Breaking down digital trust barriers /features/breaking-down-digital-trust-barriers <div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>Chris Dimitriadis, chief global strategy officer at ISACA (Information Systems Audit and Control Association) on how public sector organisations can protect themselves from cyber threats</strong></p> <p>Public sector organisations in the modern digital economy face an ambitious task in earning – and maintaining – people’s trust. Recent events like high-profile security breaches involving senior government officials, and the ransomware attack on Hackney Council, have fed into a growing distrust in many institutions. 
And with heightened scepticism about how well-equipped organisations are to protect personal data, building a trusted public relationship is more challenging than ever.<br>&nbsp; &nbsp;<br>The only path forward is for organisations to make strengthening digital trust – defined by ISACA as “the confidence in the integrity of relations, interactions and transactions among providers and consumers within an associated digital ecosystem” – a central priority, and to strategically work through all obstacles that could impede this pursuit.<br>&nbsp; &nbsp;<br>What specifically is preventing public bodies from achieving digital trust? According to ISACA’s State of Digital Trust 2022 survey report, the top obstacles are a lack of staff skills or training, lack of alignment of digital trust and strategic goals, lack of leadership buy-in, and lack of budget. Let’s look at each of these areas to see how public bodies can work through these obstacles to achieve digital trust.</p> <p><strong>Lack of staff skills and training</strong><br>Many of the digital trust fields – areas such as cybersecurity, privacy, IT audit, risk management and IT governance – face critical staffing shortages, as the labour supply in those areas often does not keep pace with public sector demand. But in many cases, organisations can find the right employees by being less rigid about criteria for filling these roles. They can then reduce the skills gaps by providing ongoing training and supporting relevant professional certifications while on the job.<br>&nbsp;&nbsp; &nbsp;<br>Organisations also need to strongly promote a culture of collaboration among these professionals. 
Digital trust cannot be achieved with a siloed approach – security and privacy professionals must support each other’s work and ethical considerations related to emerging technology implementations must be considered cross-functionally.</p> <p><strong>Lack of alignment of digital trust and strategic goals</strong><br>Digital trust is so critical for public sector organisations to succeed that it must be baked into strategic goals from the outset, instead of only being considered once goals already have been established. People rightly expect public bodies to demonstrate urgency in putting plans into action but failing to ensure the necessary security measures are in place can undermine commitments to serve the community. Taking process shortcuts in the name of a near-term goal is likely to lead to a long-term problem that could erode trust with the public and key stakeholders.</p> <p><strong>Lack of leadership buy-in</strong><br>While public sector leaders may not understand all the intricacies of the threat landscape or data privacy regulations, they should understand how building and sustaining trust with the public is necessary to achieve their goals. &nbsp;<br>&nbsp;&nbsp; &nbsp;<br>If that is not the case, digital trust champions such as chief information security officers, data privacy officers and risk leaders should engage organisational leaders by communicating in clear, business-focused language what the business risks are of failing to prioritise digital trust.<br>&nbsp;&nbsp; &nbsp;<br>Too often there is a disconnect between organisation leaders and technology functions in the language that they speak. Framing these conversations around building digital trust can be an effective way to bridge that divide and gain leadership buy-in.</p> <p><strong>Lack of budget</strong><br>Prioritising digital trust inevitably requires a significant investment in staffing, tools and ongoing training and professional development for employees. 
While the public sector is often burdened by budget constraints, the risks of failing to make the necessary security investments must be carefully considered.<br>&nbsp;&nbsp; &nbsp;<br>Public sector organisations are an attractive target for cyber criminals due to the sheer volume of personal identifiable information they hold. And while the tactics employed by bad actors are becoming more sophisticated, many organisations are increasingly at risk due to outdated technology, systems, and processes. As we have seen in the fallout of the ransomware attack on Hackney Council, huge investments in time, money, and resources are required to recover from such an incident, but budgets can be better managed when proactive steps are taken in anticipation of threats.</p> <p><strong>Overcoming the obstacles</strong><br>While there is much progress to be made, each of the above obstacles can be addressed through commitment from public sector leaders and a renewed commitment to cross-functional collaboration.<br>&nbsp; &nbsp;<br>Without earning and preserving trust from the public and other stakeholders, no amount of digital innovation will be enough for modern enterprises to remain competitive. 
Whatever factors might currently be holding organisations back from driving toward digital trust must be identified and overcome to set a foundation for sustainable success.</p> Tue, 03 Oct 2023 12:00:31 +0000 Freya 16570 at /features/breaking-down-digital-trust-barriers#comments How can government officials stay protected against ‘hack-for-hire’ cybercriminal gangs’ /features/how-can-government-officials-stay-protected-against-%E2%80%98hack-hire%E2%80%99-cybercriminal-gangs%E2%80%99 <div class="field-item even"><img typeof="foaf:Image" src="/sites/default/files/styles/696x462_content_main/public/cyber_lock_2.jpg?itok=wr5VZIjj" width="696" height="464" alt="" /></div><div class="field-item even"><a href="/features/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><p><strong>By Tom Kidwell, Co-Founder, Ecliptic Dynamics and former British Army and UK Government intelligence specialist and internet infrastructure security professional for the public sector</strong> The cybercrime industry has been growing at a staggering rate in recent years, with organisations and individuals across every sector affected. The Government has been put on high alert from potential state-backed cyberattacks as political tensions continue to rise, including possible threats upon the safety and security of politicians and national critical infrastructure. And, recently the Government announced a new strategy to protect the NHS from cyberattacks. Some of the most notable attacks include the NHS 111 attack that occurred last year, which crippled emergency services across the health service, and the phishing attack on Scottish MP, Stewart McDonald, back in February 2022, which publicly exposed his private work emails. In addition to this, a sting operation recently revealed that Indian hack-for-hire gangs were targeting UK politicians. 
These are just a few examples of how threat actors are preying on the public sector which is expected to increase year on year. A recent report found that nearly 47 per cent of data breaches in the public sector weren’t discovered until years after the initial attack, and the overall cost of cybercrime to businesses is set to reach $10.5tn a year by 2025, making it one of the largest economies in the world, and one of the most lucrative types of crime globally. For government officials or other public sector professionals, the hack-for-hire groups will be of particular concern. Often cyber groups adopt a ‘get in where we can’ approach, using simple attack vectors such as phishing. They target whoever they can with fake emails and communications, hoping someone, usually on a company work device, will open a link, installing ransomware or other malware. However, these hack-for-hire groups are incredibly targeted, not only going after specific organisations, but specific people within them. And on top of this, due to current conflicts around the world, foreign states are becoming increasingly involved in cybercrime, with many commissioning malicious activity against other countries; again, placing a target on the back of government officials. So, government professionals need to know how to protect not only their organisation, but also themselves. Here are a few of the best practices professionals can implement to keep themselves secure: <strong>Two Factor Authentication (2FA) </strong> 2FA is probably the most effective cybersecurity practice that can be instantly implemented. It is an access management control method, which forces users to provide two forms of identification to access a network, environment, account, or data set. The concept is centered around having something you know (username and password) and something you have (a code or token on your mobile). 
This means that even if a malicious hacker compromises your work email login credentials for example, they still need access to the unique authentication code that is sent to your trusted device. <strong>Check suspicious links </strong> Even if an email comes from a trusted sender, there’s always the possibility that they themselves have been breached, and the link you’ve just received from them is malicious. As with many walks of life, government officials should trust their gut when it comes to cybersecurity. Does something seem off? Is this a strange email to receive from this individual? Have they used your full name, when they normally use a shortened version? If you’re thinking about these things, always check the link. You can do this using phishing tests or link scanners, however sometimes an even easier way is to pick up the phone and verify the communication with the sender. In some ways this is similar to 2FA. <strong>Isolate your sensitive work </strong> Malicious hackers will likely be looking to access your work communications or data, sometimes targeting something specific for the purpose of blackmail or extortion. That’s why it’s crucial to keep more sensitive information and data isolated. This can be done using a different device, or segmenting your data, implementing different access pathways for each part of it. It’s also important to ensure that when browsing the web, or opening sensitive communications, your work device is also protected. Using ‘virtual machines’ or web isolation platforms means that if you do click on a malicious link, or accidentally download an infected asset, all of the risk is contained, with the software and IT provider absorbing the risk and removing it from the user and their organisation. 
What’s more, with web isolation platforms, the user has zero footprint online as the virtual computer is rebuilt entirely from scratch, daily, destroying any viruses – malware, trackers and online activity related to the user’s work, making it almost impossible to track a user online, leaving government officials to go about their work freely and safely. The public sector remains a top target for cyber gangs, mainly due to the highly valuable and sensitive data it holds, and the vital role public sector officials and organisations play in society. A crippling attack on critical public infrastructure is a real risk, especially with geo-political tensions high since the war on Ukraine. Despite this, there are steps government workers can take to protect themselves and the organisations they represent. 2FA, checking suspicious links and isolating your work are key, however, to enable these things to happen means ensuring that government workers are cybersecurity savvy, trained in knowing what cyber defence procedures to follow. Organisations should have proper governance and control measures in place for officials to abide by as well as an incident response plan to observe, should a breach occur. It’s a three-step approach – People, Processes and Technology – and following those will help to keep your government officials and organisation secure.</p> Wed, 26 Apr 2023 08:40:28 +0000 Freya 16368 at /features/how-can-government-officials-stay-protected-against-%E2%80%98hack-hire%E2%80%99-cybercriminal-gangs%E2%80%99#comments