
Navigating the Cyber Security Landscape

Find out how we can help your organisation: call 0845 119 9911

Introduction
Cyber-crime is a global phenomenon which affects everyone, from individuals and employees to
small and large organisations and across all sectors. This includes fraud, identity theft, phishing,
hacking, malware and distributed denial of service (DDoS) attacks. These attacks are increasingly
in the media as they become larger and more prevalent.
Just consider the frequency of cyber attacks — according to the PwC Global State of Information Security Survey 2015, the rate of
detected security incidents increased 66% year on year since 2009, with 42.8 million incidents detected in 2014, which equates to
117,339 attacks per day¹. In the 2016 report², detected incidents were up 38%, with theft of intellectual property up 56% from 2015.

Not only has the frequency of attacks increased, so too has the cost of managing and
mitigating breaches. Research suggests that the online security industry will grow at
a rate of 8.3% until 2021³. To put that into perspective — globally, businesses spent
approximately $75 billion on online security in 2015⁴.

For organisations, however, the investment goes beyond bolstering defences; the
estimated reported average financial loss from cybersecurity incidents around the
world in 2014 was $2.7 million – a 34% increase on the 2013 figure⁵. In the UK alone,
cybercrime cost businesses more than £1 billion in 2015⁶.

In basic terms, cyber security is the body of technologies, processes and practices
designed to protect networks, computers, programs and data from attack, damage
or unauthorized access.

Attacks can be either random – almost drive-by – or targeted, but they are happening
constantly. In order to ensure these attacks are not successful, controls need to be in
place either under a formal information security management system (ISMS) or a more
informal approach.


One of the most problematic elements of cyber security is the quickly
and constantly evolving nature of security risks. The traditional approach
has been to focus most resources on the most crucial system components
and protect against the biggest known threats, which necessitates leaving
some less important system components undefended and some less
dangerous risks not protected against. Such an approach is insufficient
in the current environment.

Many firms now place cyber among their leading risks in terms of the
likelihood and severity of impact. Data loss, business interruption
and theft of intellectual property are some of the greatest consequences
of an attack, with the impact being dependent upon the industry,
risk profile, and size of a particular firm. There is a growing concern
with the physical damage impacts of cyber-attacks (whether indirectly
or directly), given the increasing connectedness of assets to the internet.
Cyber is rightly considered by firms to be a dynamic risk which pits them
in an “arms race” against those seeking to cause harm. This is likely to
keep cyber risk as a standing item on their agenda.

We are also seeing the increased commitment by government to
bolstering the defences of UK business and making the environment
a safe one in which to do business. This includes the recently announced
National Cyber Security Strategy by government, along with an allocation
of £1.9 billion to fund it until 2020. Still in its infancy, the plan aims
to protect citizens from spam and malware by limiting these types of
emails, strengthening the cybercrime unit within the National Crime
Agency, and setting up a research institute to address device security⁷.

The purpose of this handbook is to provide an insight into
cyber security: what it is, the risks, the impacts to your business
and the starting point for ensuring those risks are mitigated from both
a commercial and a technological stance.

Industry mitigation response
So, where do you start with cyber security? One part is to understand
something about the attacks themselves. The majority of incidents
faced by an organisation are the random probes from low-skilled
attackers or automated tools looking for well-known vulnerabilities
in people, processes and technology. These attacks are the easiest
to prevent. However, those conducted by skilled attackers against
specific targets are the hardest to defend against; and advanced
persistent threat (APT) attacks are the most difficult to avert.

You know you need to protect your organisation, but how is this achieved? The answer
is simple: start by implementing controls that are based on agreed best practice. As with
all simple answers, it is actually often not that simple. You have to identify those best
practices and then implement them within your organisation so they are part of your
daily routine or ‘business as usual’ (BAU).

Standards such as Cyber Essentials, Cyber Essentials Plus and the IASME Governance standard –
all certifications offered by Pulsant – are based on best practice, so are ideal indicators of
effective cyber security mitigation controls.

Cyber Essentials: Your First Line of Defence
As part of a drive to get the country protected from cyber threats,
the UK government created the Cyber Essentials scheme as
the lowest rung on the cyber security ladder. The scheme was
developed by organisations such as CESG, IASME, CREST and
others. It is designed to help protect organisations from the threats
posed by low-skilled attackers and automated tools by ensuring
basic hygiene controls are implemented.

It is not the silver bullet to defeat all cyber threats, but all the controls within
it are the foundation of all measures to protect you and your organisation.

It concentrates on five key controls:

1. Boundary firewalls and internet gateways — these are devices designed
to prevent unauthorised access to or from private networks, but properly
setting up these devices either in hardware or software form is necessary
for them to be fully effective.

2. Secure configuration — ensuring that systems are configured in the most secure way
for the needs of the organisation.

3. Access control — ensuring only those who should have access to systems do have
access and at the appropriate level.

4. Malware protection — ensuring that virus and malware protection is installed and
up to date.

5. Patch management — ensuring the latest supported versions of applications are
used, and that all necessary patches supplied by the vendor have been applied.

The scheme focuses on internet-facing systems because they are more exposed. Equally,
the people within your organisation are also directly exposed to attacks from the internet
as they browse the web and receive emails.

In essence, Cyber Essentials addresses about 80% of the most common cyber threats.
Once in place, it then provides the ideal base from which to further assess how to protect
your business from the remaining 20% of threats by enabling you to confidently assess
which information needs to be protected and which additional controls are needed to secure
your environment.


The Road to Certification


Pulsant is a qualified assessor — through government-appointed
accreditation body IASME — and is able to certify your organisation
in the above cyber-security certification schemes, all of which are now
a prerequisite for many government tenders, cyber insurance policies
and compliance, such as the GDPR⁸.

Pulsant operates a structured certification scheme. Using questionnaires and working
with you to define the scope of applicability of the certification, we can rapidly assess
what is required to be implemented within your organisation to ensure compliance
and certification.

For most SMEs, the scope will be the whole of the organisation; larger organisations,
meanwhile, generally want to certify part of the business, such as a division or a single
company within a group. This is permitted as long as the in-scope entity has sufficient
network segmentation and management responsibility from the rest of the business
to meet the requirements defined in the scheme.


Why get Cyber Essentials certified?
• Demonstrate to customers and suppliers that your business has implemented government-recognised
• Gain competitive advantage by achieving and maintaining your accreditation
• Have confidence that mitigating controls are in place to protect your most valuable information assets

The consequences
Telecommunications company TalkTalk experienced one of the
biggest data breaches in 2015 — attackers used DDoS⁹ to steal an
estimated 4 million customer records from the company. In addition
to the negative impact the breach had on customer loyalty, brand
reputation and the bottom line, TalkTalk was also fined £400,000 by
the Information Commissioner's Office for failure to implement basic
cyber security measures, which led to the attack¹⁰.

Now, skip forward to when the new data protection framework is
implemented; the GDPR will see organisations paying steep fines for
any loss of data. Businesses could, potentially, be looking at paying up
to 4% of their global annual turnover, which is a stark reminder of the
importance of having the right protection mechanisms and controls in
place. And even though the UK has voted to leave the European Union
(EU), the GDPR will still apply to all organisations doing business in the
EU regardless of where they are based¹¹.


The Pulsant approach to cyber assurance
As an accredited assessor, we can help you achieve
your Cyber Essentials certification successfully,
and provide a strategic plan for you to maintain
controls and re-certify annually.

Here’s how we do it:

1. Define scope and identify information assets
This is the most important part of the process
in which we determine and define the exact scope
of the review, identifying what needs to be included.

2. Rapid outcome Cyber Essentials review
We assess the scope against the requirements
of Cyber Essentials to identify any gaps and make
recommendations for remediating these gaps.

3. Remediation and certification
Based on our recommendations, we can remediate
or help you close the security gaps before completing
the certification assessment.

4. Information risk management
Cyber security is not a one-off activity but
an ongoing one that requires the right controls.
Based on our assessment of your organisation,
we help you develop a risk management framework
which gives you the controls to not only maintain
certification, but demonstrate the effectiveness
of those controls.


Next steps
There are two more options for those seeking even more
comprehensive cyber assurance certifications. First, there’s Cyber
Essentials Plus, which focuses on all of the above and includes an
additional internal scan and an on-site assessment. Those looking
to qualify for Cyber Essentials Plus must have completed Cyber
Essentials within the last three months.

Secondly, there’s the IASME Governance standard, which was developed over several
years to create an affordable and achievable alternative to the international standard,
ISO 27001. This is designed exclusively for smaller companies and allows them to reap the
benefits of a cyber-security certification, especially with the introduction of the General
Data Protection Regulation (GDPR) fast approaching.

Conclusion
A cyber security strategy is essential. As part of this strategy,
implementing a risk framework which is ongoing and evolving,
changing in line with your business growth, shifts in operations and
technologies, and, most importantly, adapting to the ever-moving
cyber threat landscape, is fundamental in mitigating a business’s cyber
security risks. There’s no disputing the importance of such a strategy.
Demonstrating you are dedicated to preventing attacks is critical to
maintaining customer trust, protecting revenues and, in some cases,
meeting regulatory compliance.

However, for many organisations, getting to the stage where they have
a fully-fledged strategy in place, one that can be updated and changed,
is the major stumbling block.

As more cyber attacks are brought into the public’s line of sight, there
is the dawning recognition that a cyber incident is inevitable. Along
with this recognition comes the allocation of resources and budget to deal
with the threat. But for many organisations, large and small, there is a
gap — either in terms of skills required, expertise needed, or support from
senior executives to spend the required budget. Coupled with that is the lack
of understanding of just which parts of their organisation have to
be protected.

In addition to having a certification to start with, there is also a strong
case to be made for working with a service provider with the requisite
skills and resources that can supplement your own and work with you
to create a risk management framework that forms the core of a
long-term, continuous strategy that enables you to maintain Cyber Essentials
certification, while demonstrating that the security controls are working.


About Pulsant
Pulsant is a leading provider of hybrid cloud
solutions, professional services and managed
services, all underpinned by highly resilient
networks that support more than 4,000 mid-tier and
enterprise customers from our 15 UK data centres.

Our services are powered by enterprise-class technology,
delivered by exceptional engineers who create comprehensive
and innovative hosting solutions that deliver value to our customers.
Our consultative approach ensures we design and build flexibility
within our delivery model that adapts as your business grows.

We deliver comprehensive support, ensuring access and availability,
delivered 24/7 from our UK-based operation centres. We are
specialists in managing business critical data, through our highly
secure datacentres, which are all ISO 9001, ISO 14001 and ISO 27001
accredited, Cyber Security Essentials and CSA Star accredited for
cloud security.

For more information, please download or
request the Cyber Security Essentials Brochure
from www.pulsant.com/cyber-essentials


Cyber Security Essentials

Review
• Gap Analysis against controls
• £9,400 fixed price

Remediation
• Close gaps

Annual Review
• Implement control framework
• Annual certification

Upgrade anytime

Cyber Security Essentials Plus

Review
• Gap Analysis against controls
• External systems vulnerability scan
• Internal systems vulnerability scan

Remediation
• Close gaps
• Re-test to confirm gaps are remediated

Annual Review
• Implement control framework
• Annual certification

Sources

1. http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
2. https://news.sap.com/pwc-study-biggest-increase-in-cyberattacks-in-over-10-years/
3. http://www.prnewswire.com/news-releases/cyber-security-market-to-grow-at-cagr-83-till-2021-says-techsci-research-report-590704471.html
4. http://www.forbes.com/sites/stevemorgan/2016/03/09/worldwide-cybersecurity-spending-increasing-to-170-billion-by-2020/#220e15fa76f8
5. http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
6. http://www.computerweekly.com/news/450298242/Cyber-crime-cost-UK-business-more-than-1bn-in-the-past-year
7. http://www.bbc.co.uk/news/technology-37821867
8. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415354/UK_Cyber_Security_Report_Final.pdf
9. http://www.ft.com/cms/s/0/9bfb4e72-7965-11e5-a95a-27d368e1ddf7.html#axzz4I9ErCkEI
10. http://www.itgovernance.co.uk/blog/talktalk-fined-400000-for-failing-to-take-basic-cyber-security-measures/
11. http://economia.icaew.com/news/april-2016/business-faces-huge-fines-under-new-dp-rules

Challenge Pulsant to fulfil your
business aspirations…

Contact Routes
Sales
Available: 9am - 5pm Monday – Friday
Telephone: 0845 119 9911
Email: sales@pulsant.com

Accounts
Available: 9am - 5pm Monday – Friday
Telephone: 0845 119 9999
Email: accounts@pulsant.com

Consulting Services
Available: 9am - 5pm Monday – Friday
Telephone: 0845 119 9933
Email: PS_Admin@pulsant.com

Find out how we can help your organisation,
call 0845 119 9911 or visit www.pulsant.com

Cadogan House, Rose Kiln Lane
Reading, RG2 0HP
info@pulsant.com
pulsant.com
