Threat Intelligence Blog

Contact us to discuss any insights from our Blog, and how we can support you in a tailored threat intelligence report.

Black Arrow Admin

Different Cyber Frameworks Explained, and why they matter - Cyber Tip Tuesday Video

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Tony is talking about different cyber frameworks and standards, and the different strengths and weaknesses of each.

If a firm were to try to think through everything it needs to cover when it comes to cyber and information security, it would take a long time and key components would very likely be missed. The hard work, or at least some of it, has been done for you through a number of different frameworks and standards which, to varying degrees, cover all the things a firm needs to think about.

The first, and probably the most well known on the Island, is the Cyber Essentials or Cyber Essentials Plus scheme. It is backed by the British Government and is intended to be the first step on a journey into cyber maturity, rather than the destination.

It only covers basic technical controls and crucially falls short of the expectations being set by the GFSC in the new cyber rules.

When I conducted the cyber thematic review for the GFSC it was clear that the majority of firms had gaps when it came to monitoring and detection. If you have no visibility of what is going on against your network, you cannot see attacks that are happening or have happened, and you are blissfully none the wiser.

That takes me on to the second framework, NIST, an international standard and the most widely used amongst firms further along their cyber maturity journey, and certainly the most widely used across larger and multinational organisations.

Adherence or compliance with the NIST standard is at the core of the new GFSC cyber rules, and the GFSC will be looking for evidence that regulated firms are covering the five pillars of NIST: Identify > Protect > Detect > Respond > Recover.

Covering all of these areas will provide firms with much better visibility and oversight than many firms currently have in place.

The third standard is ISO27001. This is often considered to be the gold standard, and one that few firms on the Island have achieved, because attaining the accreditation requires more of an investment both in time and in the processes and supporting arrangements that need to be in place behind the different policies.

This is all about increasing the maturity and capability of firms in the hopes that nothing bad happens to them.

Many firms unfortunately do not recover from a significant cyber incident, and that includes some very large firms as well as many smaller firms. Even if the firm does survive, it will very often cost a lot more to recover than it would have cost to prevent the problem from happening in the first place.

We can help any firms that want to explore their options when it comes to looking at which of these are best for them and where they are on their journey.

Black Arrow Admin

Phishing, Spear-Phishing, Whaling and Business Email Compromise (BEC) explained - Cyber Tip Tuesday

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Bruce is talking about phishing emails, including Business Email Compromise or BEC.

Many of you will be familiar with receiving phishing emails that, for example, encourage you to click a link to unblock your PayPal account, or encourage you to respond to an urgent message.

Although you still see that type of email, they are being replaced by much more sophisticated versions that are addressed specifically to you. These encourage you, by name, to look at an attached document or to contact the sender for a private discussion.

If you click on the attachment it will try to download malware, or if you reply to the sender then you will be starting a correspondence that will likely lead to you being duped into a later harmful activity. These personalised types of emails are called spear phishing, and they have become more prevalent because the software to create them is more easily available online and so they require less work by the attacker.

A variation of spear phishing is when the attacker targets the senior leadership in an organisation because those targets have more valuable information on their computer, and they are likely to have more wealth to exploit. This is called whaling, and again they take a bit more effort on the part of the attacker, but the rewards can be greater.

Another type of email attack is called Business Email Compromise, or BEC.

In this case, someone’s email account is broken into, and the attacker monitors the emails while the email owner is unaware. Then, at an opportune moment, the attacker will send an email to the victim with an instruction such as to use alternative bank account details for a payment. The payment goes straight to the attacker instead of the correct recipient, and the victim does not find out until it is too late.

You cannot rely on technology to stop these kinds of attacks.

You need strong people controls, where everyone should be suspicious of email and aware of the types of possible attacks.

The best thing to do is to contact the supposed sender of the email to ask them to confirm that they sent you that email before you open it. And if you are suspicious of an email from someone you do not know and you cannot contact them, then you might want to delete it; if it is a genuine email then the sender can contact you again.

If you'd like to know more about how you can protect yourself or your company, have a look at the information on our site, blackarrowcyber.com, and contact us to see how we can help you.

Black Arrow Admin

Why you need a CISO - Cyber Tip Tuesday video

Why You Need a CISO?

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week I'm talking about why firms should think about having a CISO.

Information security is a wide and complex subject and it would be wrong for us to pretend otherwise.

There are lots of different specialisms and it takes many years to become an expert. No one is expecting board members to become cyber experts, but Boards will need to ensure they have access to expertise in this area.

Ultimately this comes down to being able to pull a lot of things together: managing risks and controls, taking appropriate steps to secure the technology in use across the organisation, managing the different tools and vendors, managing supply chain risks, dealing with legal and compliance requirements, ensuring users are trained and kept abreast of the latest threats and tactics, monitoring the output from whatever detection capability is in place, responding to incidents, spearheading recovery efforts, and a lot more, all the while communicating with the Board in language they understand, aligning security with business goals and objectives, and helping the business to grow securely by adopting and adapting to new technologies and new challenges.

Ultimately it is the role of the CISO to provide strategy, leadership and governance to the Board.

If you don’t have this expertise in house you will probably need to bring this function in from outside your organisation.

We can provide a virtual CISO for your organisation, fully scalable depending on your needs, and by employing a corporate CISO you get a whole team’s worth of skills and expertise.

You can give your clients the assurance they need by telling them you appreciate how big a risk cyber threats are, and that in order to address these risks you have unrivalled world class experts from British Intelligence, Law Enforcement, Government, Big-4 Advisory, FTSE100, Global Financial Services and the GFSC, working to protect them, and to keep their data and their assets safe - safeguarding your own data, assets and reputation in the process.

Black Arrow Admin

Is Just Purchasing Cyber Security Tools Enough? Cyber Tip Tuesday Video

Welcome to this week's Cyber Tip Tuesday. This week James talks about how purchasing security tools does not in itself increase security.

It’s fair to say that there are plenty of things you can do for little or no cost that will greatly decrease your attack surface or increase your security posture.

With the sheer number of products on offer promising a complete solution, it’s easy to fall into the trap of wanting a quick fix for security.

However, simply purchasing a product is unlikely to offer any benefit without appropriate configuration or in many cases the expertise to interpret the output.

A good example is Microsoft 365 which offers many passive security features as well as some of the most accessible and competitive security tools on the market for businesses of all sizes.

However, in order to take advantage of these features they must first be configured and then maintained and monitored with oversight by a security specialist.

Security is not a tool or even a collection of tools but a mindset of deliberate and regular actions.

If you'd like to know more about how you can protect yourself or your company, contact us today.

Black Arrow Admin

New Cyber Rules just released by the GFSC - and how Black Arrow can help you become compliant

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Tony is talking about the new cyber rules that the GFSC have just released, which are now in force for regulated financial services firms in the Bailiwick.

The GFSC have now released the new cyber rules, and all regulated financial services firms will need to be able to demonstrate compliance with these new regulations.

The regulations are built around compliance or adherence to the internationally recognised NIST cyber security framework and the five pillars contained therein, being identify, protect, detect, respond and recover.

We can assist any firm by producing a gap analysis against the NIST standard, and therefore the GFSC rules, to identify any areas of non-compliance or areas where firms will need to bolster their existing security arrangements.

Remember that cyber and information security encompasses a lot more than just IT; it requires a holistic approach across people, operations and technology.

Leaving this solely to your IT team or IT provider likely won’t provide the coverage the GFSC now expects from firms.

Remember too that a proactive approach should always be about preventing an attack or breach. Many firms do not survive a significant cyber event, and for those that do, recovery invariably costs a lot more than it would have cost to put appropriate controls in place to prevent the breach happening in the first place.

Boards are expected to show good governance over cyber and information security as they would be expected to do with any older and longer established risks.

It is clear from the new rules that the GFSC also agree that the responsibility for cyber and information security clearly sits with Boards, not IT.

Talk to us today to see how we can help you demonstrate compliance or become compliant with the new GFSC cyber rules.

Black Arrow Admin

Is Just Purchasing Cyber Security Tools Enough? - Cyber Tip Tuesday

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week James is talking about how purchasing security tools does not in itself increase security.

It’s fair to say that there are plenty of things you can do for little or no cost that will greatly decrease your attack surface or increase your security posture. With the sheer number of products on offer promising a complete solution, it’s easy to fall into the trap of wanting a quick fix for security. However, simply purchasing a product is unlikely to offer any benefit without appropriate configuration or, in many cases, the expertise to interpret the output.

A good example is Microsoft 365 which offers many passive security features as well as some of the most accessible and competitive security tools on the market for businesses of all sizes. However, in order to take advantage of these features they must first be configured and then maintained and monitored with oversight by a security specialist.

Security is not a tool or even a collection of tools but a mindset of deliberate and regular actions.

If you'd like to know more about how you can protect yourself or your company, contact us today.

Black Arrow Admin

The Risks Posed by Home Routers - Cyber Tip Tuesday video

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week James is talking about the security of home routers. A recent study in Germany of 127 home routers from 7 different brands, including D-Link, Linksys, TP-Link and Zyxel, found that almost 60 percent of models hadn't had a security update in over a year and most were affected by hundreds of known vulnerabilities. On top of that, they found that vendors were shipping updates with no fixes for critical vulnerabilities that have been known about for many years, some of which are even observed being actively exploited. Most routers are based on a Linux operating system, which is patched and maintained regularly, but the home router manufacturers are choosing to use old and known-vulnerable versions of the operating system without sending updates to customers' devices.

The lesser of the evils seemed to be Asus and Netgear, who both applied more security fixes more frequently, but another recent study found that 79 of Netgear's routers have a critical security vulnerability, present since 2007, that would allow a remote attacker to take complete control of the device and the network behind it. With the increasing popularity of home working it is essential that both individuals and firms take into account this increase in attack surface and apply appropriate controls and mitigations to prevent their data and their clients' data from being captured by malicious third parties.

When approached correctly, home working can provide significant benefits to productivity without compromising security. Speak to us today to find out how you can achieve this.

Black Arrow Admin

Cyber and Information Security is more than IT - Cyber Tip Tuesday

Cyber security and information security is not an IT issue. Sure, IT is a big part of it, but whether you have IT in-house or outsource your IT, cyber security extends far further than just sitting within IT.

You need to ask yourself whether your Board is able to make effective decisions about cyber security. Does it understand all this stuff? Is your Board educated in the different threats, and the different countermeasures? What about your people controls?

Attackers very often go after your people as a weak entry point into your organisation, rather than trying to break in via your technical infrastructure. How well protected are your people? Do you have robust policies and procedures in place?

Many firms ignore the human layer, where the biggest vulnerabilities exist, and many firms are failing in exercising good governance over their cyber and information security risks.

We can help to make sure all of your bases are covered, not just your IT, but people and governance too, to help you defend your organisation against one of the biggest risks to your business. Contact us today.

Black Arrow Admin

The Board, not IT, is responsible for Cyber and Information Security

Welcome to this week's Black Arrow Cyber Tip Tuesday.

In our articles in Business Brief magazine and the Guernsey Press, we have consistently highlighted that the Board, not IT, is responsible for Cyber and Information Security.

The financial services regulators in the Channel Islands have also made that very clear.

The GFSC has warned that “Cyber and information security should be taken seriously by the Board and included along with more established risks within a firm’s overall strategy for risk management”.

And the JFSC has told businesses that “As a registered person, the Codes of Practice require you to understand and manage risks, including cyber-security risks, which could affect your business or customers”.

There is no room for misunderstanding there.

So, if a cyber incident happened, the Regulator would say to each Director “show us the evidence that you had taken cyber and information security seriously. Show us that you had understood and managed your risks properly, just as we had warned you to do”. 

If you are a Director, including a Non-Executive Director, and you had to get that evidence ready for tomorrow morning, would you be able to?

To be clear, it would not be appropriate to say that you handed it over to IT and thought they had sorted it.

Our Black Arrow website contains videos and articles that help Directors understand the basics of cyber and information security.

It is really important that the Board should be an educated customer of cyber security providers, including any outsourced IT providers, to be able to scrutinise and challenge what they are being told. You don’t need to be an expert, but have a good understanding of the basics, and your independent trusted advisors can support you on the details.

Have a look at the information on our site or contact us to see how we can help you achieve what the regulators require of you.

Black Arrow Admin

What is the Functionality, Usability and Security triangle?

We explain one of the core concepts of information security, the functionality, usability and security triangle, and why getting the balance between the three points is so important.

Black Arrow Admin

What is the CIA Triad? You've probably heard it mentioned, but what is it, and why do you need to know it? - Cyber Tip Tuesday video

What is the CIA Triad?

In any conversation you may have been involved in relating to cyber or information security you may have heard reference to the 'CIA triad', but what exactly is it, and why do you need to know what it represents?

Black Arrow Admin

The Most Effective Phishing Lures - which ones will you fall for...?! Cyber Tip Tuesday video 15 September 2020

Welcome to this week's Black Arrow Cyber Tip Tuesday. This week Tony is talking about the most effective phishing lures.

Which phishing email subject lines or hooks are users most likely to fall for?

Phishing emails often have a sense of urgency attached to them to get users to react without taking time to think or assess whether the email is genuine, but there are also subject lines that are more likely to trick users.

Anything where the user thinks they may be about to lose something they have earned or are entitled to can be effective, so things like a change or reduction in pay or benefits, a reduction in holidays, or a loss of airmiles or hotel loyalty points are all effective lures.

Anything involving threats of criminal action, courts, or implying you will incur a cost or charge for not complying is also effective, especially when combined with the sense of urgency.

Make sure your users are aware of the most effective lures and are continually honing their ability to spot phishing emails with rolling testing.

Black Arrow Admin

Lessons from Charities and Upcoming Charities Workshop this Thursday

Welcome to this week's Black Arrow Cyber Tip Tuesday.

This week, Black Arrow will host a workshop on cyber security for charities. This is part of our pro-bono work with charities and the Guernsey Community Foundation.

As research, we have worked with a few charities to look at their main information and cyber security risks, and the solutions that they can implement either free of charge or at low cost.

We have seen that a charity is effectively a small business, where the team uses information that needs to be safeguarded. But a charity’s information can be very confidential where it relates to the health or private lives of its members.

The charity’s team, including employees and volunteers, might not be aware of information security or be at ease using technology. For example, employees and volunteers often receive sensitive information at home using their own computer, and then download it onto that computer and print it out to take with them when visiting the member.

There is sometimes no control over what happens to that sensitive printed document and how it is stored or disposed of.

Equally, the charity’s employees and volunteers need to be alert to the risks of using online technology and the tactics of criminals who try to get access to their computer and information.

At the workshop, we will be looking at these risks and ways to improve information and cyber security at no cost or low cost. For more information, visit the Guernsey Community Foundation website or our website blackarrowcyber.com. And contact us if you would like to be part of our pro-bono work.

If you are a charity and would like to attend Thursday's free workshop, email joni@foundation.gg to book your place.
