It was recently announced that the Welsh Government was making it mandatory for new contracts, where the supplier had ‘moderate' to ‘high' levels of risk, to be Cyber Essentials accredited - a certification which allows businesses to demonstrate to their customers, insurers and suppliers that they have implemented the necessary security controls to manage their cyber risk.
But surely this only applies to 'digital' businesses? Recent evidence proves that is not the case.
In December 2014 details emerged of a significant cyber attack at a steel mill in Germany, ensuring failure of some of the plant and then removing control from the operators to force the fast shut down of the furnace which in turn caused 'massive' damage.
Although unusual in its nature, the attack started using simple methods in the company’s email system, but once these emails were opened it allowed the attackers to exploit the connections between the office and production systems to cause havoc and take control of then plant.
Details as to the extent of the damage were not revealed, but that is not unusual as most organisations will not want to reveal that they have been penetrated.
Methods do not have to be so aggressive though.
Brian Lord, who spent 21 years at GCHQ, finishing as their deputy director for intelligence and cyber operations, spoke at a recent Digital Tuesday after become managing director of PGI Cyber.
Although commercial confidence prevented him from revealing the exact detail he outlined two recent incidents to which they had responded.
In case A the attackers sat within a company’s email system monitoring all email traffic and gaining a detailed knowledge of all of the staff. During a routine financial transaction one party informed the other of a change of bank account details. The email looked like it had come from the correct email address, was in the normal format and referred to personal details of recent family events which made it look totally plausible and therefore the change was made.
It was only 24 hours later that it came to light that the email was false, £10m had been transferred to the fraudulent account and the money was gone.
In case B a company had taken significant steps to protect its key computer systems, but had forgotten it had a link to allow their food supplier to access their canteen system. The food supplier had very low levels of protection and the attackers penetrated this route to access all of their client’s systems.
Costs to address these issues do not have to prohibitive.
Mark Edwards, of Capital Network Solutions, recently commented at Digital 2015 that he felt the Cyber Essentials' standard is a simple, low-cost and very effective set of controls that will protect against up to 80 per cent of Cyber Threats.
And with a variety of Government organisations making this a mandatory requirement, achieving this certification could differentiate you when you are trying to win new business.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here