Cyber security solutions – Finding the best advice for security installers
Businesses and other organisations face an ever-evolving range of cyber-crime threats, placing an increasing focus on effective cyber resilience strategies. But where can they and their security installers turn to for best practice guidance in this fast-changing environment?
Malicious cyber activity threatens public safety and increasingly needs to be addressed as part of a wider security strategy alongside other risks, including physical attacks such as burglary and other crime. The rise of connected devices and the trend towards equipment interoperability via communication networks raises the vulnerability of security measures to external cyber-related risks.
In recent years high profile incidents have demonstrated the potential perils of our rising digital dependence. A 2018 data breach affecting more than 400,000 British Airways customers’ personal and credit card data, when insufficient security measures against hackers compromised security, led to a subsequent £20 million fine from the Information Commissioner’s Office. In 2022 a cyber-attack on an NHS software supplier caused widespread outages across the health service, while in January 2023 Royal Mail fell victim to a ransomware gang targeting its international shipping of parcels and letters.
Assessing the threat
Organisations like Royal Mail have well-established resources to handle such situations, but smaller businesses and organisations may not be able to bounce back from an attack of this nature for a considerable time. The related cost implications must be added to trading interruptions and reputational damage, with possible longer-term harm to customer confidence negatively affecting business.
The National Cyber Security Centre (NCSC, part of GCHQ) warned in April that small and medium-sized organisations are also prey to an assessed rising threat from irresponsible use of commercial hacking tools over the next five years, leading to more victims of cyber attacks. There is already a one in three chance of a UK business experiencing a cyber breach, the NCSC reports, underlining the need for organisation managers, business owners, and security installers to mitigate such risks by taking preventative and planning steps.
Cyber security entails protection against threats including phishing attempts, ransomware, cryptojacking, trojan horses, password infiltrations and malware attacks. Security system installations are vulnerable to cyber attacks in a number of ways, ranging from an engineer’s potentially compromised laptop being plugged in to a network through to breaches of a customer’s firewall, or a remotely operated site camera reliant for its functionality on an unsecured third-party network.
Cyber security: an oxymoron?
Given the scale of the challenge involved in providing full protection, cyber security could be considered an oxymoron: it’s therefore more realistic to adopt a multi-pronged approach of preventative protection alongside planned measures if, or when, an attack is successful. This involves combining strong cyber defences against malicious threats, enabling most attacks to be thwarted and minimising the impact of any that penetrate, with bolstering preparedness for when incidents occur, thereby minimises their impact, and enabling quicker and more effective recovery.
Unforeseen events, both malicious and accidental, can occur in a variety of ways, making it impractical to develop step-by-step instructions to manage every type of incident. Instead, plans should be formulated to prepare against the common threats each business or organisation faces in order to handle those incidents most likely to occur.
Assigning personal responsibility for identified protective measures and system management procedures plays a key part of embedding cyber security within any organisation’s risk strategy. This will help prioritise where protection is most needed, how best to achieve it, and who will ensure effective measures are taken in response to evolving threats.
Security installers are increasingly responsible for cyber security. Their customers can legitimately expect risk protection from their installation provider and demand redress if a subsequent incident investigation identifies that insufficient protective measures or procedures were specified and/or defined responsibilities were not carried out, e.g. security updates were not implemented.
NSI contributes to the raising of cyber security standards through its participation by the Cyber Security Product Assurance Group (CySPAG), which is facilitated by the British Security Industry Association. Established in 2017, as a collaborative effort by product and system designers, manufacturers, installers and maintainers of security systems to harness cross-industry expertise, CySPAG provides guidance specifically to installers of security systems to help reduce vulnerability to cyber crime.
Two CySPAG Codes of Practice cover the installation of security and safety systems, and the manufacturers of these systems (Forms 342 and 343 respectively). Form 342, nicknamed ‘CyberCop 342’, addresses the continually increasing use of internet- connected devices and systems in electronic security and how the proliferation of devices and links on home and business networks leave individuals and companies vulnerable to cyber attack.
Best practice options
To independently demonstrate that correct steps have been taken, self-assessment to the government-backed Cyber Essentials scheme covers a number of requirements to help organisations protect against common cyber attacks
Third-party certification against the more rigorous Cyber Essentials Plus scheme – involving a hands-on technical verification – or ISO 27001 (an international standard which acts as a framework for managing information security risks) provides additional proof of intent.
Cyber resilience is now a vital element in any organisation’s security strategy; ensuring a robust approach to preventing, detecting or disrupting an attack at the earliest opportunity is key to limiting business impact and damage.
Matthew Holliday
Director of Approval Schemes
NSI
