Meet Our Guest

Neil Furminger

Head of Cyber Essentials at IASME

Neil Furminger is Head of Cyber Essentials at IASME, the official delivery partner for the UK Government and the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme. With seven years dedicated to the scheme full-time, Neil leads the technical direction of Cyber Essentials, ensuring it is deployed consistently across the UK’s network of certification bodies and assessors.

He plays a central role in shaping the scheme’s annual requirement updates, working closely with government, the NCSC and industry to keep the controls relevant in a fast-moving threat landscape. Through his hands-on expertise and his commitment to making security accessible, Neil helps organisations of all sizes apply the five core controls that prevent the vast majority of common cyber attacks.

ONE-PAGER

Cyber Essentials: Common Cyber Threats Explained with IASME

Best Practices & Lessons Learned

This one-pager distils the key lessons from Episode 22 of Tales from the CyberLab, exploring why the most common cyber threats are still the most damaging, and how the right basic controls can stop the vast majority of them.

Focused on the Cyber Essentials scheme, it highlights the threats organisations face every day, the five core technical controls that prevent up to 80% of attacks, and the role of certifying bodies in making cyber resilience accessible to all. A concise resource for any organisation looking to build a strong, achievable foundation for cyber security.


Episode Transcript

Adam Myers:

Hello and welcome to our podcast, Tales from the CyberLab. My name’s Adam Myers and I’m the Sales Director here at CyberLab, and I’ll be your host for today. Joining me is Neil Furminger, who heads up Cyber Essentials at IASME, and we’ll be discussing around defending against common cyber threats. Welcome, Neil. Could you just explain a little bit about your role and what you do on a day-to-day basis?

Neil Furminger:

Yeah, I’m the head of Cyber Essentials at IASME, the delivery partner for the UK Government and National Cyber Security Centre’s Cyber Essentials Scheme. I’ve been working on the scheme now full-time at IASME for seven years. And my key role in this is to make sure that the technical side of Cyber Essentials is deployed correctly throughout all our certification bodies, assessors, etc., to make sure that the scheme is deployed in a consistent manner and the integrity of the scheme is maintained.

Adam Myers:

Amazing. Yeah, so I’m really looking forward to this podcast. I think it’s going to be brilliant. So I guess first topic from what IASME sees nationally, what are the most common cyber threats affecting UK organisations?

Neil Furminger:

I think what we see is there are lots of threats out there, but in my world working in Cyber Essentials is that the threats we hear about and we talk about, we hear that they are started off by commodity tools, free and relatively easy to start with before they became more complex for the larger organisations. And so many cyber attacks start with freely available tools that are available out there in the commodity space that we talk about in Cyber Essentials.

Adam Myers:

We’ve done a few through our live hack, for example, of some of the tools that are used. Is that just readily available on the dark web? And I guess as one is found and maybe a new one will spin up as that sort of moved out. Is that kind of how it works and operates so that these tools are low cost and fairly easy to use?

Neil Furminger:

Not necessarily. Even in the dark web, some of the tools that can be used to carry out a cyber attack can be those that are used to do a pen test to see how secure an organisation is. And there’s things like tools like Metasploit out there, etc, which were there at the beginning of Cyber Essentials and used to carry out such target, well, such untargeted attacks, because that’s what we talk about. We’re not looking at the targeted attacks. Cyber Essentials is the untargeted attacks, and many cyber attacks start in that simple manner to start with.

Adam Myers:

Are you still seeing phishing is probably one of the main entry points? Is there anything there that you’re seeing as the main attack?

Neil Furminger:

Yeah. For Cyber Essentials, especially, that is what the threat model is about. It’s about phishing, vulnerability exploitation, password guessing. All those common things that have been around, that we know about and hear in the news, etc., have been around for many years; they are still very common entry points and threats that are exploited.

Adam Myers:

Yeah. A lot of unpatched systems, we see a lot of misconfigurations. Is that what you are seeing? And yeah, that’s often the sort of way that-

Neil Furminger:

Yeah, that’s a big part of Cyber Essentials is educating people on patching and making sure their systems aren’t vulnerable from those threats. I talk about it almost on a daily basis.

Adam Myers:

Yeah. And then, so obviously with HackRisk that we do, we have tried to help with the supply chain element of Cyber Essentials. And I guess that’s where maybe an attacker might try and that relationship between suppliers, they try and see that as a soft target. Is that still what you see as well?

Neil Furminger:

Yeah, the supply chain is really important and there’s an awful lot of work going on in the Cyber Essentials ecosystem at the moment, working with government and the NCSC about securing supply chains because we saw with attacks that happened last year, how supply chains get affected. So it could be top down or it could be bottom up that affects. You could have weak email systems further down the supply chain, sending in threats across to the larger organisation that causes disruption.

Adam Myers:

And I guess that’s why it’s important to have good cyber hygiene, doing your health checks, going through these accreditations and all this. Is that what you’d recommend, make sure you’re measuring and benchmarking yourself against those standards?

Neil Furminger:

Yeah. With Cyber Essentials, what I’d like to do is, because that’s my world, is it’s an education piece and it’s something that should be maintained 12 months of the year ultimately. It’s a good gap analysis when you start, certainly in your first year of doing it, but yeah, it gives you that benchmark and they are the best practices of basic cyber security. So any other scheme, assurance level or whatever that may be required, I still think, really believe that Cyber Essentials gives you that benchmark base level to build your platform of a good cyber security ethos within organisations, etc.

Adam Myers:

Yeah, some really good advice there for our audience. So yeah, great sort of first opening question, I guess. And then just moving on, so there’s this sort of perception that hackers are sort of highly sophisticated. Is that really what’s happening in most attacks or are you seeing anything different?

Neil Furminger:

No, there is a level of sophistication with some of the attacks, but what we see is that sophisticated attacks can very quickly become very simple commoditised attacks in a matter of days nowadays. There’s many different things, but we with Cyber Essentials, we’re looking at those commoditised attacks because they’re the most common that are out there. They’re normally untargeted and they’re the ones people are most vulnerable to. Targeted attacks account for a smaller percentage, but even the targeted attacks start with these commoditised tools and attacks to start with, because if they can find an easy way in to get these larger organisations, they can cause the disruption we’ve seen over the past year with some high profile names.

Adam Myers:

Yeah. And I guess it’s like sometimes it is known techniques and automation has probably played a big role in that. I’m obviously using the AI, but the scale now and how they can do that by tightening those common weaknesses, that’s I guess where they can do this now on a bigger scale and kind of push that out to more and more businesses through the sort of technologies we evolve, I guess.

Neil Furminger:

Yeah. And I think the AI, what it’s done is going to help defenders from these attacks, but it also helps the attackers and it’s just speeding up the whole process. And we’re starting to see a number of reports that are coming out; there was a report from the NCSC just a couple of weeks ago talking about this, about defending using AI, but also the attackers being able to speed up, and how we should defend against it by making sure you’re using the basic controls to start with.

Adam Myers:

Yeah. I guess that’s what Cyber Essentials does, isn’t it? It’s focusing on stopping those everyday attacks and the mass attacks that we see. I guess that’s what you’re trying to help with is with that benchmarks or raising everyone’s level. We kind of help and support one another in that, I guess.

Neil Furminger:

Yeah. I think by having a base standard, which Cyber Essentials is with the five basic controls that are built into it, they go outside sometimes the threat model of Cyber Essentials because they can inhibit all kinds of different kinds of attacks just by applying basic controls. And remember, the controls have been around for a long time. Cyber Essentials is 12 years old this year. Those controls have been there. They fundamentally haven’t changed. They’ve had to adapt to faster technologies and wider adoption of cloud services caused by the pandemic, etc. But the fundamental controls have been in IT systems for the last 25, 30 years. It’s just, I find it remarkable, we still have to educate people on these basic things. And like anything, you can get the biggest bang for your buck, I think, in cyber security by putting these basic controls in because they can really make a difference.

Adam Myers:

Amazing thought there. So I guess just for anyone new to it, what exactly is Cyber Essentials? We hear it a lot and I think people have a good understanding to some extent, but I guess why was it created and could you just maybe provide some sort of narrative on that for our listeners?

Neil Furminger:

There are a lot of stories about why it was created. A lot of people think it was created for SMEs, etc. But there was a period back in 2010, 2011, something like that, where there were a number of large contractors working for defence and UK government that were being attacked, but they were being attacked through these commoditised tools. And the NCSC, or it was the CESG at that time, decided that a scheme needed to be put together working with various government departments to try and prevent these attacks from taking place. And so they used what was 10 Steps To Cyber Security, which was made up of numerous controls, chose the five that prevented cyber attacks and built the scheme around those controls. And our CEO at IASME was there at the beginning being involved in this. So IASME has been well embedded into the Cyber Essentials ecosystem for quite a while now.

Adam Myers:

Listening to this episode, one thing should be really clear. Most cyber attacks don’t succeed because organisations are unlucky. They succeed because basic security controls are not in place, and that’s exactly why we have Cyber Essentials. At CyberLab, we help organisations defend against the most common cyber threats by achieving Cyber Essentials, a UK government-backed standard, built on the NCSC’s guidance and designed to stop attacks that we see every single day. It focuses on the fundamentals that really matter, so secure configuration, access control, patching, and malware protection. And as an approved assessor for Cyber Essentials and Cyber Essentials Plus, we’ve helped over 1,400 organisations achieve their certification, and Cyber Essentials can actually be achieved from as little as £320 as a starting point. And if you do need greater assurances, we can also help you with Cyber Essentials Plus. So join over 120,000 organisations who are already certified and take a practical first step to stronger security by visiting our website, cyberlab.co.uk. That’s Cyber Essentials with CyberLab, because defending against the most common cyber threats starts with getting the basics right. Back to the episode.

Adam Myers:

We’ll be working very closely with the NCSC technical controls and best practice. I know a lot of our listeners will follow that best practice as well. But would you say it’s still achievable for all organisations and that’s kind of like what everyone should try and aim for? Do you think that’s a fair point to say that it is for all?

Neil Furminger:

As I’m heavily involved in working on the annual requirement updates, etc, it is something we always look at when we do the requirements. We are making sure it is accessible for all and whether everybody can do it. We start off with a base point when we look at it, can you apply the control to a single laptop? And that’s the thing, you can apply it to a single laptop. And obviously what we have is challenges. So small organisations may not have the technical expertise around to put some of these controls in place. And as you go up and scale up and size of organisations, it becomes more complex when you’ve got to maintain the controls over thousands of devices. But the whole point of Cyber Essentials is all five controls should be able to be applied within any size of organisation, and that’s how it’s always been thought about and designed. So it’s a one size fits all.

Adam Myers:

Yeah. Yeah. So it’s probably where then that Cyber Essentials was built on that sort of NCSC guidance, as you said. I guess from your perspective, how does that translate into real protection? And I know there’s the sort of five core technical controls. Could you maybe just expand a touch and take us through that a little bit?

Neil Furminger:

Yeah, so there’s five. So the point is with Cyber Essentials is this overall thing is to prevent a cyber attack taking place. These are the common cyber attacks. So we talked about them, phishing and vulnerability exploitation, password guessing; the controls all add up to help prevent the most common ransomware when applied correctly. And there’s five control areas. So there’s the firewalls, which is your boundary to the internet, whether it’s on your device or an organisation’s network or the cloud services they use. And then you have some secure configurations, things you can do to your devices that maybe will help secure them a little bit more by not having so many open doors to the internet. So removing software you don’t use that may be vulnerable if not kept up to date, etc. Removing unwanted user accounts or default accounts that are supplied on those devices to start with. If you disable or remove them, that will reduce the attack surface against that device. Vulnerabilities is something that comes up all the time. So this is your patching and making sure those vulnerabilities, those holes in software and your operating systems, are closed off by regularly applying patches and updates, and those should be applied as soon as possible. And then we have how you use user accounts. So that’s your standard user account for your day-to-day operations, reading email, writing documents, filling out spreadsheets, accounts software, etc., and how you use your administrator accounts as well. Make sure your standard user doesn’t have administrator rights, because administrator rights and permissions give the attacker, if they got hold of that account, the ability to install software. So that could be encryption software from clicking on a link that starts off a ransomware attack or something.

So if you keep those two accounts separate, you reduce that risk if one gets compromised, especially the standard user account, which should be used for 95% of your daily activities unless you’re an administrator who would use it more, but we’d still encourage users to have standard accounts and administrator accounts to do the different high privileged access with a completely different account. And then finally, the final thing is about malware protection. So this used to be known as antivirus software, but it’s developed into something else called malware protection. There are many suppliers of this, but we want something that is there regularly checking and scanning the devices on access, etc., for these threats and vulnerabilities that may be coming through, can check suspicious links, etc. We want them to be configured to vendor best practice and make sure they are kept up to date. Those are the five control areas.

Adam Myers:

Amazing. Yeah. I guess for anybody that just needed a little snapshot of what they should be doing, five steps, really good takeaway from that topic perspective. So what we see is, I guess, when should an organisation consider Cyber Essentials Plus instead of basic certification? I guess a lot of businesses are thinking of maybe going for Plus. What would be your advice there and how they go about that and when to maybe take that step?

Neil Furminger:

So Cyber Essentials Plus, so we haven’t talked about the two different levels actually. So there’s two levels to Cyber Essentials. So Cyber Essentials, the verified self-assessment, which is where you fill out a questionnaire, and then it’s independently verified by an assessor who goes through and checks your answers on what you’ve submitted to make sure what you think you have in place aligns with the controls and they will pass it off. The Cyber Essentials Plus that you’re talking about here then gives that additional level of assurance on it, because you’ll have some audit tests carried out on your devices, your network, and against your cloud services to show whether you have those Cyber Essentials controls in place. Now the controls of Cyber Essentials, and this is an important thing to bring over, they are technical controls. And what we’re doing with the CE+, the Cyber Essentials Plus, is to make sure those technical controls have actually been put in place and tested and offer that resilience part to protect and prevent these basic cyber attacks taking place. So they check for account separation. They check if all your updates have been applied within 14 days of the vendor’s release on a sample of devices. They check if you’ve got ports open on your firewalls, etc. So it adds that extra level of assurance. And it’s something we’re seeing big take up for those supply chain requirements coming when you want a contract or something with local or UK government or something. They’re using it as that extra level of assurance to show that their networks and devices have been tested.

Adam Myers:

I guess it’s ideal for regulated sectors, supply chain, like you mentioned, and high risk organisations; that’s probably where maybe they should consider Plus. Are you seeing a big uptake? More people, sorry, more organisations make the move to Plus through your experience? You see that more and more are trying to get to Plus level. Is that what they’re doing?

Neil Furminger:

Yes, there’s a higher percentage growth in the Plus area, but we still get a very good growth on both schemes, especially with the announcements from government, etc., talking to the FTSE 350 companies back in October; there’s so much more awareness, especially over the high-profile attacks and what people can do. So we’re fully backed by UK government. It’s spoken about by ministers, etc. And it’s being promoted everywhere. There’s been a recent advertising campaign on social media, for the first time properly, about Cyber Essentials, which has proved very effective and has got a lot of uptake. The conversations about Cyber Essentials are really, there’s a real upshift in talking about it because of those high profile attacks, what can people do? That’s what Cyber Essentials has got people talking about, because they are achievable controls that can genuinely prove or prevent, sorry, prevent a cyber attack in the majority of cases. About 80%: if you put the controls of Cyber Essentials in place, you’ll prevent about 80% of cyber attacks.

Adam Myers:

A big stat there. Yeah. Great listeners to take that advice onboard. And I guess what role do awarding bodies like CyberLab play in helping organisations achieve and maintain Cyber Essentials? Because I know it’s not always that easy to go through that journey and that path, and I guess that’s where we try and help. And could you maybe just provide some advice on how we maybe play a role in that?

Neil Furminger:

So IASME, we oversee and administer the scheme and help create the scheme and do all that work with the government. So we’re that link between. But also we have a UK-wide network of certifying bodies such as CyberLab who are the frontline people working out there in the wild with these organisations to help secure them and show them the way forward with these controls. So you are the frontline, CyberLab is the frontline here who are working with those organisations, trying to protect them from these cyber attacks taking place. So you are the ones who are actually delivering Cyber Essentials. You’re delivering the Cyber Essentials Plus audits, etc., but you’re also possibly providing other services that are all linked to the Cyber Essentials ecosystem, Cyber Advisor services, etc., that are out there now and providing that core advice and implementation skills on how to apply these controls.

Adam Myers:

And I guess we are trying to support, I guess before, during and after certification, that’s kind of where we try and help and I guess use it as a foundation to build out a cyber strategy and hopefully help organisations. So it’s not just always a tick box through what you shared here and how we try and identify gaps and avoid failed assessments, we’re in there trying to help there.

Neil Furminger:

Yeah. Cyber Essentials is an education piece. It’s your first rung on a ladder to getting involved with cyber security, but as I said earlier, it gives you, I think, big bang for your buck because these controls really have been proved to be very effective. I think you need to…when you start on the Cyber Essentials journey, that’s not the be all and end all. You’ve got to continue. There’s other things you can do. There’s other resilience pieces you can do around it, but your Cyber Essentials should be maintained 12 months of the year, 365 days to get that protection you get from applying the controls. Don’t treat it as a tick box exercise, “I need it for a contract.” You should be … When an organisation starts on this journey with Cyber Essentials, they’re buying into something that needs to be maintained 365 days a year. That is most important because if you give up after 30 days or so of having it, you’re not going to get the benefit. You may get the benefit of holding a contract, but it’s not going to help you if you don’t maintain those controls all the time.

Adam Myers:

Yeah. Amazing answer there, I believe. So I guess I always ask this to all our guests. If you could leave organisations with just one principle when it comes to defending against common cyber threats and one piece of advice they could take away from this podcast, what would that be? And yeah, I’m interested to hear your answer on this one because I think it’s going to be a good …

Neil Furminger:

One piece of advice….

Adam Myers:

Yeah.

Neil Furminger:

I’ve got five pieces of advice. Apply all five controls. Follow the guidance of the NCSC. Listen to them and follow these five core controls. It’s as simple as that. They’re made up of things that apply… And I suppose this is my one piece of advice. The things you can do in Cyber Essentials, you can also and need to do in your personal life on your own personal devices. They will help. The exact same controls don’t apply to organisations. They apply to your laptop, your personal laptop you use at home, your personal mobile phones, etc. Apply the same security principles and it will protect you not only in your organisation, but in your personal life as well. So use things like multifactor authentication on your social media; in your work environment, when you use it there, use it in your home environment as well on your own personal social media accounts so you’re not getting those attacks against them and losing personal information as well. That’s the real thing: the five controls can be applied on any device in a business environment or in your personal life.

Adam Myers:

So that concludes this episode of Tales from the CyberLab. Join us next time for a brand new episode. Until then, Stay Secure.