Information security and information assurance specialists Xpertex have over a decade of deep expertise protecting the digital businesses of government and commerce. Information security is vital to any business, especially in the face of ever-increasing threats.
The Threat Picture
Information security threats exist within an increasingly connected economy of rapid digital communications and commercial transactions. This is a landscape where criminal groups and state actors – with dedicated infrastructure and resources based locally, or half the world away from their targets – can and will attack UK organisations. Many cyber-attacks are crude and relatively basic, but in an environment where many organisations still exhibit significant vulnerabilities somewhere in their digital business practices, attacks often succeed despite being unsophisticated.
The scale of these information security threats is huge. Since 2016, the UK National Cyber Security Centre (NCSC) has been tasked with the digital protection of the nation, its organisations and citizens. NCSC has exposed the scale of the threat to UK business, both financially and reputationally. Between 2016 and 2019, it took down over 177,000 phishing URLs, illustrating the huge number of fraudulent sites set up to trap and scam citizens and employees. In 2019, 56 UK banks were notified in a single episode where a compelling ATM ‘cash-out’ threat was identified. Attacks to steal bulk personal information held by companies, to sell on or to use for spear-phishing, are a constant concern; airlines are reported to be an ‘attractive target’ in this regard. To add to the woe, the Information Commissioner can and will impose considerable fines on organisations for personal data losses. In the third sector, where resources are often constrained and reputations fragile, one small UK charity is cited as having lost £13,000 in a single incident, the result of an email account being compromised and a fraudulent instruction being issued to release the funds.
Worryingly, NCSC adds that the most commonly breached password (identified in April 2019) was ‘123456’, with over 23 million instances recorded. The password ‘liverpool’ was the most popular Premier League-related choice, appearing in over 280,000 breached accounts, and ‘superman’ was the most common fictional character. Clearly, many people need to be more security-minded about their passwords.
What all this shows is that cyber-crime is big; it has financial and reputational implications for the organisations affected, and the ‘human factor’ of poor cyber practices – such as naive password habits – can greatly reduce the effectiveness of cyber defences. A succinct point made by the NCSC is that being affected by cyber-crime is not a question of ‘if’ but ‘when’. Cyber security cannot be treated as a silo for the IT department to worry about. It is an issue affecting every employee and, legally, a Board-level responsibility.
Practice what you preach
As an information security expert, practising what you preach is vital if you are to know what customers experience as they develop their cyber security capabilities. It also enhances the credibility of the organisation advising the customer. Xpertex has tangible credentials. It has national security cleared staff, Cyber Essentials PLUS accreditation and, most recently, certification to ISO 27001, the international standard for information security management systems (ISMS). It is also registered on the public sector Digital Outcomes and Specialists (DOS 4) Framework in the ‘Digital Specialists’ category. Consequently, clients can be confident that Xpertex is experienced in adhering to the same standards it is advising them about.
The tension of balancing risk and investment
Understandably, a tension exists between the cost of information security defences and the probable financial and reputational losses that could occur. Under the GDPR, fines for personal data losses can reach 4% of global annual turnover or €20 million, whichever is higher. Realistically, though, an organisation usually needs help to audit, identify and act on developing and maintaining good cyber defences and the associated processes. Finding the pivot point that balances the likely risk against the investment required to avoid it isn’t always easy without credible, specialist expertise on hand to help.
Xpertex has worked with several organisations as a client-side and trusted advisor on information security programmes. One example is the internationally active leading skills development organisation, City & Guilds Group. Andrew Wilson, its Head of Information Security & Data Privacy said, “Xpertex have supported City & Guilds Group as we develop our information security posture. Together we have developed an approach that has gained us Cyber Essentials Plus certification and is ensuring our active defences are at the core of our business operation. It is imperative that organisations based in the UK but who trade globally, can do so with confidence and with appropriate measures in place to support the delivery of their services and assure their supply chain.”
One distinct element in information security is the strengths and weaknesses created by employee behaviour. A big investment in cyber protection needs sustained good practice from individuals if it is to work. Furthermore, human weakness, naivety or ill will can greatly undermine an organisation’s information security operation. Employees succumbing to spear-phishing attacks, having poor password hygiene and conducting careless email activity are all human factors that can hamstring an organisation’s defences. Xpertex focuses heavily on these human factors when working with customers.
Notes for Editors.
About City & Guilds Group
Using a portfolio of brands, the City & Guilds Group provides professional and technical skills education and corporate learning and development training programmes. The Group works closely with governments, employers and other industry representatives to overcome current skills challenges in the global jobs market. Having shaped skilled workforces since 1878, City & Guilds’ history provides a wealth of experience in developing quality products and services to help people and businesses develop the skills they need to succeed.
Formed in 2006, Xpertex has helped clients in defence, financial services, education, retail, and central and local government with secure IT project delivery and highly complex cyber and information security challenges. Today, its core businesses are Cyber & Information Security, Secure Product Fulfilment, and Secure Government.
Technology and vendor agnostic, Xpertex efficiently provides information security services for organisations large and small that are robust, flexible and effective. Our security focus always starts with an organisation’s human factors, in other words its people, culture and processes, to which we then fit the appropriate technology.
Xpertex builds long term relationships with customers, acting as a trusted advisor. We immerse ourselves in your business and add value with an up-front in-depth analysis of your requirements, to provide sustainable and strategic solutions, quickly and flexibly.
Xpertex Labs is the research and development arm of Xpertex that brings new ideas and innovation to the company’s mainstream business activities.