Forensic Control

How Cyber Essentials Could Have Prevented The UK’s Biggest Cyber Attacks Of 2023.

Cyber attacks are a serious threat to businesses of all sizes and sectors. They can cause financial losses, reputational damage, legal liabilities, and operational disruption. In 2023, the UK experienced some of the biggest cyber attacks in its history, affecting millions of customers, employees, and citizens.

Cyber Essentials and Cyber Essentials Plus are government-backed schemes that help businesses protect themselves from common cyber threats. They provide a set of technical controls and best practices that cover five key areas: secure configuration, boundary firewalls and internet gateways, access control and administrative privilege management, patch management, and malware protection. By achieving Cyber Essentials certification, businesses demonstrate their commitment to cyber security, gain a competitive edge, and comply with regulatory requirements. Cyber Essentials Plus certification offers a higher level of assurance, as it involves an independent assessment of the business’s cyber security posture by an accredited body.

In this blog post, we will take a look at some of the biggest cyber attacks in the UK this year and, from the information available, assess whether they could have been prevented had the organisation applied the controls found in Cyber Essentials and Cyber Essentials Plus. We will also show you how Forensic Control can help you achieve these certifications and protect your business from cyber attacks.

The Guardian

Hackers struck the Guardian Media Group on 20 December 2022, and the consequences affected the newspaper for months. All the information available on this attack points to it stemming from a successful phishing attack on an individual’s email account.

Would Cyber Essentials/Cyber Essentials Plus have helped prevent it?

Quite possibly. Successful phishing attacks are much more likely when an email account is not protected by multi-factor authentication (MFA). Once an account has been compromised, an attacker can wreak far more damage if that account has administrator rights, as only administrator accounts can install applications or change configuration. Having a tailored cyber security staff-awareness/training programme in place helps staff spot potential phishing messages before it’s too late. Effective anti-malware and up-to-date operating systems and software further hinder the progression of such attacks.

All of the above recommendations are requirements of Cyber Essentials and Cyber Essentials Plus. They, along with further controls, will make it much harder for a phishing attack to succeed.

Royal Mail

Royal Mail was subject to ransomware delivered via LockBit. LockBit frequently gains initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or using compromised credentials purchased from affiliates. Initial access vectors also include phishing emails with malicious attachments or links, brute forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs.

Would Cyber Essentials/Cyber Essentials Plus have helped prevent it?

Quite possibly. The CE/CE+ requirements to remove older, unsupported applications, update vulnerable software, use brute force protection and apply MFA would likely have made this attack less successful.

Electoral Commission

The Electoral Commission was breached for over a year, from August 2021 to October 2022, but didn’t announce this until August this year. Although details of exactly what happened (beyond their email servers being breached) are scarce, we do know that the Electoral Commission had failed Cyber Essentials due to multiple devices running out-of-support operating systems.

Would Cyber Essentials/Cyber Essentials Plus have helped prevent it?

If the number of unsupported/un-updated devices was reflected throughout the Electoral Commission’s network, it’s a distinct possibility that, had Cyber Essentials controls been in place (particularly the requirements to remove unsupported devices and to address high/critical security issues within 14 days of a fix being available), the breach wouldn’t have occurred and millions of voters’ data would have remained secret.

Sellafield Nuclear Power Plant

Most concerning of all are reports of very poor cyber security practices at the Sellafield nuclear power plant, the biggest store of plutonium on the planet. The Guardian reports that “sleeper” malware has been present on the network since 2015. The allegations, which Sellafield Ltd denies, appear to show that basic cyber security measures are not being enforced. This is an emerging story, with both the plant and investigative journalists making claims which demand clear answers. Now that Government ministers are involved, some light should be shed on the matter.

Would Cyber Essentials/Cyber Essentials Plus have helped prevent it?

Let us be clear: Cyber Essentials and Cyber Essentials Plus are baseline cyber security standards. They will not prevent skilled, determined hackers and are not designed to tackle the threat posed by malicious state-sponsored groups. The Cyber Essentials scheme is designed to prevent internet-based “commodity” attacks, that is, attacks using off-the-shelf, readily available malicious applications.

Cyber security is most effective when applied in layers, and the Cyber Essentials scheme is an excellent starting point for this “defence in depth” approach.

As at the time of publication of this post, December 2024, the Guardian Media Group, Sellafield Ltd and the Electoral Commission show as not holding Cyber Essentials certification on the Cyber Essentials Certificate Check service. Royal Mail has a scope-limited certification, covering only those of its networks which connect to Government networks.

If you would like to discuss how Cyber Essentials can help secure your organisation, we’d be delighted to talk it through with you. Contact us here.