For those of you who may not have heard of the Cyber Essentials scheme, it is an accreditation-based programme created by the UK government and backed by industry in both the UK and Ireland, intended to show that basic cyber security controls are in place that will block the most common cyber attacks. It was designed as an affordable alternative to ISO 27001, which may be financially out of reach for many small and medium enterprises, and certification is required of suppliers bidding for certain UK government contracts. So, it may have come as a surprise to many to find out that the IASME Consortium, one of the accrediting bodies in the UK, has suffered a data breach which exposed the company names and email addresses of its applicants. While no other information, such as these companies' security configurations or assessment answers, was leaked, a list of company names paired with the contact addresses used for a security certification is exactly what a criminal needs to craft convincing phishing emails against the exposed companies.
A list of Cyber Essentials applicants, including their company names and corporate email addresses, may have been leaked to hackers.
Affected companies were notified of the potential breach by IASME chief exec Dr Emma Philpott, who stated “We would like to make you aware that, due to a configuration error in the Pervade Software platform we use for Cyber Essentials assessments, the email address you used to apply for an assessment and your company name may have been released to a third party”. The notice went on to say “We would like to make it clear that the security of the assessment platform has not been compromised. Your account, the answers you provided in the assessment and the report you received are secure. No information other than your email address and your company name was accessible to the third party”.
Pervade Software is the supplier for the assessment platform used by IASME Consortium, through which companies submit their application to become Cyber Essentials certified. The platform itself is not believed to have been breached, with the error occurring “through a configuration error on the part of one of the Pervade systems engineers”.
According to Javvad Malik, security advocate at AlienVault, “The incident illustrates that even the most security savvy organisations can make errors that can leave them exposed. Therefore it is essential to have robust threat detection capabilities in place that can monitor and alert where unauthorised access is being attempted so that the appropriate response may be taken. Having ongoing detection in place across both the network and critical hosts allows enterprises to have the assurance that systems are working as intended under the control of authorised persons.”
Some of the companies affected by the breach are understandably unimpressed that the body accrediting their cyber security application itself suffered a breach and exposed their details, with one affected worker telling The Register “We paid to be audited and registered with the UK Govt Cyber Essentials scheme, in order to be able to do business with govt organisations. Turns out that the info has been leaked, which I guess means that someone now has a list of companies that work with the govt”.
Despite the unfortunate irony of such an incident, the breach is considered by the commentators quoted above to be minor, and the companies affected should, as required by the Cyber Essentials scheme itself, already have the necessary controls in place to limit the damage from a phishing attack. They should nonetheless treat any unsolicited email that references their Cyber Essentials application, assessment or certificate renewal with suspicion, since that is the most likely pretext for misuse of the leaked list.
It can be very difficult to predict when and where the next cyber attack may take place, so companies are no longer focusing their efforts and budget solely on prevention, but also on attack detection and recovery. Unfortunately, for most businesses, a cyber attack is a matter of when, not if. We always recommend a thorough, robust approach to cyber security with both proactive and reactive measures in place. In particular, we recommend cyber security awareness training for staff, as phishing and scam emails continue to be the most common means of spreading ransomware and other forms of malware.
Cyber Essentials is an excellent starting point for small and medium businesses that are seeking to ensure that their data and critical systems are protected, in addition to being able to demonstrate this to potential customers, clients or even investors.