From AI scams to phishing emails — how secure is your IT system?

With the possibility of mandatory cyber security certificates on the horizon for some major companies, SoGlos speaks to the tech experts at Cheltenham-based ReformIT to find out what this means and how to get ahead of the competition to make sure your business is certified.

By Sarah Kent  |  Published
A basic cyber security certificate could soon be compulsory for some businesses, says Nathan Warren from Gloucestershire-based ReformIT.

According to industry insiders, companies in the finance, legal and manufacturing sectors may soon be told by regulators, governing bodies and even by their suppliers and customers that they must be Cyber Essentials certified. But what exactly does this mean for the future of the business sector?

SoGlos speaks to Nathan Warren, technical manager at managed IT service provider, ReformIT, to find out what companies will need to do if this mandate is passed.

Nathan, what is Cyber Essentials certification and why might it be a requirement for some companies?

It demonstrates that your business has a basic level of cyber security controls in place and that you are taking your cyber security seriously. It is the first step on a journey that evolves over time with your business. It will make you stand out from the crowd and allow you to tender for new contracts.

The majority of security and data breaches happen via a phishing email, so with a basic Cyber Essentials certificate, and ensuring that any identified controls are in place, a company will be protected from cyber attacks by up to 80 per cent, meaning its customers, clients and suppliers also have peace of mind.

How does it work?

Any company that wants to become Cyber Essentials certified can come to us at ReformIT, or search for a provider on the IASME website, and select from either the basic level, or upgrade their basic certificate to plus — however you must first have the basic certificate to get plus.

At the basic level, they fill in a self-assessment questionnaire, which covers a variety of cyber security questions about their own IT systems. Controls that are covered in the certification include firewalls, secure configuration, access control, malware protection and patch management. With the controls in these five domains implemented to the requirements, this will enable the 80 per cent protection rate.

The next level up is Cyber Essentials Plus — this is a verified assessment carried out by a Cyber Essentials auditor where we test to ensure the controls you have in place, as per the self-assessment questionnaire, are correct and working — this gives you and your customers or suppliers that extra level of reassurance.

What sort of companies might get asked to officially secure their IT systems and why?

Companies that hold MOD contracts or work for central government, for example, are now being mandated to have Cyber Essentials, but we're also hearing that some of the big financial and legal firms are being told to hold at least the basic certificate, if not the plus.

Some will be mandated by governing bodies and others may be required by suppliers or clients, depending on the industry sector.

Do you think this potential requirement may come into force as a result of recent cyber security breaches?

Yes, 100 per cent. It's becoming more and more common — especially with AI advancements. And it's the smaller businesses that need to be taking cyber security seriously because they're the ones that have potential access to data, and are maybe storing it, too, for larger organisations. Some smaller organisations incorrectly believe that they won't be targeted because they aren't as visible; but they absolutely can be — and often are — attacked.

The benefit of coming through a certification body like ReformIT is that we can do the whole process end-to-end for you and advise on any kind of gaps that need to be secured.

What other common IT safety shortfalls do you see?

One big thing I'm seeing is companies not having visibility as to who has access to their data and from what devices. For example, if an employee works from home and logs into the company system from their home device, then that may be open to potential breaches. Recently there have been two or three big breaches that have come from employees' home machines, where cyber criminals have targeted a company through a phishing email and then gained access to an organisation's usernames and passwords.

If an employee using a home device is connected to their organisation's data, and that home device isn't managed by the organisation's IT system, then it's got no control over where the data is being accessed from.

We understand that you are now one of Gloucestershire's only Cyber Essentials and Cyber Assurance certification bodies with Cyber Advisor status. How does this help businesses?

Alongside the Cyber Essentials certification, we can also assess on Cyber Assurance. We are seeing smaller clients being asked to complete detailed compliance and risk assessments which align to the industry-recognised ISO27001. IASME have a certification aimed at smaller businesses, called Cyber Assurance, which we can also assess, and which will ensure your complete cyber security — not just from a technical standpoint but also from a policy and procedure standpoint — is watertight.

This is about the process and procedures that you might have in place around risk management, an asset register and keeping track of who's got access to what.

Cyber Essentials is more around the technical controls you have in place, such as updating machines, firewalls and admin accounts; whereas Cyber Assurance is making sure that your processes and procedures are in place. For example, risk assessments of external USB drives; or information assets such as physical paperwork and electronic paperwork — asking questions like where is it being held and who has access? Making sure that staff follow procedures and are properly trained in them.

And touching on all the hype surrounding AI at the moment — what are your thoughts on it as a cyber security expert?

I don't think we're ready! Companies aren't ready for it and they're still getting used to technology that's still in the 90s, advancement-wise — to bring AI in now is pretty scary. I've seen scams such as people doing voice notes on WhatsApp via voice-changing AI.

A cyber criminal sent a voice note to an employee of a company pretending to be the director of that company, saying 'I need £2,000 moved to this bank account' and the employee did it without checking with someone first because they believed it was their boss. This director's Instagram account was being watched, and at the time he was on a boat somewhere in the middle of the ocean, so the scammers knew he wasn't in the office and that it was a perfect time to send a voice note. The hackers are watching your every move.

Another scam that's not quite as common is SIM swapping where a cyber criminal will call your mobile provider posing as you and say, 'I want my number moved to a new SIM'. And they just do it, with no kind of security checks.

For help with your company's IT security and to find out more on Cyber Essentials certification, call (01242) 236999 or visit reformit.co.uk.

In partnership with ReformIT  |  reformit.co.uk