The UK Government Communications Headquarters, which is the centre for Her Majesty's Government's Signal Intelligence (SIGINT) activities, knows a thing or two about cyber security (including how to break into other systems), so their guide published in 2012 is worth considering.

They conclude that “Basic information risk management can stop up to 80% of the cyber attacks seen today, allowing companies to concentrate on managing the impact of the other 20%. We recommend that as a business, you take steps to review, and invest where necessary, to improve security in the following key areas:

• Home & Mobile Working: Develop a mobile working policy & train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit & at rest.
• User Education & Awareness: Produce user security policies covering acceptable & secure use of the organisation’s systems. Establish a staff training programme. Maintain user awareness of the cyber risks.
• Incident Management: Establish an incident response & disaster recovery capability. Produce & test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.
• Information Risk Management Regime: Establish an effective governance structure and determine your risk appetite - just like you would for any other risk. Maintain the Board’s engagement with the cyber risk. Produce supporting information risk management policies.
• Managing User Privileges: Establish account management processes & limit the number of privileged accounts. Limit user privileges & monitor user activity. Control access to activity & audit logs.
• Removable Media Controls: Produce a policy to control all access to removable media. Limit media types & use. Scan all media for malware before importing on to corporate system.
• Monitoring: Establish a monitoring strategy & produce supporting policies. Continuously monitor all ICT systems & networks. Analyse logs for unusual activity that could indicate an attack.
• Secure Configuration: Apply security patches & ensure that the secure configuration of all ICT systems is maintained. Create a system inventory & define a baseline build for all ICT devices.
• Malware Protection: Produce relevant policy & establish anti-malware defences that are applicable & relevant to all business areas. Scan for malware across the organisation.
• Network Security: Protect your networks against external and internal attack.Manage the network perimeter. Filter out unauthorised access & malicious content. Monitor & test security controls.”

(For a copy of the full paper go to: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/73128/12-1120-10-steps-to-cyber-security-executive.pdf)

Cyber-Security in Corporate Finance

The UK’s ICAEW put together a working group of the great and the good in corporate finance including the Association of Corporate Treasurers, Cabinet Office, The Takeover Panel, etc. to examine this topic. Using the example of a corporate finance transaction to:

• raise awareness of the issues, threats and areas of vulnerability surrounding cybersecurity across the spectrum of corporate finance activity.
• provide those engaging in any form of corporate finance activity (such as corporate finance advisers and the companies undertaking the activity) with material and references for consideration that can help reduce the risk of security breaches associated with corporate finance activity.
• demonstrate that cyber-risk is another business risk to be considered across the spectrum of corporate finance activity, and managed like other business risks.

The report, available from here, contains some useful ideas and examples.