While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organisations of all sizes,
these new technologies have also brought unprecedented threats with them.
Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for all businesses.
Cyber security will only become more important as more devices, ‘the internet of things’, become connected to the internet.

Introduction to cyber risks

Cyber risks can be divided into three distinct areas:

Cyber crime

Conducted by individuals working alone, or in organised groups, intent on extracting money, data or causing disruption, cyber crime can take many forms, including the acquisition of credit/debit card data and intellectual property,

and impairing the operations of a website or service.
Cyber war

A nation state conducting sabotage and espionage against another nation in order to cause disruption or to extract data.

This could involve the use of Advanced Persistent Threats (APTs).
Cyber terror

An organisation, working independently of a nation state, conducting terrorist activities through the medium of cyberspace.

Organisations that have to consider measures against cyber war or cyber terror include governments, those within the critical national infrastructure,
and very high-profile institutions. It is unlikely that most organisations will face the threat of cyber war or cyber terror.

For additional information on this subject, our book CyberWar, CyberTerror, CyberCrime and CyberActivism offers a no-nonsense discussion.

Introduction to cyber criminals

Cyberspace is unregulated and cyber crime is increasingly simple and cheap to commit: the Fortinet 2013 Cybercrime Report found that an effective botnet – a network of private computers infected
with malicious software and controlled without the owners’ knowledge – can be established for as little as $700 (about £420), or can be rented for just $535 (about £320) per week.
Cyber criminals can now even buy off-the-shelf hacking software, complete with support services.

Congruent with the rapid pace of technological change, the world of cyber crime never stops innovating either.
Every month, Microsoft publishes a bulletin of the vulnerabilities of its systems, an ever-growing list of known threats, bugs and viruses. For a more complete overview of cyber security threats, mailing lists such as Bugtraq can provide up-to-date resources listing all new bugs.

Types of malware

Cyber criminals operate remotely, in what is called ‘automation at a distance’, using numerous means of attack available,
which broadly fall under the umbrella term of malware (malicious software). These include:


Aim: Gain access to, steal, modify and/or corrupt information and files from a targeted computer system.
Technique: A small piece of software program that can replicate itself and spread from one computer to another by attaching itself to another computer file.


Aim: By exploiting weaknesses in operating systems, worms seek to damage networks and often deliver payloads which allow remote control of the infected computer.

Technique: Worms are self-replicating and do not require a program to attach themselves to.

Worms continually look for vulnerabilities and report back to the worm author when weaknesses are discovered.


Aim: To take control of your computer and/or to collect personal information without your knowledge.

Technique: By opening attachments, clicking links or downloading infected software, spyware/adware is installed on your computer.


Aim: To create a ‘backdoor’ on your computer by which information can be stolen and damage caused.

Technique: A software program appears to perform one function (for example, virus removal) but actually acts as something else.

Attack vectors

There are also a number of attack vectors available to cyber criminals which allow them to infect computers with malware or to harvest stolen data:


An attempt to acquire users’ information by masquerading as a legitimate entity. Examples include spoof emails and websites. See ‘social engineering’ below.


An attack to redirect a website’s traffic to a different, fake website, where the individuals’ information is then compromised. See ‘social engineering’ below.

Opportunistic attacks against specific weaknesses within a system.

‘Man in the middle attack’ where a middleman impersonates each endpoint and is thus able to manipulate both victims.

Social engineering

Exploiting the weakness of the individual by making them click malicious links, or by physically gaining access to a computer through deception. Pharming and phishing are examples of social engineering.
Cyber security for organisations

An effective cyber security posture should be proportional to the risks faced by each organisation, and should be based on the results of a risk assessment.

Critical Issues – Cyber Security looks at the cyber security challenges facing business today and proposes a fully structured approach to achieving both cyber security and cyber resilience.

All organisations face one of two types of cyber attack:

They will be deliberately attacked because they have a high profile and appear to have valuable data (or there is some other publicity benefit in a successful attack).

The attack will be opportunistic, because an automated scan detects the existence of exploitable vulnerabilities. Virtually every Internet-facing entity, unless it has been specifically tested and secured,

will have exploitable vulnerabilities.

Cyber criminals are indiscriminate. Where there is a weakness, they will try to exploit it. Therefore, all organisations need to understand the cyber threats they face, and safeguard against them.

The Cyber Essentials scheme

The Cyber Essentials scheme has been developed by the UK Government to help businesses deal with the business-critical issue of cyber security and cyber resilience.
The scheme provides a set of controls that organisations can implement to achieve a basic level of cyber security.

ISO 27001 and cyber security

As well as protecting your critical assets, customer details and your operating systems,
effective cyber security can also help organisations win new business by providing assurances of their commitment to cyber security to their supply chain partners,
stakeholders and customers.

In order to achieve real cyber security, today’s organisations have to recognise that expensive software alone is not enough to protect them from cyber threats.
The three fundamental domains of effective cyber security are: people, process and technology.

ISO 27001 is the internationally recognised best-practice Standard for information security management.
It forms the backbone of every intelligent cyber security risk management strategy.
Other standards, frameworks and methodologies need ISO 27001 in order to deliver their specific added value.
Implementing ISO27001 will help you protect your information assets in cyber space,
comply with your regulatory obligations and thrive by assuring your customers and stakeholders that you are cyber secure

ISO 27001 solutions

We have created a range of packaged solutions that will enable you to implement ISO 27001
at a speed and budget that is appropriate for your individual needs and preferred project approach.

Each fixed-price solution is a combination of products and services that can be accessed online and deployed by any company in the world.

Nazish Tabassum
IIIT Allahabad

While rapid technological developments have provided vast areas of new opportunity and potential sources of efficiency for organisations of all sizes, these new technologies have also brought unprecedented threats with them. Cyber security – defined as the protection of systems, networks and data in cyberspace – is a critical issue for...