Protect your Business, your Clients and your Supply Chain with the UK Government’s Cyber Essentials Security Standard
Jon Towers – one of our Directors here at Grant McGregor Ltd explains how businesses can readily protect themselves from the majority of rising cybercrime threats AND demonstrate best practice and due diligence to their customers and stakeholders at the same time…
Cyber Security or cybercrime seems to be always in the news today, doesn’t it?
Whether it’s ransomware attacks on the NHS and other high-profile organisations, embarrassing data breaches costing many thousands in fines, or sophisticated spear-phishing attempts and identity theft designed to elicit fraudulent payments, there’s no doubting the massive spike in cybercrime over the past 12 months!
In fact, cybercrime and attacks on businesses large and small are increasing at a rapid rate; according to the Government’s 2017 Cyber Security Breaches Survey, just under half (46%) of all businesses identified at least one breach or attack in the last year.
The most common types of breaches related to staff receiving fraudulent emails (72% of those who identified a breach or attack), followed by viruses and malware (33%), people impersonating the organisation online (27%) and ransomware (17%).
With such a range of cyber-attacks that are increasing in severity and frequency, the consequences of ignoring this threat are truly serious.
An ongoing program of measures and counter-measures to combat the evolving cyber threats is now a top priority for many. Being able to readily demonstrate a high standard of security and preparedness is now becoming an important business requirement to reassure both existing and potential customers and clients.
So, how can this be achieved?
Cyber Essentials (CE) is a UK Government-backed Security Standard to help organisations and businesses protect themselves against common cyber-attacks.
It’s backed by industry including the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses.
Cyber Essentials defines a clear set of controls which, when properly implemented, will provide businesses and other organisations with essential protection from the most prevalent forms of cyber threats coming from the Internet.
In particular, it focuses on the types of threats which require low levels of attacker skill, and which are widely available online. Those are the very threats faced by most SME businesses and other organisations.
Why would Cyber Essentials help you in a practical way?
Put simply, the Cyber Essentials certification allows you to advertise that you meet this Government-endorsed IT Security standard. Furthermore, it demonstrates to your customers, stakeholders and supply chain that you take IT security (and the protection of information you hold on them) seriously.
Yet it is not just a badge.
The Government also realised that the most common types of cyber threat could be mitigated by some basic IT Security measures – more on that in a moment – and that 80% of cyber-attacks could be prevented or reduced if businesses put these simple cyber security controls in place!
That’s a whopping 80% of the most prevalent threats!
Yet 39% of SMBs still think they’re too small or off the radar of cyber attackers and cyber criminals – and these are the very businesses that are most vulnerable.
If that were not reason enough, imminent data protection changes in May 2018 in the form of the General Data Protection Regulation (GDPR) mean that businesses will need every means possible of evidencing their due diligence when it comes to the security of the data they hold.
So, think again!
Cyber Essentials is already mandatory for suppliers of most Government contracts (and increasingly their supply chain too!) which involve handling personal information and providing some ICT products and services.
However, it’s also a sensible accreditation to obtain if you want to be sure that you have the essential elements of IT Security in place for your business or organisation – and to show your customers, suppliers and other stakeholders that you take it seriously. You can show that you carry less risk than your competitors who don’t hold this standard, and it can certainly help you to avoid the hefty costs associated with cybercrime, breaches, fines and other cyber damage and disruption.
What’s required to become Cyber Essentials accredited?
To mitigate the main threats from phishing, infection, hacking and other common exploits or vulnerabilities, Cyber Essentials requires implementation of the following five controls for essential technical cyber protection:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. User access control
4. Malware protection
5. Patch management
Whilst many companies feel that, on the face of it, they have these measures in place, the truth is that many fail to have adequate protection, management processes or consistency of both across their entire business.
David Lawrence, also a Director of Grant McGregor, cites his experience of assessing businesses’ IT Security controls:
“We frequently find that some are still using unsupported, outdated software. Others have poor password or user access controls. Many companies have little or no documentation to track their IT assets and users – with old user accounts that can be an easier way in for the criminal.
At the very least, you need to have in place an effective patch management system for your software to swiftly push out security updates. This should be combined with effective, layered cyber-defences around your data, properly configured firewalls and other CE techniques to provide strong protection against malware strains & evolving (so-called zero-day) threats.
There are other non-CE aspects that are key to cyber security such as having a reliable back-up regime with fast recovery that is regularly tested. Plus businesses need suitable policies and processes in place to manage security around your IT. Finally, include regular training of computer users to be vigilant for unexpected or suspicious emails, links and attachments!”
Want some help to achieve your Cyber Essentials or Cyber Essentials Plus Accreditation?
The Cyber Essentials certification process includes a self-assessment questionnaire (SAQ) and an optional external vulnerability scan to check that there are no known vulnerabilities present on your network.
Grant McGregor has various Cyber Essentials services to enable businesses to become accredited to either the Standard or Plus levels. We can process your DIY questionnaire only, or we can walk you through the whole process. And we work with many shapes and sizes of organisations and businesses to provide Cyber Essentials assessments, from micro-businesses with fewer than 10 staff to companies of 250+ employees with their own in-house IT team.
Grant McGregor’s Guided CE Services further aid you in navigating the whole accreditation process to virtually guarantee you a first-time Cyber Essentials pass. As a multi-award-winning Managed Security Services Provider, we can add a wealth of proven security expertise to recommend best practices to you and review the most common areas of risk to provide you with a tailored Security Action Plan.
Cyber Essentials fees start from as little as £295+VAT, but it’s best to talk to our Cyber Essentials team first to ensure the right fit of service for your needs and shape of organisation.
Contact Jon Towers on 0131 603 7910 to discuss how Cyber Essentials could benefit you or find out more by getting in touch online.
A little background to why we do this…
In 2016, Grant McGregor – a well-established Edinburgh-based Managed IT Services Provider and Support Company – sought to be in a position to help our service customers and other client businesses that want to ensure they have best practices in place for IT Security and to attain these key IT Security standards:
1. The Cyber Essentials and Cyber Essentials Plus Schemes
2. IASME and IASME Gold
3. The General Data Protection Regulation (GDPR)
Grant McGregor is proud to have been fully accredited as an IASME Gold Accredited Cyber Essentials and Cyber Essentials Plus Assessing & Certifying Body. This means we are properly trained and accredited to assess Cyber Essentials and the IASME Standard and to audit those seeking these accreditations.
We’ve been assisting and assessing companies and organisations in Finance, Property, Construction, Logistics and Not For Profit to achieve the Cyber Essentials standard and are working with businesses in other sectors right now too.
We can now certify your business or organisation against these standards for both the self-assessment and the audited levels of Cyber Essentials and IASME.
The new General Data Protection Regulation (GDPR) will also come into effect in May 2018. When the GDPR takes effect, it will replace the existing Data Protection Directive and make information security an essential element of your business risk management plans and actions.
Get in Touch!