Cyber Essentials – Easy as 1-2-3?
The Government-backed Cyber Essentials scheme is becoming both increasingly well-known and applied for. We think this is a good thing.
Whether you’re a business owner, IT Professional or involved in IT decision-making in any way, everyone benefits from going through the process and obtaining this valuable certificate.
How can that be a good thing for all and what’s involved?
Whatever your role, we think you’ll find something interesting in this article.
If you’re a business owner, you did not set up a business to defend against cyber attacks (unless you run an IT security business!). You started to trade, make profits and grow. You may not know that this becomes a lot easier once you get your certificate, though.
Potential customers are increasingly asking providers if they have the Cyber Essentials standard in place. In fact, it’s already mandatory if you want to trade with many Government bodies or larger companies. These customers also want to know that you take protecting their data (and yours) seriously. In brief – you get a competitive advantage.
On the other hand, if you’re an IT professional, it’s easy to think the bar is set too low for what is generally considered a first step on the security ladder. Don’t let that stop you going for it! You likely have a general responsibility for the security of your employer’s IT infrastructure, and it’s widely agreed that Cyber Essentials certification helps you ensure you are protected from 80% of cyber-attacks. That’s a fair chunk covered and evidenced in one hit.
We’ve assisted many businesses with tailored advice and clear guidance on how to go through the process to virtually guarantee that you get certified at the end of it. These businesses may have their own IT department (so we work with the internal team), or they may outsource their IT to us or another provider or even support themselves with a bit of internal knowledge (so we work with the management).
Incidentally, we’re also aware that many IT providers will offer you help but, unless they are a certifying body (CB), they can only give you advice before passing you on to a certifying body like us – usually at a hefty mark-up. You should ask anyone you approach whether they are a registered CB. If not, you get the best specialist advice by going direct, and it will be better for your budget.
During our assessments, our specialist Information Security Consultant has uncovered three common stumbling blocks that we wanted to share with you to give a flavour of what’s required or what you may not have considered.
1. Mobile phones and other devices
Cloud services are currently out of scope for Cyber Essentials (e.g. Office 365, Google Drive, Dropbox) – not because they’re not important but because it’s less straightforward to map cloud services to the existing Cyber Essentials technical controls.
However, any device that has internet and business data access IS in scope – unless there are controls and policies to prevent data being downloaded from a cloud service and stored locally. This potentially brings mobiles (both company AND employee devices) and user/untrusted devices into scope.
Think about people checking work emails on shared computers in an airport business lounge or internet café. Or from an old home device – like a no-longer-supported iPad or home computer where the security updates/patching or AV aren’t up to date. Office-based machines can be a handful themselves; it gets more complicated when considering mobiles or remote access.
2. Managing installed software & patching
This is generally considered to be real bread-and-butter security, but we find it’s seldom considered properly or applied to the standard.
Over time, if there isn’t a procedure in place to keep track of what software is installed on systems, we often find legacy software lurking around – e.g. old MS Office versions, where the newer ones are installed but the older ones may not have been properly removed. It is also difficult to keep up with patching and removing unsupported versions – e.g. Adobe XI has not been supported since Oct 2017 but is still widely used according to our assessments.
Employees often have administrator rights on their computers and so can install software that is unsuitable. For example, if they install a browser (which might not be configured to warn on access to untrusted websites), they may not have the necessary controls in place to prevent unexpected or malicious downloads. With this ‘power’, users may also install software unknown to the IT department or the business owners, who won’t know it needs to be patched/updated.
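The inventory procedure described above, as an added example (not code from the original article or the scheme): a PowerShell script that lists installed software from the Windows Uninstall registry keys, exports it for the software register, shows side-by-side Office versions, and flags products on an end-of-life watchlist. The watchlist entries and the helper names (Get-InstalledSoftware, Find-EndOfLifeSoftware) are constructed for this example; Adobe Reader XI is the one product the article names.

```powershell
# Added example, not from the original article: inventory installed software from the
# Windows Uninstall registry keys and flag products on a constructed end-of-life watchlist.
# Run in an elevated PowerShell session on each machine, or remotely via Invoke-Command.

# Constructed watchlist; extend with the products your own assessments turn up.
$EndOfLifeWatchlist = @(
    @{ Pattern = '^Adobe Reader XI';              Reason = 'Unsupported since Oct 2017' },
    @{ Pattern = '^Microsoft Office (2007|2010)'; Reason = 'Legacy Office version - confirm removal' }
)

function Get-InstalledSoftware {
    # Both hives are needed: 64-bit installers and 32-bit installers on 64-bit Windows.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Name';        e = { $_.DisplayName } },
                      @{ n = 'Version';     e = { $_.DisplayVersion } },
                      @{ n = 'Publisher';   e = { $_.Publisher } },
                      @{ n = 'InstallDate'; e = { $_.InstallDate } }
}

function Find-EndOfLifeSoftware {
    # Emits one finding per installed product that matches a watchlist pattern.
    param(
        [Parameter(ValueFromPipeline)] $Software,
        [array] $Watchlist = $EndOfLifeWatchlist
    )
    process {
        foreach ($entry in $Watchlist) {
            if ($Software.Name -match $entry.Pattern) {
                [pscustomobject]@{
                    Name    = $Software.Name
                    Version = $Software.Version
                    Reason  = $entry.Reason
                }
            }
        }
    }
}

$inventory = Get-InstalledSoftware | Sort-Object Name

# Keep a per-machine snapshot so the register can be rebuilt and diffed over time.
$inventory | Export-Csv -Path "$env:COMPUTERNAME-software.csv" -NoTypeInformation

# Surface products installed more than once, e.g. two Office versions side by side.
$inventory | Where-Object Name -match '^Microsoft Office' | Format-Table Name, Version

# Products that should have been removed or replaced.
$inventory | Find-EndOfLifeSoftware | Format-Table -AutoSize
```

Per-user installs (under HKCU) and software that is not registered with Windows Installer will not appear in these hives, so treat the output as a starting point for the register rather than a complete list, and compare snapshots across machines to spot the legacy copies the article describes.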
3. Open ports on firewall (legacy, undocumented)
All firewalls should have a documented business case for any open ports. This means IT shouldn’t be opening any services through the firewall without going through a sign-off process, where the need for the services is made clear.
This also provides an opportunity to ensure the service is protected against password attacks – which can be done by restricting access to known source IP addresses, enabling two-factor authentication (2FA), and ensuring that unsuccessful login attempts are blocked after a specified number of failed attempts or within a set timeframe.
Ideally, this should result in a list of valid open ports, which can be checked periodically to ensure none have been left open accidentally after being opened temporarily or associated with a legacy service which has since been decommissioned.
The firewall is your first line of defence, so it’s worth having management procedures in place to ensure and validate its security.
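The periodic check described above, as an added example (not code from the original article or the scheme): a PowerShell function that reconciles a firewall's allow rules against the documented port register and reports rules with no business case on file, temporary rules whose sign-off has expired, and login-accepting services exposed to any source. Both CSV inputs are constructed samples; in practice the export comes from your firewall and the register from the sign-off process, and the function name Test-FirewallRegister is an assumption for this example.

```powershell
# Added example, not from the original article: compare open firewall rules with the
# documented port register. Inputs below are constructed samples.

$RegisterCsv = @'
Port,Protocol,Service,Owner,SignedOffBy,ExpiresOn
443,tcp,Customer portal (HTTPS),Web team,IT Manager,
25,tcp,Inbound mail to on-prem relay,Infrastructure,IT Manager,
3389,tcp,Temporary RDP for vendor support,Finance,IT Manager,2017-11-30
'@

$FirewallExportCsv = @'
RuleName,Port,Protocol,Source,Action
allow-https,443,tcp,any,allow
allow-smtp,25,tcp,any,allow
vendor-rdp,3389,tcp,any,allow
legacy-ftp,21,tcp,any,allow
deny-all,any,any,any,deny
'@

function Test-FirewallRegister {
    param(
        [string]   $RegisterCsvText,
        [string]   $ExportCsvText,
        [datetime] $AsOf = (Get-Date)
    )
    $register  = $RegisterCsvText | ConvertFrom-Csv
    $openRules = $ExportCsvText   | ConvertFrom-Csv | Where-Object Action -eq 'allow'

    # Index the register by port/protocol so each open rule can be looked up directly.
    $byKey = @{}
    foreach ($r in $register) { $byKey["$($r.Port)/$($r.Protocol)"] = $r }

    # Services that accept logins; the article's advice is to restrict these by IP,
    # add 2FA and lock out after repeated failed attempts.
    $loginServices = @('3389', '22', '21')

    foreach ($rule in $openRules) {
        $key   = "$($rule.Port)/$($rule.Protocol)"
        $entry = $byKey[$key]
        $finding = if (-not $entry) {
            'UNDOCUMENTED - no business case on file'
        } elseif ($entry.ExpiresOn -and [datetime]$entry.ExpiresOn -lt $AsOf) {
            "EXPIRED - temporary access ended $($entry.ExpiresOn)"
        } elseif ($rule.Source -eq 'any' -and $rule.Port -in $loginServices) {
            'REVIEW - login service open to any source'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Rule    = $rule.RuleName
            Port    = $key
            Service = $entry.Service
            Finding = $finding
        }
    }
}

Test-FirewallRegister -RegisterCsvText $RegisterCsv -ExportCsvText $FirewallExportCsv |
    Format-Table -AutoSize
```

With the sample data, the HTTPS and SMTP rules come back OK, the vendor RDP rule is reported as expired, and the FTP rule as undocumented. Run the comparison on a schedule and treat anything other than OK as a ticket for the rule's owner, which closes the gap the article describes between a rule being opened and anyone noticing it is still there.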
Whether you know how to implement these controls, pay a third party to do it or find it all a bit baffling, we can help.
To find out more about the scheme please call us on 0808 164 4142 or email firstname.lastname@example.org – it costs nothing to find out more.
Oh, and if your company is based in Scotland, there’s some really good news: vouchers are available to fully cover the costs. Get in touch to find out if you’re eligible.