The Cyber Essentials Policies Your Business Needs
Cyber Essentials is a UK Government scheme that all businesses and NFP organisations should undertake. It helps you to ensure that you have the basic security systems and processes in place to help mitigate a cyber-attack.
The stakes couldn’t be higher: a 2017 survey for the National Cyber Security Alliance found 60 percent of small and midsized businesses that suffer a cyber-attack go out of business within six months.
Yes, you read that right: significantly more than half didn’t survive a cyber-attack.
What can small and mid-size organisations do?
As we’ve noted in an earlier blog post, sometimes doing enough is simply about ensuring that your organisation isn’t the low-hanging fruit that attackers can go after easily.
This is what Cyber Essentials is all about: it gives you the assurance that you have covered the obvious bases which criminals could use to launch a cyber-attack.
The Government says that simply by undertaking its Cyber Essentials scheme, you can reduce the likelihood of your business falling victim to a cyber-attack by as much as 80 percent.
The scheme is run in conjunction with the National Cyber Security Centre (NCSC) and is designed specifically to help organisations “guard against the most common cyber threats”, as well as to demonstrate your commitment to cyber security to the other companies in your supply chain and your other stakeholders – effectively giving you a competitive advantage, too.
There are two options from which to choose: Cyber Essentials and Cyber Essentials Plus.
Which is right for my organisation: Cyber Essentials or Cyber Essentials Plus?
Cyber Essentials is a certification process that is based around a self-assessment questionnaire. This requires you to answer questions about the essential defences you have in place, including: boundary firewalls and Internet gateways, secure configuration, user access control, malware protection and patch management.
Cyber Essentials Plus is recommended for those organisations which want to demonstrate a higher level of cyber security. While it includes all the elements of the Cyber Essentials assessments, it is considered to be more rigorous because it is tested and verified.
You must have Cyber Essentials in place before seeking the Plus level.
Grant McGregor can assist organisations to attain either of these certifications. Find out more here.
What policies are covered under the Cyber Essentials Schemes?
While there are significant competitive advantages for gaining accreditation under the Cyber Essentials scheme, the main objective is the security of your business. It offers a framework by which your organisation can think about and assess your readiness for the most common types of cyber threats.
These fall into five key areas:
• Firewalls
• User access control
• Malware protection
• Patch management
• Device settings
Let’s take a look at each of these in turn.
Cyber Essentials: Firewalls
Firewalls should be configured and used to protect all of your devices, especially any that connect to public or other unknown or untrusted networks.
Cyber Essentials: User access control
You need to control who can access your data and ensure that high-level administrator accounts are only given to those who need them.
As well as implementing user access management and offering staff advice about good password management, such as leveraging password blacklists, you need to ensure that you have timely and effective procedures in place to deal with new starters, leavers, lost devices and compromised passwords.
Cyber Essentials: Malware protection
This is perhaps more commonly known as antivirus. Do all of your devices have it, and is it kept up to date?
Cyber Essentials: Patch management
Not keeping your operating systems and software up to date is one of the most prevalent vulnerabilities – but it is also one of the simplest to fix. We have written extensively about the need to retire old software and undertake good patch management, and Cyber Essentials underlines this.
Cyber Essentials: Device management
You need to think about how your organisation is ensuring that only safe and necessary devices can hold or access your data.
The trend for employees to bring their own devices to work (BYOD) and the proliferation of “smart” connected devices does complicate this picture considerably. You’ll need to think about the policies and restrictions you have in place for mobile devices.
What next: Does my business need Cyber Essentials?
If you don’t already have Cyber Essentials or Cyber Essentials Plus, the easy answer to this question is “yes”.
Find out more about the scheme and how we can help HERE.