
Why do Businesses need the Cyber Essentials Programme?

The government’s Cyber Essentials Programme was developed in collaboration with industry and is intended to help businesses mitigate common online threats.

It was launched in 2014 and is now operated by the National Cyber Security Centre (NCSC). It has become the recognised baseline for cybersecurity in UK organisations.

Helping build robust data security strategies 

Applicable to organisations of all sizes, from small to large, it helps those seeking to implement a robust data security strategy in order to protect both themselves and their clients.

It does this by encouraging organisations to adopt good practice in information security, and it defines a simple set of five technical controls (firewalls, secure configuration, user access control, malware protection and patch management) to protect information from threats coming from the Internet.

Most cyber attacks are basic in form and are often carried out by relatively unskilled individuals using widely available tools. The controls required by the Cyber Essentials scheme are designed to prevent exactly these attacks.

Cyber Essentials formats

Cyber Essentials comes in two formats:

  1. Cyber Essentials – a self-assessment questionnaire, reviewed by a Certification Body, that addresses basic threats and helps to prevent the most common attacks.
  2. Cyber Essentials Plus – covers the same controls as Cyber Essentials but, rather than relying on self-assessment, requires hands-on technical verification carried out independently by a Certification Body, including vulnerability scans of the in-scope systems. This is a more rigorous form of certification and is better at demonstrating to potential customers that your data security position is good and has actually been tested.

The scheme offers a sound foundation of basic hygiene measures that all types of businesses can implement and build upon. The government believes that implementing these measures can significantly reduce an organisation’s vulnerability. However, it is not a silver bullet that removes all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks, so organisations facing those threats will need to implement additional measures as part of their security strategy. What it does do is define a focused set of controls that provide cost-effective, basic cybersecurity for organisations of all sizes.

The Assurance Framework for Cyber Essentials

The Assurance Framework, leading to the award of Cyber Essentials and Cyber Essentials Plus certificates, has been designed in consultation with SMEs to be light-touch and achievable at low cost. The two options give a choice over the level of assurance obtained, and over the cost of obtaining it. It is important to recognise that certification only provides a snapshot of cybersecurity practices at the time of assessment, which is why certificates are valid for twelve months and must be renewed annually. Maintaining a robust cybersecurity stance requires additional measures, such as a sound risk management approach and ongoing attention to the control themes, in particular patching. But the scheme does offer the right balance between demonstrating a commitment to cybersecurity to third parties and retaining a simple, low-cost mechanism for doing so.

Delivering many benefits

For businesses willing to adopt these measures, the benefits can be many, including: the ability to tender for contracts that require a Cyber Essentials certified supplier, enhanced customer trust and confidence, market differentiation and competitive advantage, protection of company assets and IP, mitigation of common cyber threats, and reduced insurance premiums.

The General Data Protection Regulation (GDPR) 

Becoming certified also helps to meet the security requirements of GDPR. For example, GDPR requires that you control who has access to personal data and understand where that data is held, and Article 32 requires appropriate technical measures to secure it. Cyber Essentials covers these areas and can therefore provide supporting evidence for your GDPR statements and policies that, as an organisation, you have considered them; with Cyber Essentials Plus, that the controls have been verified by an independent assessor. Certification is not, on its own, GDPR compliance: it addresses the technical controls, not the wider obligations around lawful processing, retention and data subject rights.

Businesses now live with the spectre of cyber attacks as the norm. Adopting the Cyber Essentials scheme is one way of taking control and starting the process of fighting back.

Every organisation can benefit from added protection. Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.


Coming to terms with a ‘man in the middle attack’

The term ‘man in the middle attack’ is becoming well known as more instances of it are reported.

What is a ‘Man in the middle attack’?

What exactly does ‘man in the middle attack’ mean?  It is when a cyber-criminal secretly intercepts, and possibly alters, communication between two parties who both believe they are communicating directly with each other.

A common example is where the cyber-criminal, having compromised or convincingly spoofed the email account of one party, uses bogus emails to trick a solicitor into paying the proceeds of a house sale into the criminal’s own bank account rather than that of the bona fide recipient. The emails look like a continuation of a genuine conversation, which is what makes the changed bank details believable.

Another example is where an Internet connection is intercepted, often because a user does not check that they are joining a legitimate Wi-Fi network. The hacker uses a device to emulate the real Wi-Fi in, say, a hotel, and the unsuspecting victim connects to it. The hacker lets them browse as normal until the victim goes to a site of interest, such as online banking. The hacker then lets the user log in but breaks the connection to the victim while keeping the session to the bank open. The victim assumes the connection was lost due to the hotel’s poor Wi-Fi, while the hacker continues to empty the victim’s account. In practice this only works if the traffic is unencrypted or the victim clicks through a certificate warning: a site served over HTTPS with a valid certificate cannot be read or hijacked by whoever controls the Wi-Fi, which is why browsers make those warnings so prominent.

These attacks expose weaknesses in an organisation’s data security strategy. Either the business has been infected with malware that allows its systems or mailboxes to be monitored, it may be an insider attack, where someone with internal system access is selling information to third parties, or it may simply be poor user education and a lack of monitoring.
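As an added example, not from the original article, the following Python checks inbound message headers for the sender tricks behind this kind of fraud: a known contact’s display name on an address at a different domain, a lookalike or homoglyph domain, and a Reply-To that points somewhere other than the sender. The contact list, the domains and the sample headers are all constructed for illustration.

```python
"""Flag e-mails whose sender impersonates a known contact.

Added example for illustration; the contacts, domains and headers below
are constructed and do not refer to real organisations.
"""
from email.utils import parseaddr

# Constructed: display names we expect to see, mapped to the domains that
# contact genuinely sends from.
KNOWN_CONTACTS = {
    "jane smith": {"smithconveyancing.co.uk"},
    "acme solicitors": {"acmesolicitors.com"},
}


def normalise(domain):
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(headers):
    """Return a list of reasons the message looks like impersonation (empty = clean)."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []

    # 1. A trusted display name on an address we have never seen that person use.
    allowed = KNOWN_CONTACTS.get(name.strip().lower())
    if allowed is not None and domain not in allowed:
        reasons.append(f"display name '{name}' but sender domain {domain} "
                       f"is not one of {sorted(allowed)}")

    # 2. A domain that is a homoglyph or a couple of edits away from a real one.
    for good in set().union(*KNOWN_CONTACTS.values()):
        if domain == good:
            continue
        if normalise(domain) == normalise(good):
            reasons.append(f"homoglyph lookalike of {good}: {domain}")
        elif edit_distance(domain, good) <= 2:
            reasons.append(f"lookalike domain: {domain} is within 2 edits of {good}")

    # 3. Replies silently redirected to a mailbox the attacker controls.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append(f"Reply-To domain {reply.rpartition('@')[2]} differs from From domain")
    return reasons


# Constructed sample headers: one genuine message and three impersonation attempts.
SAMPLE_MESSAGES = [
    {"From": "Jane Smith <jane@smithconveyancing.co.uk>"},      # legitimate
    {"From": "Jane Smith <jane@srnithconveyancing.co.uk>"},     # 'rn' standing in for 'm'
    {"From": "Jane Smith <jane.smith@gmail.example>",           # right name, wrong domain
     "Reply-To": "completions@accounts-update.example"},        # and replies diverted
    {"From": "Accounts <accounts@acmesolicitor.com>"},          # one letter dropped
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", check_sender(msg) or "OK")
```

A real deployment would feed this from the mail gateway and treat any hit on a message that mentions bank details as a reason to confirm the instruction by telephone using a number already on file, never one taken from the email itself.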

Data protection rackets

Increasingly, incidents of data protection rackets are being reported, in which malware is embedded in an organisation’s systems and cunningly hidden. These attacks are designed to go undetected while the data held by the organisation is scanned. The objective is that, when valuable data is found or a file is changed, such as a modification to intellectual property, the content is sent to the hacker, who can then sell the information on to competitors. Another target is an organisation bidding for a large contract: the hacker gains access to the proposal and sells it to competing bidders so they can undercut it. Over time the hacker may make the organisation aware of this activity and, just like the old-fashioned protection rackets of the Prohibition era, demand money in return for not releasing the information.

A ‘man in the middle attack’ is not confined to email correspondence. It can equally affect voice communications, as most telephone systems now use VoIP (Voice over Internet Protocol), and any web traffic that is not encrypted.

Systems must be strengthened

Steps must be taken to strengthen systems against such attacks. Strong internal controls and audit procedures are needed to stop malware infiltrating systems in the first place and taking over the network.

Adopting advanced threat protection is vital, as it blocks malicious processes before they start and stops malware attacks immediately. It can also signal unusual behaviour by staff and systems, for example showing when an application is sending data out when it should not.

And of course robust internal controls and checks should be applied when using support companies, together with regular review of system logs and user access, to understand who is touching the data and to ensure that the access is normal. Anything odd should raise a flag.

Emails should be secured, especially if personal data is being sent: use transport encryption and, where possible, signing or end-to-end encryption so that a message cannot be altered in transit. Any instruction that changes bank details or payment arrangements should be confirmed over a separate channel, such as a telephone call to a number already on file. Delivery and read receipts are not a substitute for this, since they are under the control of the receiver, who can block them in Outlook, and they say nothing about whether the message was tampered with.
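The log review described above can be automated with a baseline of what each user normally does. The following Python is an added example, not from the original article: it learns each user’s usual machines, working hours and daily file volume from one period of a data-access log, then flags later events that fall outside that pattern. The log format, the users and every event are constructed for illustration.

```python
"""Flag data access that departs from each user's normal pattern.

Added example; the log format, users and events are constructed.
Each constructed line is: <ISO timestamp> user=<id> host=<machine> file=<path>
"""
from collections import defaultdict
from datetime import datetime

# Constructed: two normal working days used to learn the baseline.
BASELINE_LOG = """\
2023-03-01T09:12:04 user=alice host=ws-alice file=/clients/smith-sale.docx
2023-03-01T10:40:19 user=alice host=ws-alice file=/clients/jones-purchase.docx
2023-03-01T11:05:00 user=bob host=ws-bob file=/bids/tender-2023.docx
2023-03-02T09:30:11 user=alice host=ws-alice file=/clients/smith-sale.docx
2023-03-02T14:02:55 user=bob host=ws-bob file=/bids/tender-2023.docx
2023-03-02T15:15:15 user=bob host=ws-bob file=/bids/pricing.xlsx
"""

# Constructed: the day under review, in which 'bob' pulls the whole bid
# folder late at night from a machine he has never used before.
REVIEW_LOG = """\
2023-03-03T09:05:02 user=alice host=ws-alice file=/clients/smith-sale.docx
2023-03-03T23:41:37 user=bob host=vpn-gw-7 file=/bids/tender-2023.docx
2023-03-03T23:42:10 user=bob host=vpn-gw-7 file=/bids/pricing.xlsx
2023-03-03T23:42:31 user=bob host=vpn-gw-7 file=/bids/cost-model.xlsx
2023-03-03T23:43:00 user=bob host=vpn-gw-7 file=/bids/cover-letter.docx
2023-03-03T23:43:20 user=bob host=vpn-gw-7 file=/bids/contract-terms.docx
2023-03-03T23:43:45 user=bob host=vpn-gw-7 file=/bids/references.docx
2023-03-03T23:44:02 user=bob host=vpn-gw-7 file=/bids/staff-cvs.pdf
"""


def parse(log_text):
    """Turn the constructed log lines into dicts with a parsed 'time'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def build_baseline(log_text):
    """Per user: hosts seen, hour range seen, and busiest day's file count."""
    acc = defaultdict(lambda: {"hosts": set(), "hours": set(), "per_day": defaultdict(int)})
    for e in parse(log_text):
        b = acc[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["time"].hour)
        b["per_day"][e["time"].date()] += 1
    return {u: {"hosts": b["hosts"],
                "lo_hour": min(b["hours"]), "hi_hour": max(b["hours"]),
                "max_per_day": max(b["per_day"].values())}
            for u, b in acc.items()}


def review(log_text, baseline, volume_factor=3, hour_slack=1):
    """Return one finding per (user, day, kind) for events outside the baseline."""
    findings, seen, per_day = [], set(), defaultdict(int)

    def flag(e, kind, detail):
        key = (e["user"], e["time"].date(), kind)
        if key not in seen:           # report each kind once per user per day
            seen.add(key)
            findings.append({"time": e["time"].isoformat(), "user": e["user"],
                             "kind": kind, "detail": detail})

    for e in parse(log_text):
        b = baseline.get(e["user"])
        if b is None:
            flag(e, "unknown_user", "no baseline for this account")
            continue
        if e["host"] not in b["hosts"]:
            flag(e, "new_host", f"{e['host']} never seen for this user")
        # Crude tolerance: an hour either side of the observed working window.
        if not (b["lo_hour"] - hour_slack <= e["time"].hour <= b["hi_hour"] + hour_slack):
            flag(e, "out_of_hours", f"access at {e['time']:%H:%M}, "
                                    f"usual window {b['lo_hour']:02d}-{b['hi_hour']:02d}h")
        per_day[(e["user"], e["time"].date())] += 1
        n = per_day[(e["user"], e["time"].date())]
        if n > volume_factor * b["max_per_day"]:
            flag(e, "volume", f"{n} files today vs baseline max {b['max_per_day']}")
    return findings


if __name__ == "__main__":
    for f in review(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{f['time']} {f['user']:6} {f['kind']:13} {f['detail']}")
```

Two days of history is far too little for a real baseline; in practice the learning window would be weeks, the thresholds tuned per role, and the findings routed to whoever owns the data rather than printed. The point is the shape of the check: compare every access against what that account normally does, and let anything new in host, time or volume raise a flag.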

Adopting Cyber Essentials Plus

The Cyber Essentials Plus Certification can help here too. Cyber Essentials is a government information assurance scheme, launched in 2014 and now operated by the National Cyber Security Centre (NCSC), that has become the recognised baseline for cybersecurity in UK organisations.

It works by encouraging organisations to adopt good practice in information security and by defining a simple set of security controls to protect information from threats coming from the Internet.

Cyber Essentials Plus requires independent technical verification of those controls by a Certification Body, making it the more rigorous form of certification.

Joining the scheme ensures that systems are assessed regularly and weaknesses dealt with, reducing the risk of security breaches in general, not just ‘man in the middle’ attacks.

Every organisation can benefit from added protection.

Give us a call on 0844 586 0040, or email [email protected], and we’ll be happy to advise you.