Cyber Essentials

Why Adopt The Cyber Essentials Programme?

The government’s Cyber Essentials Programme was developed in collaboration with industry and is intended to help businesses mitigate common online threats.

Operated by the National Cyber Security Centre (NCSC), it was launched in 2014 and has become a widely recognised baseline standard for cybersecurity.

Applicable to organisations of all sizes, it helps those seeking to implement a robust data security strategy to protect both themselves and their clients. It does this by encouraging organisations to adopt good practice in information security, and it includes a simple set of security controls that protect information from external and internal threats.

The controls suggested by Cyber Essentials are designed to prevent basic cyber attacks and come in two formats:

  1. Cyber Essentials – A self-assessed application that addresses basic threats and helps to prevent the most common attacks.
  2. Cyber Essentials Plus (CE+) – The same controls as Cyber Essentials, but rather than being self-assessed, they are independently verified by a certification assessor, and the assessment includes a vulnerability scan.

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of business can implement and build upon. The government believes that implementing these measures can significantly reduce an organisation’s exposure to common attacks. However, it is not a silver bullet that removes all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks, so organisations will need to implement additional measures as part of their security strategy.

The Assurance Framework, which leads to the award of Cyber Essentials Plus certificates, has been designed to be light-touch and achievable at low cost. It is important to recognise that certification only provides a snapshot of cybersecurity practices at the time of assessment.

It is always advisable to run an internal and external network scan before a certification test is booked. The scan will highlight any areas of weakness, giving you time to fix issues and avoid a failure on certification day, or a round of ‘last minute’ fixes whilst the assessor is on-site!

The CE+ process falls into two sections, external and internal. Within these sections the assessor checks the following areas:

External system test details:

  1. Review of customer questionnaire information on ports.
  2. Full-service scan (TCP and UDP service scans).
  3. External vulnerability scan.
  4. Web application testing for common known vulnerabilities, if in scope.

Internal system test details:

  1. Internal vulnerability scan.
  2. Facility walkthrough.
  3. Manual system checks:
     • Unnecessary user accounts
     • Weak passwords
     • User access control (privileges check)
     • Unnecessary software
     • Auto-run feature check
     • Firewall and malware protection checks
     • Review of password, Internet security, starter and leaver, and patch management policies
  4. Email system checks to test for possible weaknesses.
  5. Mobile device checks to confirm that the latest operating system is installed and a password is enabled.

During the test, evidence is required such as audit logs from firewalls and servers.

For businesses that adopt these measures, the benefits can be many, including the ability to tender for contracts that require a Cyber Essentials certified supplier (mandatory for public sector work) and enhanced customer trust and confidence.

Becoming certified also helps to meet GDPR obligations, as the process covers the requirement to understand where personally identifiable information (PII) is held. It can therefore provide evidence for GDPR statements and policies, showing that as an organisation you have considered such issues and had your controls verified by an independent assessor.

Businesses now live with the spectre of cyber attacks as the norm. Adopting Cyber Essentials Plus is one way of taking control and starting the process of fighting back.

Every organisation can benefit from added protection. Call us on 0844 586 0040, or email [email protected] and we’ll be happy to advise you.

Cloud security

Should You Rely On Your Cloud Provider’s Security?

Storing data in the Cloud has really only been ‘a thing’ during the last decade, but most enterprises now have some kind of cloud presence. So the question arises: just how secure is your data once it is there?

Many organisations consider that because data is stored in the Cloud by a third party, the burden of responsibility moves from themselves to their service provider. They would be wrong: the provider secures the underlying platform, but the final responsibility for the data, and for how access to it is configured, remains theirs.

Of course, cloud storage offers convenience, reliability, scalability, cost savings and, yes, security. However, this needs to be underpinned by some baseline strategies before data is moved across.

Firstly, ensure access to data is secured using multi-factor authentication. This should be set up for all accounts, but especially for administrator accounts, which attackers target because of their high-level access privileges.

As human error remains the number one cause of cyber attacks, it is critical to train employees continually, keep them up to date with security protocols, and require strong passwords. Only allow access to the areas essential for employees to carry out their work: controlling who has access to data reduces the chances of it falling into the wrong hands.

When an employee leaves the company, do not forget to remove all their access rights and delete their accounts.
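The account-hygiene points above (multi-factor authentication on administrator accounts, least-privilege access, removing leavers) overlap with the CE+ manual system checks listed in the first article (unnecessary user accounts, weak passwords, privilege review). The following script is an added example, not code from the original article or from the Cyber Essentials scheme: it runs those checks over an exported account list so that problems surface before an assessor does. The export format, field names, thresholds and sample records are constructed assumptions; adapt the loader to whatever your directory or cloud IAM console exports.

```python
"""Pre-assessment user-account audit.

Added example (not from the original article): runs the account-hygiene
checks that the CE+ manual system checks and the cloud-access baseline both
call for (unnecessary/dormant accounts, stale passwords, privilege review,
MFA on administrator accounts, leavers still enabled) over an exported
account list. The export format, field names and sample records are
constructed assumptions; adapt the loader to your directory or IAM export.
"""
from datetime import date, timedelta

# Constructed sample export: what a CSV/JSON dump from a directory or cloud
# IAM console might look like after loading. Dates are ISO strings.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "mfa": True,
     "last_login": "2024-05-30", "password_set": "2024-04-01", "employed": True},
    {"user": "bob", "enabled": True, "admin": True, "mfa": False,
     "last_login": "2024-05-29", "password_set": "2023-01-15", "employed": True},
    {"user": "carol", "enabled": True, "admin": False, "mfa": True,
     "last_login": "2023-11-02", "password_set": "2024-03-01", "employed": True},
    {"user": "dave", "enabled": True, "admin": False, "mfa": False,
     "last_login": "2024-05-20", "password_set": "2024-05-01", "employed": False},
    {"user": "svc-backup", "enabled": True, "admin": True, "mfa": False,
     "last_login": None, "password_set": "2022-06-01", "employed": True},
]

AS_OF = date(2024, 6, 1)              # audit date, fixed so the example is reproducible
DORMANT_AFTER = timedelta(days=90)    # no login for 90 days -> "unnecessary" candidate
PASSWORD_MAX_AGE = timedelta(days=365)  # assumed policy: rotate at least yearly


def _days_since(iso, as_of):
    """Days between an ISO date string and the audit date; None if no date."""
    if iso is None:
        return None
    return (as_of - date.fromisoformat(iso)).days


def audit_accounts(accounts, as_of=AS_OF):
    """Return {finding_type: [usernames]} for every check that fired."""
    findings = {
        "leaver_still_enabled": [],   # access not removed when the person left
        "dormant_account": [],        # no login within DORMANT_AFTER (or never)
        "admin_without_mfa": [],      # privileged account with single-factor login
        "stale_password": [],         # password older than PASSWORD_MAX_AGE
    }
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts pose no live risk; skip them
        name = acct["user"]
        if not acct["employed"]:
            findings["leaver_still_enabled"].append(name)
        idle = _days_since(acct["last_login"], as_of)
        if idle is None or idle > DORMANT_AFTER.days:
            findings["dormant_account"].append(name)
        if acct["admin"] and not acct["mfa"]:
            findings["admin_without_mfa"].append(name)
        pw_age = _days_since(acct["password_set"], as_of)
        if pw_age is not None and pw_age > PASSWORD_MAX_AGE.days:
            findings["stale_password"].append(name)
    return findings


def privileged_accounts(accounts):
    """Privilege review: list enabled admin accounts so each can be justified."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["admin"])


if __name__ == "__main__":
    for kind, users in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{kind}: {', '.join(users) or '-'}")
    print("admins to justify:", ", ".join(privileged_accounts(SAMPLE_ACCOUNTS)))
```

Run against the sample data, the audit flags the leaver whose account is still live, the two accounts nobody has used in 90 days (including a service account that has never logged in), and the two administrators without MFA. The privilege list is deliberately separate: every administrator account should have a written justification, not only the ones that trip another check.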

Know what data you have and where it is stored. This is important not only as a good security practice but for any Subject Access Requests you may receive under GDPR. If your data is scattered, your only resort is to use a data discovery tool to find it.
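As an added example, not code from the original article or from any particular product, the following is a minimal data discovery scanner of the kind the paragraph above refers to. It runs a few detectors (email address, UK National Insurance number, UK mobile number) over a constructed set of in-memory file contents and reports which files hold personal data, which is the raw material for a data inventory or for answering a Subject Access Request. The detectors, file paths and contents are assumptions; a real scan would walk a file share or cloud bucket and cover the data categories relevant to the organisation.

```python
"""Minimal data discovery: locate personal data across a set of files.

Added example (not from the original article): a small scanner of the kind
the text calls a "data discovery tool", applied to a constructed set of
in-memory file contents. The detectors (email address, UK National Insurance
number, UK mobile number) and the sample files are assumptions; a real
scan would walk a file share or cloud bucket and cover the data categories
relevant to the organisation.
"""
import re

# Constructed sample "files" (path -> contents) standing in for a file share.
SAMPLE_FILES = {
    "hr/new-starters.csv": "name,email,ni\nJane Doe,jane.doe@example.co.uk,QQ123456C\n",
    "sales/pipeline.txt": "Call Bob back on 07700 900123 about the renewal.\n",
    "eng/README.md": "Build with make; see docs/ for details.\n",
    "finance/old-payroll.txt": "Ref AB123456D paid 2019-03-01\n",
}

# Detector patterns. Constructed for illustration; tune them to your own data.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK NI number: two letters, six digits, suffix A-D (spaced variants ignored here)
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    # UK mobile number written as 07xxx xxxxxx, with or without the space
    "uk_mobile": re.compile(r"\b07\d{3}\s?\d{6}\b"),
}


def scan_text(text):
    """Return {detector_name: match_count} for the detectors that fired."""
    hits = {}
    for name, pattern in DETECTORS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def discover(files):
    """Map each file path to its personal-data hits; files with no hits are omitted."""
    report = {}
    for path, contents in files.items():
        hits = scan_text(contents)
        if hits:
            report[path] = hits
    return report


def files_with_pii(files):
    """Sorted list of paths holding personal data, ready for a data inventory."""
    return sorted(discover(files))


if __name__ == "__main__":
    for path, hits in discover(SAMPLE_FILES).items():
        summary = ", ".join(f"{k}={v}" for k, v in sorted(hits.items()))
        print(f"{path}: {summary}")
```

Note that the scanner reports only counts and locations, never the matched values themselves: a discovery report that copies every email address and NI number it finds into a new file has just created one more place where personal data is stored. The old payroll file in the sample is the typical finding such a scan produces, data nobody remembered was still there.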

Understand the importance of each category of data and ask yourself what the consequences would be should that data be leaked, tampered with or deleted. Would you face regulatory fines or incur revenue losses? Would it affect you operationally?

Email is critical to any business’s operations, and we can’t live without it. Be sure that your email service is as secure as it can be, and remember that it is always best to be sceptical of any email you receive and to keep the spam warning signs in mind.

Finally, back up! You can choose to back up with another cloud provider, or locally on an external hard drive or disk. You can also keep copies off-site, but make sure the backup data is encrypted for extra protection.

Data protection is not only an important part of maintaining trusting relationships with customers, suppliers and stakeholders; it is also a legal requirement, and you could suffer real consequences if you experience a breach because you have not taken the necessary steps to keep your data secure.

Relying solely on your cloud provider is not an option.