
Security is important to all organisations and that importance pre-dates the new data protection regulations, which define new legal responsibilities around maintaining the security of personal data.  A challenge for many organisations has been in identifying what needs to be protected, how to provide protection and how to demonstrate a commitment to security.

International standards, such as ISO 27001, exist which provide a framework for organisations to achieve an accreditation that demonstrates that they have an Information Security Management System that covers the processes, technology, documentation and people aspects of a secure framework. A challenge for many organisations is the time and expense of achieving and maintaining that level of certification.

What Benefits Can Cyber Essentials Provide?

Cyber Essentials is a Government-backed scheme, which has the backing of key business bodies, and sets out a practical framework of 5 key control areas that organisations can use to secure information.  Cyber Essentials provides certification that can be applied to any business size and which can be implemented as a standalone certification or alongside ISO 27001.

Adoption of Cyber Essentials, which, according to the UK Government, should prevent the vast majority of the types of cyber security attacks that organisations face, has been driven through a combination of education and encouragement.  Adoption has also, in part, been driven by it being a requirement in bidding for some Government contracts.

Achieving Cyber Essentials certification:

  • Reassures customers that you take cyber security seriously
  • Lists you in the Directory of organisations that have been awarded Cyber Essentials
  • Can attract new business
  • Protects your assets, productivity and people

The 5 Control Areas that Cyber Essentials Covers Are:

1  Secure Your Internet Connection

Internet connectivity can be secured by boundary firewalls at the perimeters of your networks, but, in an increasingly mobile world, you also need to consider the protection of information and devices when they are outside the more traditional boundaries. By default, you should define what traffic is necessary and allowed and block unnecessary connections. This can be achieved with network controls, such as a firewall, and also on individual systems and devices with the use of suitable software.

2  Secure Your Devices and Software

Ensure that you don’t use default settings for applications and passwords – these are likely to be widely known. Ensure that password policies are well implemented and are followed.

It is increasingly easy now to add “two-factor authentication” to systems. This greatly enhances security by requiring access to have a combination of something you know, such as a password, and something you have, for example a fingerprint or access to a mobile device that has an authenticator application or can simply receive verification texts.

3  User Access Control

A common way in which systems can be attacked is through users who have privileged access to information and systems when there is no justification for them to do so. This opens up the risk both of deliberate attacks and of malicious software, running in the background, taking advantage of the permissions that have been given to users to steal information or cause damage.

Another weakness that organisations face arises from people being allowed to install their own software from unauthorised and unverified sources. Controls can be easily added to ensure that people are restricted to installing software from verified sources.

4  Malware Protection

Malware (malicious software) is a very common way in which systems can be attacked. It can arrive in authorised software, through e-mail, through portable media such as USB memory sticks, and through weaknesses in out-of-date software. It is a further reason why user access control is important.

Protecting against Malware can be achieved with simple and well-known methods:

  • Install anti-virus and malware protection on servers, workstations and mobile devices
  • Use a robust e-mail filtering system, such as Mimecast, to protect against email threats
  • Restrict what applications users can run and which websites they can visit
  • Use “sandboxed” environments to isolate the access that applications have from the rest of your systems

5  Keep Devices and Software Up-to-Date

Some of the most widely reported and severe data breaches have arisen due to software not being kept up-to-date. It is essential that systems are kept up-to-date with “patches” which contain feature updates and bug-fixes. It is also important that an inventory is maintained so that you know when the support for an application will expire and when you will no longer receive security patches.

A lot of patching can be easy and free: most software suppliers provide a simple way for you to enable applications to “auto-update”. However, you also need to consider compatibility between applications and new software releases, which may incur licence fees.

Compatibility of new releases is a consideration: updating one system could cause difficulties with another and you may need regular help and advice in developing a policy for keeping systems up-to-date, planning ahead for new releases and also looking at the lifecycle of your inventory.
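The inventory the section above recommends is only useful if something regularly reads it and tells you which items are behind on patches or approaching end of support. The following added example (not part of the original post or of Brighter Connections' services) runs that check over a small constructed inventory: it flags installed versions older than the latest available, items whose vendor support has already ended, and items whose support ends within a planning horizon. Product names, versions and dates are all made up.

```python
from datetime import date, timedelta

# Constructed sample inventory; names, versions and dates are invented for illustration.
INVENTORY = [
    {"name": "web-server",   "installed": "2.4.3",  "latest": "2.4.7",  "support_end": "2020-12-31"},
    {"name": "office-suite", "installed": "16.0.1", "latest": "16.0.1", "support_end": "2018-09-15"},
    {"name": "pdf-reader",   "installed": "9.1",    "latest": "9.1",    "support_end": "2018-05-01"},
    {"name": "vpn-client",   "installed": "1.9.2",  "latest": "1.10.0", "support_end": "2019-06-30"},
]


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints so that 1.10.0 compares
    greater than 1.9.2 (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in version.split("."))


def parse_date(text: str) -> date:
    """Parse an ISO 8601 date (YYYY-MM-DD)."""
    return date.fromisoformat(text)


def assess(inventory, today: date, warn_days: int = 90):
    """Return a list of (name, [issues]) for every inventory item that needs
    attention: a patch is available, support has ended, or support ends soon."""
    findings = []
    for item in inventory:
        issues = []
        if parse_version(item["installed"]) < parse_version(item["latest"]):
            issues.append(f"patch available ({item['installed']} -> {item['latest']})")
        end = parse_date(item["support_end"])
        if end < today:
            issues.append(f"unsupported since {end.isoformat()}: no further security patches")
        elif end - today <= timedelta(days=warn_days):
            issues.append(f"support ends {end.isoformat()}: plan the upgrade now")
        if issues:
            findings.append((item["name"], issues))
    return findings


def report(inventory, today: date) -> str:
    """Render the findings as plain text suitable for an e-mail or ticket."""
    lines = []
    for name, issues in assess(inventory, today):
        for issue in issues:
            lines.append(f"{name}: {issue}")
    return "\n".join(lines) if lines else "inventory up to date"


if __name__ == "__main__":
    print(report(INVENTORY, date(2018, 7, 1)))
```

The version comparison is the part most often done wrong in home-grown scripts: comparing "1.9.2" and "1.10.0" as strings reports the older release as newer, so an available patch would be silently missed. Real feeds of "latest version" and "end of support" dates come from vendor notices or a tool such as a patch-management agent; this script only shows the logic applied once those values are in the inventory.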

How Can We Help You Achieve Cyber Essentials Certification?

Brighter Connections provide a number of solutions to help you achieve Cyber Essentials Certification, many of which are available to buy online at www.managedservices.co.uk.  We do this through a combination of our partnership with IT Governance, who provide toolkits, advice and certification and our own products and services that will get you in shape and then maintain your systems.

The Cyber Essentials Certification itself costs £300, with an additional 15% discount available until 31/07/18. It can be ordered by any organisation that is ready to go for certification with no further assistance.

If you need to “get a little help” then we provide the Cyber Essentials certification toolkit, which will provide access to the certification, a helpful toolkit and 2 hours of online advice.

We also provide full support to get you through the process and would be very happy to discuss your needs with you. Examples of the areas that we help with are:

  1. Secure Your Internet Connection: Boundary firewalls and also firewall software that can be installed and managed on your devices.
  2. Secure Your Devices and Software: We configure new and existing systems for customers and provide advice and assessments. Our managed services include ongoing management and enforcement of your password policy.
  3. User Access Control: Help, audits and ongoing management of your user access controls. We have particular skills in securing Office 365 and are asked to provide independent assessments of Microsoft configurations.
  4. Malware Protection: We provide a comprehensive set of solutions to protect against malware, including e-mail protection, anti-virus and mobile device management controls.
  5. Keep Devices and Software Up-to-Date: Our fully managed service includes maintenance of your software and hardware inventory, software patching and we will notify you when you need to plan for solution upgrades to keep your systems current.

Next Steps

Cyber Essentials provides a great framework to health check your security provision, to protect your organisation from the most common types of attacks and demonstrate your commitment to security to customers, suppliers and employees.

Cyber Essentials accreditation toolkits can be ordered online here

For more information on Cyber Essentials and other ways in which certifications and technology can be used to protect your organisation, please call us on 0330 088 9999 or email online@managedservices.co.uk