If you were looking for help to improve your business’s cyber security, a good place to start would be the UK’s National Cyber Security Centre, part of GCHQ, whose role is to keep the country secure against cyber attacks. So when they provide free advice, you’d expect most businesses to be rushing to implement it. However, you’d be wrong. The NCSC has developed a security tool to help organisations protect themselves against the most common cyber threats, but although it’s been available for almost five years, less than ten per cent of UK businesses have implemented it.
This is the Cyber Essentials scheme, which will help to protect your business against the most common cyber threats. Having been certified ourselves to the advanced level, Cyber Essentials Plus, we believe the scheme gives every organisation a solid security baseline which will mitigate the majority of cyber attacks and minimise the damage if something does go wrong, for example when someone accidentally opens a malicious attachment or clicks on a link. It also covers mobile device protection and basic security policies.
The scheme covers five areas of control:
- Ensuring that firewalls are implemented, either for an individual device’s internet connection or for the organisation’s network as a whole.
- Configuring equipment securely, including setting effective passwords and, where appropriate, using two-factor authentication. Fordway tips: it’s also vital to educate users about good password practice. For two-factor authentication, we find that solutions that allow use of a hardware or software token and/or mobile application with a one-time password are preferable, as those that ring or send a text message to a mobile phone are easier for someone with malicious intent to circumvent.
- Controlling who has access to the organisation’s data and services. This includes limiting the number of people who have administrator access, something which we find is given out far too easily. Fordway tip: remember to address this at the design stage of any new IT system, so that security is embedded from the beginning.
- Implementing malware protection, such as antivirus software (e.g. Windows Defender, MacOS XProtect), whitelisting and sandboxing. Any member of staff could bring in a virus from their home computer, but it can quickly be quarantined by local antivirus software.
- Keeping devices and systems up to date with patching – an area which we find many organisations let slip down their ‘to-do’ list. One option is to automate patching, using tools such as SCCM which many organisations will already have within their existing software. Fordway tip: if your organisation has limited time or expertise, patching can be provided via a third party managed service and is even available through the cloud (patching as a service).
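As an added illustration (not part of the Fordway post or the NCSC scheme), the following PowerShell snapshot checks a Windows 10/11 endpoint against the five control areas listed above using only built-in cmdlets; the pass/fail thresholds are assumptions chosen for the example.

```powershell
# Added example: read-only check of one Windows endpoint against the five
# Cyber Essentials control areas. Run in an elevated PowerShell 5.1 session.
$maxAdmins   = 2    # assumed: more local administrators than this is flagged
$maxPatchAge = 14   # assumed: days since the last installed update before flagging
$maxSigAge   = 3    # assumed: days since the last Defender signature update before flagging
$findings = @()

# 1. Firewalls: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# 2. Secure configuration: no enabled local account may log on without a password.
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }) {
    $findings += "Account '$($u.Name)' is enabled but does not require a password"
}

# 3. Access control: size of the local Administrators group, which the post notes
#    is handed out too freely; anything above the threshold is reported with names.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt $maxAdmins) {
    $findings += "Administrators group has $($admins.Count) members: $($admins.Name -join ', ')"
}

# 4. Malware protection: Defender real-time protection on and signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $maxSigAge) {
    $findings += "Defender signatures are $([int]$sigAge.TotalDays) days old"
}

# 5. Patching: date of the newest installed update (Get-HotFix lists OS updates only,
#    so third-party software still needs its own check, e.g. via SCCM reporting).
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $last -or ((Get-Date) - $last.InstalledOn).TotalDays -gt $maxPatchAge) {
    $findings += "No Windows update installed in the last $maxPatchAge days"
}

if ($findings) { $findings | ForEach-Object { Write-Output "FAIL: $_" } }
else { Write-Output "PASS: all five control checks met on $env:COMPUTERNAME" }
```

This is a quick local snapshot, not the assessor's test: the Cyber Essentials questionnaire and the Plus assessment cover the whole estate, including mobile devices and network firewalls that a host-level check cannot see.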
There are two levels of accreditation. Cyber Essentials is an independently verified self-assessment against the five controls, with a qualified assessor verifying the information provided. Cyber Essentials Plus is a higher level of assurance in which a qualified and independent assessor examines the five controls and tests that they work by simulating basic hacking and phishing attacks.
These five controls may seem like obvious security measures. However, get them right and you will protect your organisation against the most common cyber attacks. Don’t just take our word for it – listen to the experts at the NCSC.