This week the Government launched a review to find out what’s needed to make UK business leaders take cyber security seriously. In our view, a good place to start is the government’s Cyber Essentials scheme, which is based on advice from the UK’s National Cyber Security Centre (NCSC), part of GCHQ.
Cyber Essentials is designed to help organisations protect themselves against the most common cyber threats, give them a solid security baseline which will mitigate the majority of these threats, and demonstrate to their customers that they take cyber security seriously. Having certified cyber security measures in place may also help to attract new customers, and it’s becoming an essential requirement for pitching for public sector contracts, so any business bidding for public sector contracts should be implementing it as a matter of priority.
Having become certified ourselves to the advanced level, Cyber Essentials Plus, we believe the scheme gives organisations a solid security baseline which will mitigate the majority of cyber attacks. The controls it recommends are those which should most directly and measurably mitigate the risk of attack: those which will make a tangible difference to an organisation’s cyber security, and would, for example, minimise the damage if something does go wrong, e.g. someone accidentally opens a malicious attachment. This can happen all too easily, even with the best security training.
Cyber Essentials also includes mobile device protection and basic security policies, and will help with GDPR compliance by demonstrating that the organisation has clearly defined security processes in place, so can be used as a bridge to a more comprehensive standard such as ISO 27001.
The five basic controls recommended by Cyber Essentials are to:
- implement firewalls
- configure equipment securely, including setting effective passwords and, where appropriate, using two-factor authentication
- control who has access to your organisation’s data and service
- implement malware protection, such as antivirus software
- keep devices and systems up to date with patching.
These may seem like obvious security measures, and many organisations will have at least some of them already in place, making the step to Cyber Essentials accreditation relatively straightforward. However, all too often we find that organisations let one or more of these slip as they focus on other priorities. For example, administrator access is given out all too easily to those who do not need it. Instead, we recommend that organisations implement least privilege and default deny policies for each user and each system, with clear processes to elevate rights on approval.
We also find that many organisations have let patching slip down their ‘to-do’ list. It can then quickly become too onerous to tackle! One option is to automate it, using tools such as SCCM, which many organisations will have within their existing software licences. For those with limited time or expertise, patching can be provided via a third party managed service and is even available through the cloud.
Achieving Cyber Essentials certification gives an organisation confidence that it has put the core measures in place to protect its business and its staff against the majority of common cyber attacks. Going through the certification process also reminds users of their own security responsibilities – and no security policy will be successful unless employees adhere to it. Education is key, as users are much more likely to comply if they understand the risks rather than seeing security as a set of annoying rules which prevent them working as they wish. Everyone should be clear on exactly what is and is not allowed, as well as the penalties for policy violations.
However, even the best cyber security cannot be 100 percent effective. Every organisation should have an appropriate level of security monitoring, so it knows if it has been breached and to what extent. As a minimum, this means monitoring and analysing internet traffic flowing out of the organisation to help identify any potential compromises on internal systems. It should also adopt the mentality that one day it will be breached and as a minimum ensure it has a cyber security incident response procedure in place, a backup of all business critical systems and a disaster recovery plan.
If you’d like to discuss your security requirements please contact us for a no-obligation chat with one of our consultants. You can also read a longer discussion of this topic in my recent article in Data Protection magazine.