
IT professionals must stay ahead of the unprecedented tech changes and resulting IT security challenges, often seeking to simplify IT security as much as possible, especially when their company’s critical data is on the line. Cyber attacks cost businesses thousands of pounds in lost work days, revenue, and lost data, as well as the significant fines associated with GDPR. According to the UK government's official report, nearly half of companies reported a cyber breach in the past year alone. So, how can you keep your network and cyber security up to date to meet the challenges?

The UK government-backed Cyber Essentials certification scheme ensures businesses have the essential tools and processes in place to defend against the common cyber attacks seen today, such as WannaCry or Petya/NotPetya, giving them a core framework that provides confidence in, and ownership of, their cyber security strategy.


Cybercrime is industrialised, with hackers quickly and easily exploiting vulnerabilities on unprotected systems to take money, data, and intellectual property from exposed organisations. All companies must take action to protect themselves, ensuring they have good basic protection in place. Cyber Essentials is the first step in putting those essential controls in place to offer good protection from the most common cyber threats. It establishes a basic level of competence to fend off “known” cyber threats, and makes sure the essential processes are in place so that you maintain your defences over time.

Before you embark on prepping your business for the certification, we’ve rounded up the 5 key steps you can take to ensure your business is Cyber Essentials-ready.

1. Will Your Business Benefit From Being Cyber Essentials Certified?

Unless your organisation already has an active cyber security strategy, with resources focused on maintaining your security, you will certainly benefit from the certification. A missing security update on a single laptop can expose your company to significant threats, like the WannaCry ransomware attack. Similarly, ensuring your antivirus and other security technologies are deployed and up to date across your organisation will help detect and identify known threats.

These breaches are easily avoided by ensuring an effective patch management process that considers both risk and priority: ‘Critical’ security patches should be applied immediately, followed by ‘High-risk’ vulnerabilities, and so on down the severity scale.

Undergoing the certification process will identify your current threats and prepare your organisation to ensure protection from known threats in the future. That's why it’s an excellent idea to be certified, especially for those in retail, financial sectors, government, or healthcare. Many suppliers now require organisations to be Cyber Essentials-certified.

2. Conduct a Vulnerability Scan or Security Assessment

If you haven’t decided to hire an external body to conduct your Cyber Essentials certification (known as Cyber Essentials PLUS) and you’re doing it yourself, you’ll need to perform a vulnerability scan to assess and report on the state of your network security as part of the certification process.

Vulnerability Scanning

Vulnerability scans use tools to assess your IT systems by scanning your network infrastructure, identifying missing software updates, incomplete deployment of security software, or open ports.

These scans should be performed both from within your network, internally, and when outside of the network, externally. It’s called a vulnerability scan because the tools identify the open doors - the known vulnerabilities most commonly exploited by hackers.

For Cyber Essentials compliance these scans should be performed at least quarterly, but they should also be run before you are certified, to prepare your organisation’s defences and confirm that the correct processes are in place to provide a continued level of protection from known cyber threats and the resulting data loss.

74% of scans find critical vulnerabilities

Security Audit & Assessment

Assessing the policies, processes and effectiveness of your current security defences is a critical step in understanding the current status of your information security. Security audits and assessments provide a top-level security evaluation, giving you a framework and road map for developing a robust cyber security strategy. They are also an essential step in preparing for General Data Protection Regulation (GDPR) compliance.

When you (or an external body) conduct a security assessment, you are aiming to understand:

  • the overall state of your security;
  • your current policies and processes;
  • data access rights;
  • any ‘at-risk’ data held by third parties (if external companies have access to your data);
  • any undefended critical threats, and how to defend against an attack;
  • any security technologies not being fully or effectively utilised;
  • how you meet your compliance requirements;
  • how you rank and compare against your industry peers in terms of security risk.

Understanding where your vulnerabilities and threats lie will help you get ready to be Cyber Essentials certified.

3. Research the Certification to Understand Its Components

External auditing bodies understand the steps to get you Cyber Essentials certified, but if you’re doing it yourself, you need to understand the exact steps and what questions to answer.

You’ll have to demonstrate that you have appropriate:

  • Firewalls, preventing unauthorised access.
  • Secure Configuration, setting up systems securely.
  • User Access Control, restricting access only to those who need it.
  • Malware Protection, using anti-virus software.
  • Patch Management, keeping software up to date.
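As an added example (not code from the original post), here is a small Python triage script that takes scan findings of the kinds described in the vulnerability scanning section (open ports, missing patches, missing anti-virus), maps each to one of the five controls listed above, raises the priority of anything reachable from outside the network, and assigns a remediation due date by severity in line with the “critical first, then high-risk” patching order. The hosts, findings, scan date and day-count windows are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Remediation windows per severity in days. The post says critical fixes go in
# immediately, then high-risk items; the specific numbers here are assumptions.
SLA_DAYS = {"critical": 0, "high": 14, "medium": 30, "low": 90}
ORDER = ["low", "medium", "high", "critical"]

# Which of the five Cyber Essentials controls each finding type falls under.
CONTROL_FOR_TYPE = {
    "open_port": "Firewalls",
    "default_credentials": "Secure Configuration",
    "excess_privilege": "User Access Control",
    "no_antivirus": "Malware Protection",
    "missing_patch": "Patch Management",
}

# Constructed sample findings in the shape a scan report might give (not real output).
SAMPLE_FINDINGS = [
    {"host": "web01", "scope": "external", "type": "open_port", "severity": "high",
     "detail": "remote desktop port reachable from the internet"},
    {"host": "laptop-17", "scope": "internal", "type": "missing_patch", "severity": "critical",
     "detail": "operating system security update not installed"},
    {"host": "fileserver", "scope": "internal", "type": "no_antivirus", "severity": "high",
     "detail": "endpoint protection agent not reporting"},
    {"host": "printer-2", "scope": "internal", "type": "default_credentials", "severity": "medium",
     "detail": "admin interface still uses the factory password"},
    {"host": "hr-pc", "scope": "internal", "type": "excess_privilege", "severity": "low",
     "detail": "daily-use account is a local administrator"},
]

def effective_severity(finding):
    """Raise externally reachable findings one level (capped at critical): these are
    the open doors an attacker can reach without first being inside the network."""
    idx = ORDER.index(finding["severity"])
    if finding["scope"] == "external":
        idx = min(idx + 1, len(ORDER) - 1)
    return ORDER[idx]

def build_remediation_plan(findings, scan_date=date(2024, 1, 15)):
    """Tag each finding with its control and due date, most urgent first.
    The default scan_date is a constructed value for the sample data."""
    plan = []
    for f in findings:
        sev = effective_severity(f)
        plan.append({"host": f["host"], "severity": sev, "detail": f["detail"],
                     "control": CONTROL_FOR_TYPE.get(f["type"], "Unmapped"),
                     "due": scan_date + timedelta(days=SLA_DAYS[sev])})
    # Most severe first; within a severity, the earliest due date first.
    plan.sort(key=lambda p: (-ORDER.index(p["severity"]), p["due"]))
    return plan
```

The sorted plan doubles as a readiness checklist: any control that still appears in it is a gap to close before submitting the questionnaire.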

4. Complete the Cyber Essentials Questionnaire

Once you’ve prepared and validated all of your processes to ensure your data security is assured, you can complete the Cyber Essentials questionnaire and send it off to a certified body for certification; alternatively, you can have an external auditor come in and conduct Cyber Essentials PLUS certification for you. An external body will run all necessary checks and tests and advise you on how to meet the requirements and maintain Cyber Essentials compliance.

5. Display Your Certification Badge

Cyber Essentials, particularly Cyber Essentials PLUS compliance, has become a recognised badge of confidence. Once you’ve gone through the other four steps to ensure your readiness and gained your certification, you can proudly display your certification. Cyber Essentials certification tells your customers that you take protecting their data seriously.

All businesses must work to protect themselves from data breaches and their customer data from being exploited, and avoid significant costs from business disruption, time, ransomware payments, and the fines associated with GDPR.