As a Virtual IT Director, it’s my job to give strategic advice and build my clients an effective IT strategy to help meet their business needs and goals. Of course, one of our significant focus areas is improving business security, but how do we do that?
Security is achieved through a mix of people, processes and technology. Working towards a security certification helps you define your process and guides you on technology choices and how to best train your staff - reducing your cyber security risk.
Over the last four years, I’ve guided clients to achieve Cyber Essentials because it’s an excellent certification we believe everyone should have. It’s designed to make you considerably more secure whilst (with the proper preparation) being straightforward to achieve.
Cyber Essentials is the UK’s government-backed security certification. It is designed to protect against a wide variety of the most common cyber-attacks. It comes in two ‘flavours’ – the base Cyber Essentials, which applies to all businesses of any size and industry, and the more demanding Cyber Essentials Plus.
This post looks at how we achieve (and exceed) the Cyber Essentials Plus certification. It will also give you an idea of what you need to consider to do the same.
The base Cyber Essentials is an entry-level certification:
Having this as a starting point is a great idea. It’s full of recommendations that will make you much more secure, but it isn’t too expensive. The more people reach a base level of ‘Cyber Security Hygiene’, the safer we all are.
Cyber Essentials Plus builds on this:
At Netitude, we favour the Cyber Essentials Plus audit and certification for ourselves because we’re in an industry that requires a high level of security. IT support companies (aka Managed Service Providers) are targeted by cybercriminals because we hold the keys to many other businesses. Therefore, we need to show our clients that we invest in security and take it seriously. For us, Cyber Essentials Plus is just the starting point, and we have processes and technology above and beyond this.
The Cyber Essentials framework covers five control areas: Firewalls, Secure Configuration, User Access Controls, Security Update Management and Malware Protection. Although it doesn’t cover backups, the guidance gives them an honourable mention.
In brief, Cyber Essentials is looking for your network to have the following correctly configured: Unified Threat Management or firewall devices in your offices, host firewalls force-enabled on workstations, default usernames and passwords changed, local admin rights removed, an enforced strong password policy, Multi-Factor Authentication used everywhere, centralised patch management and managed antivirus. For Plus, you’ll also need a vulnerability scanner.
An IT audit and review process is key: the best firewall will not pass (or keep you secure!) if it is not correctly configured. If you’re not reviewing alerts or failures, you won’t know if antivirus agents are failing to update or if someone temporarily disabled Multi-Factor. If you’re fortunate, you’ll find out during a Cyber Essentials audit; if not, you may not find out until you’re dealing with a breach! Luckily, our clients don’t have to worry about these things because we’ve got it covered.
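The review process described above can be partly automated: a script that takes the fleet inventory your RMM or endpoint tooling already exports and checks each device against the five control areas, flagging exactly the silent failures mentioned here (a host firewall switched off, stale antivirus definitions, MFA disabled, unexpected local admins, patches falling behind). The following is an added example, not code from the original post or from Netitude's own tooling. The `Device` record, the thresholds, the `ALLOWED_LOCAL_ADMINS` set and the sample fleet are all constructed assumptions for illustration; the 14-day patch window mirrors the expectation commonly applied to critical and high-severity updates, the other thresholds are simply chosen for the example.

```python
"""Audit a constructed fleet inventory against the five Cyber Essentials control areas.

Added example: the record layout, thresholds and sample data are assumptions,
not output of any real inventory tool.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple

# Thresholds for this example (assumptions). The patch window reflects the usual
# 14-day expectation for critical/high updates; the others are illustrative.
MAX_PATCH_AGE_DAYS = 14
MAX_AV_DEFINITION_AGE_DAYS = 3
# Break-glass account that is centrally managed, so it is allowed to stay (assumption).
ALLOWED_LOCAL_ADMINS = {"Administrator"}


@dataclass(frozen=True)
class Device:
    """One row of a (hypothetical) endpoint inventory export."""
    name: str
    host_firewall_enabled: bool
    default_credentials_changed: bool
    local_admins: Tuple[str, ...]
    mfa_enforced: bool
    password_policy_enforced: bool
    last_patch_installed: date
    av_installed: bool
    av_definitions_updated: Optional[date]  # None when no agent is reporting


def audit_device(device: Device, today: date) -> List[str]:
    """Return a list of 'Control area: finding' strings; empty means compliant."""
    findings: List[str] = []

    # Firewalls: a managed device must keep its host firewall on.
    if not device.host_firewall_enabled:
        findings.append("Firewalls: host firewall disabled")

    # Secure Configuration: vendor defaults must have been changed.
    if not device.default_credentials_changed:
        findings.append("Secure Configuration: default username/password still in use")

    # User Access Controls: no unexpected local admins, password policy and MFA enforced.
    extra_admins = sorted(set(device.local_admins) - ALLOWED_LOCAL_ADMINS)
    if extra_admins:
        findings.append(
            "User Access Controls: unexpected local admins " + ", ".join(extra_admins)
        )
    if not device.password_policy_enforced:
        findings.append("User Access Controls: password policy not enforced")
    if not device.mfa_enforced:
        findings.append("User Access Controls: multi-factor authentication not enforced")

    # Security Update Management: patches must be landing within the window.
    patch_age = (today - device.last_patch_installed).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"Security Update Management: last patch installed {patch_age} days ago")

    # Malware Protection: an agent must be present and its definitions current.
    if not device.av_installed:
        findings.append("Malware Protection: no antivirus agent installed")
    elif (
        device.av_definitions_updated is None
        or (today - device.av_definitions_updated).days > MAX_AV_DEFINITION_AGE_DAYS
    ):
        findings.append("Malware Protection: antivirus definitions stale or not reporting")

    return findings


def audit_fleet(devices: Sequence[Device], today: date) -> Dict[str, List[str]]:
    """Map device name -> findings, including only devices that fail at least one check."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings = audit_device(device, today)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory: one compliant workstation, one with several gaps,
# one server whose antivirus agent is missing.
AUDIT_DATE = date(2024, 3, 1)
SAMPLE_FLEET = (
    Device("ws-01", True, True, ("Administrator",), True, True, date(2024, 2, 20), True, date(2024, 2, 29)),
    Device("ws-02", False, True, ("Administrator", "jsmith"), False, True, date(2024, 1, 1), True, date(2024, 2, 1)),
    Device("srv-01", True, True, ("Administrator",), True, True, date(2024, 2, 25), False, None),
)

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, AUDIT_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample fleet, the report lists ws-02 with five findings across four control areas and srv-01 with a single Malware Protection finding, while ws-01 does not appear at all. The point of keeping the checks per control area is that the same script doubles as the evidence pack for the quarterly review: a device that drops out of compliance between assessments shows up the next time the export is run, rather than at the annual audit.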
We meet the areas with the following:
We practice what we preach and apply at least the same standards that we do to our clients to ourselves, including our own internal audits, reviews, and reports to our management team.
We go above and beyond Cyber Essentials Plus for ourselves for two reasons:
We invest in the right additional tools to keep ourselves, and therefore our clients, secure:
We agree on a target date for Cyber Essentials Plus pass with our clients based on how large a gap our audit reveals and their requirements. Sometimes this will be a configuration update with existing systems; other times, hardware or software will need to be deployed as part of a project. In all cases, we fully deploy our ‘stack’ of support software and tools, which all helps get closer to a pass.
Our focus on proactive maintenance and additional quarterly auditing means we keep our clients at Cyber Essentials standards throughout the year – not just the assessment. In addition, our internal standards and processes mean that as standards change, we can update existing software and equipment, and new installations will go in Cyber Essentials ready.
Once we start the audit, we will complete the self-assessment questionnaire and send it back for review and approval. This is submitted to the Cyber Essentials auditor, and we can move on to the independent verification stage of the Plus certification.
Dates will be set for the independent auditor to undertake tasks like the ones below:
We use the same tools and processes on ourselves as we do with our clients. Everything is already set up to meet requirements before we start the audit, so we can be confident we can get our clients to pass Cyber Essentials Plus the first time.
All businesses should be working towards a Cyber Security certification nowadays. Basic Cyber Security Hygiene is not a secret: it has been established for years, and it can be as easy as configuring what you already have correctly. The security landscape has never looked so threatening; don’t be low-hanging fruit.
Cyber Essentials Plus is more rigorous and a better fit for organisations in high security, regulated, or highly targeted industries (manufacturing, financial, health care). As a result, you can feel more confident that you won’t suffer disruption or loss from more advanced or targeted attempts.
Netitude has been helping clients achieve Cyber Essentials since its launch in 2014. In fact, we were one of the first companies in the country to achieve a pass. Our support services are built to give clients the tools and processes necessary to meet and maintain Cyber Essentials Plus requirements.
If you'd like to talk to one of our experts about achieving Cyber Essentials Plus for your business, get in touch or book a meeting!