With the continued rise in hybrid and remote working, the risk of a possible cyber-attack on your business becomes a real possibility. Four in ten businesses have been the victim of a cyber-attack in the last year alone.
Quite amazingly, 4 in 5 businesses, still have no form of cyber security certification in place at present.
A cyber-attack on your business could have a serious impact in several areas. In many cases your data may be held to ransom, preventing you from trading effectively until the breach is fully resolved. Run your business through online banking? Advanced attacks could potentially gain access to that information too. Aside from the potential theft of funds, data and the time in which you are unable to trade, there is the reputational damage to consider.
Many businesses and organizations will not be willing to trade with a business who has recently been hacked. In fact many organisations now require that you be Cyber Essentials Certified before entering into a trading relationship.
As experts in this field, this is exactly what we recommend as a first step to becoming more cyber resilient – get Cyber Essentials Certified.
What is Cyber Essentials?
Launched in 2014, Cyber Essentials is a Government-backed and industry-supported certification scheme that helps businesses protect themselves against the growing threat of cyber-attacks and provides a clear statement of the basic controls organisations should have in place to protect them. Each year the certification is updated with the National Cyber Security Centre (NCSC) to make sure that it adapts to the ever growing cyber threats.
Why should I get it?
Cyber Essentials is an excellent starting point for all businesses wanting to gain an entry-point into Cyber Security best practice. Below are some of the key benefits of obtaining CE accreditation.
- Reassure customers that you are working to secure your IT against cyber threats by protecting their data, as well as your own.
- Attract new business with the assurance you have cyber security measures in place
- Display the logo on your website to market your accreditation
- Gain a better understanding of your organisation’s cyber security
- Allows you to tender for Government contracts that insist on certification
- Free Cyber Security Insurance
The 5 Security Control Points
When achieving cyber essentials the questions in the workbook will focus on addressing the 5 key security control points below. These control points are the key ways in which cyber threat actors will attack your business, so it’s best to have a good understanding and show the methods and evidence of your resilience in these areas.
Boundary Firewalls and Internet Gateways
These questions cover your network boundaries and how they are protected. This is often the first port of call for attackers and will likely be the first thing they will see when looking at your network. Think of this as managing the perimeter of your building, locking all of your doors and windows so an intruder cannot just walk in.
Your router and firewall are the first blockades an attacker will encounter when scanning your network, it is vital that these are configured correctly and are as secure as they can be.
This focuses on the configuration of your systems – making sure that they are adequately managed to prevent unauthorised actions and disclose as little information as possible to prying eyes. By default, your devices may advertise ports to be able to communicate effectively over the internet. Without secure configuration, your devices may have an excess of advertised ports that attackers can exploit to gain access to your network.
Cyber Essentials will cover your devices and their configuration, with a specific focus on internet-facing services and how these are managed.
The primary focus of access control is to make sure that access is restricted to the minimum necessary for a specific need. When attackers are looking for a way to compromise your systems, it is much easier for them to focus on highly-privileged machines which will allow them to execute system-level commands.
Access control ensures that all staff have access to data on a need-to-know basis, and that their devices are not capable of executing downloaded files, running commands or performing certain system-level tasks without authorisation to do so.
Over time, software installed on your devices can become out of date. At the same time, attackers are persistently exploring this same software to identify any vulnerability. Outdated software can often harbour many vulnerabilities that attackers can identify by scanning your devices and compromise with already discovered exploits.
This section of the Cyber Essentials questionnaire will focus on your strategy for software patching, how this is managed both manually and automatically, and whether you have any software that must be kept at an older software version for a business need.
Another very critical access-point you have into your network is from the devices you are using on a daily basis. Malware protection is designed to ensure that your devices are protected from the vast collection of malicious software available online, blocking dangerous websites and also scanning your device on a daily basis to ensure it is sanitary.
Attackers will often embed malicious code into applications, often disguising them to look legitimate, as a way of fooling users into downloading and executing them. Malware protection, combined with effective access control, significantly reduces the risk of this happening by scanning files when they are downloaded and preventing users from executing them without authorisation.
How can we help?
Our expert team at CYBX provide consultancy against the Cyber Essentials standard to help you comply with the five controls mentioned above. Our team will take you through the assessment step-by-step and help you not only pass Cyber Essentials, but also to understand exactly how your business is protected. You can find out more about Cyber Essentials and our other services by visiting: https://cybx.co.uk/cyber-essentials/