In 2019, pretty much everyone and everything is online, always connected, in an environment with porous perimeters. That means known vulnerabilities can be easily exploited because of a lack of security and oversight by businesses - many of whom think they are too small to be a target.
Theft, whether financial or of proprietary data, is a growing problem whose consequences UK small businesses are suffering. In addition, criminals are trying to capture and decrypt our online activities, steal our identities and fool us into engaging with fake websites.
One of the most common forms of attack is stealing your login credentials, then using your identity to gain access to business applications, remove valuable personal data or steal money.
Cybersecurity is an ever-hotter topic in today’s business world, as brand perception and supply chain integrity join regulatory pressures such as 2018’s introduction of GDPR to argue the case for maintaining best digital security practices in all enterprises, especially SMEs.
A vital foundation for SMEs in terms of cybersecurity protection is to maintain a level that follows the government’s recommended cybersecurity guidelines. Cyber Essentials is the entry point for all organisations, of all sizes, and in all sectors in the UK.
Organisations that achieve Cyber Essentials can demonstrate that they have considered and committed to boosting their defences against the threats of cybercrime, and have reduced the vulnerability of their business by meeting an accredited, government-backed and industry-supported standard.
Cyber Essentials - a quality standard for cybersecurity
Cyber Essentials is the UK Government-backed scheme launched in 2014 and administered through the National Cyber Security Centre (NCSC). It aims to show organisations how to protect themselves and prevent the most common cyber attacks. The NCSC claims Cyber Essentials can help eliminate the risk of 80% of cyber attacks.
The Cyber Essentials scheme is not covered by binding regulation. Instead, it offers organisations and businesses a means to demonstrate their cybersecurity commitment by achieving an accredited and registered certification standard at different levels.
Not every organisation has the time, resources or circumstances that require a full-on approach to cybersecurity. So the Cyber Essentials scheme has been designed to fit whatever level of commitment an organisation is able to sustain.
It may be worth considering for the future if your business wants to expand into a sector where certification is mandated, or if you are likely to develop a close supplier relationship with a business in a ‘mandated’ sector, because you will then be required to hold the Cyber Essentials Plus accreditation. Cyber Essentials is a necessity for businesses looking to win certain government contracts.
The simplest way to start is to familiarise yourself with cybersecurity terminology, gaining sufficient knowledge and awareness to begin securing your IT using a self-assessment approach.
If as an organisation you need more certainty on how you apply cybersecurity, you can obtain basic or entry level Cyber Essentials.
For those organisations who need to take their cybersecurity to a higher level, you can go for Cyber Essentials Plus certification.
The scheme aims to help all organisations protect themselves against cyber attacks. When an organisation is fully compliant, it receives a certificate to show stakeholders and customers that it has the necessary safety measures in place to reduce the risk of a cyber attack.
Importance of Cyber Essentials
Cyber Essentials is an increasingly important certification to achieve for businesses and organisations of all sizes in the UK.
The rise in awareness of the impact of a cyber attack, and of the financial and reputational consequences of a data breach, has rightly seen increased demand from customers and stakeholders that your business takes its responsibilities seriously.
Cyber Essentials reassures customers that you are working to secure your IT and their data against cyber attack.
Businesses must be prepared to be asked to show their commitment to maintaining cybersecurity, and Cyber Essentials certification shows you have made a promise to respond to incidents and take your responsibilities seriously.
For smaller businesses with little or no IT support or expertise, it provides a basic first step towards cybersecurity and can help build a relationship with a trusted IT supplier.
Cyber Essentials Plus – taking cybersecurity to the next level
Small businesses in the UK are the target of an estimated 65,000 attempted cyber attacks every day, according to new figures from a study by Hiscox, a specialist insurer.
According to Hiscox, almost one in three (30%) UK small businesses suffered a cyber breach last year – equivalent to over 4,500 successful attacks per day or one every 19 seconds.
Businesses in the UK are facing a growing threat of cyber-attacks, with the number of incidents increasing in scale and complexity. The shift from crime to cyber-crime hasn’t changed the "modus operandi", but it has provided these criminals with an additional set of tools to attack businesses.
Yet there is a gap emerging between an evolving threat landscape and the resources organisations are allocating to defend against such cyber-attacks.
When it comes to cybersecurity, you’re only as strong as your weakest link - which means any business can be at risk from cyber-attacks targeting vulnerabilities.
Against this backdrop, while the basic Cyber Essentials accreditation can reduce the risk of a cyber-attack, the Cyber Essentials Plus certification delivers additional peace of mind and benefits.
The Plus certification builds on the self-assessed Cyber Essentials with exactly the same requirements and one difference: Cyber Essentials Plus requires an independent assessment of your security controls.
As part of the certification process you will need to undergo a vulnerability scan, a verification of your cybersecurity carried out independently by your appointed Certification Body, which reports on the state of your network security together with an assessment of your policies, processes and the current effectiveness of your IT security defences.
The information gathered will guide any remedial actions needed and ensure your company can demonstrate that it meets all the necessary requirements, offering a higher level of assurance as well as the benefit of showing a compliance logo on corporate material.
One of the advantages of taking an in-depth look at your security is that it provides a road map for improving what you are doing and a strategy to follow. Knowing your vulnerabilities is also an essential step in making sure you are set for your General Data Protection Regulation (GDPR) compliance obligations.
Preparing for Cyber Essentials Plus
The following five technical controls are what an organisation needs to have in place to prepare it for Cyber Essentials Plus:
1. Use a firewall to secure your internet connection
Protect your Internet connection with a firewall which creates a ‘buffer zone’ between your IT network and other external networks. Within this buffer zone, incoming traffic can be analysed to find out whether or not it should be allowed onto your network.
While minimising security threats from the outside is important, securing the internal network ranks just as high and requires a different sort of security protocol.
Password-protect access to your network with strong password hygiene, or require users to authenticate using two-factor authentication. If users access the network through a single password, put rules in place requiring it to be changed regularly, and if possible create a separate network for visitors.
You could use a personal firewall on your internet connected laptop (normally included within your Operating System at no extra charge).
Or, if you have a more complicated set up with many different types of devices, you might require a dedicated boundary firewall, which places a protective buffer around your network as a whole.
2. Ensure the most secure settings are enabled
Manufacturers often set the default configurations of new software and devices to be as open and easily connectable as possible. Unfortunately, these settings can also provide cyber attackers with opportunities to gain unauthorised access.
So, you should always check the default settings of new software and devices and where possible raise your level of security. For example, by disabling or removing any functions, accounts or services which you do not require.
Your laptops, desktop computers, tablets and smartphones contain your data, but they also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected.
3. Control access to systems
To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should be limited to access only what they need to perform their role. Extra permissions should only be given to those who need them.
Standard accounts are likely to be used by most of your employees. By limiting the number of users who have rights to an administrative account you limit the risk of compromising an account that could potentially have far more serious consequences in the hands of a hacker.
This is important because an attacker with unauthorised access to an administrative account can be far more damaging than one accessing a standard user account.
According to UK research by Citrix, a survey of 2,000 workers found that almost half of those polled regularly use passwords to protect home documents, whereas only one in three do so at work.
Often employees use personal devices, not provided by their employer, to perform work duties, yet these devices typically lack the level of security that a business would apply.
As an organisation you need to control access to your data through user accounts, ensure that administrative privileges are only given to those who need them, and control what an administrator can do with those accounts.
4. Install and use antivirus software
Antivirus packages offer protection from malware and viruses and should be enabled by default on your system.
Malware is short for ‘malicious software’. One specific example is ransomware, a form of malware that makes data or systems it has infected unusable - until the victim makes a payment.
Viruses are another well-known form of malware. These programmes are designed to infect legitimate software, passing unnoticed between machines, whenever they can.
There are various ways in which malware can find its way onto a computer. A user may open an infected email attachment, browse a malicious website, or use a removable storage drive, such as a USB memory stick, which is carrying malware.
5. Enable auto-updates
No matter which phones, tablets, laptops or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both Operating Systems and installed apps or software as manufacturers will regularly issue updates that patch the latest known vulnerabilities.
Applying these updates is one of the most important things you can do to improve security, plus you can opt for automatic updates.
However, all IT has a limited lifespan. So when you find that your software or hardware is no longer supported and new updates cease to appear, you should consider upgrading to a newer system.
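The controls above are what an independent assessment looks for in practice. As an added example (not from this article, from Worktools, or from the NCSC scheme's own tooling), the following Python script runs the kind of checks a configuration review for controls 1, 2 and 3 would surface, over constructed sample evidence: a made-up /etc/passwd, /etc/group and `ss -tlnp` output from a fictional Linux host. The allowed external ports and the list of default accounts to disable are assumptions about that sample host.

```python
"""Lightweight pre-assessment checks for three Cyber Essentials technical
controls (boundary exposure, secure configuration, access control).
Added example over constructed evidence; not an official assessment tool."""
import re

# Constructed sample of /etc/passwd (fictional host, not real data).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:legacy admin:/root:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
"""

# Constructed sample of /etc/group.
GROUP = """\
root:x:0:
sudo:x:27:alice,bob,guest
wheel:x:10:
users:x:100:alice,bob
"""

# Constructed sample of `ss -tlnp` style output (listening TCP sockets).
LISTENING = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=901,fd=6))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=950,fd=20))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=977,fd=4))
LISTEN 0      128    [::]:21             [::]:*            users:(("vsftpd",pid=980,fd=3))
"""

ADMIN_GROUPS = {"sudo", "wheel", "root"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
# Assumption: default or legacy accounts this host does not need (control 2).
DEFAULT_OR_UNNEEDED = {"guest", "toor"}
# Assumption: services the sample host is expected to expose (control 1).
ALLOWED_EXTERNAL_PORTS = {22, 443}


def parse_passwd(text):
    """Map account name -> uid, primary gid and login shell."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """Map group name -> gid and supplementary member list."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def admin_accounts(users, groups):
    """Control 3: every account holding administrative rights, whether by
    uid 0, by primary group or by membership of an admin group."""
    admin_gids = {g["gid"] for n, g in groups.items() if n in ADMIN_GROUPS}
    admins = {n for n, u in users.items()
              if u["uid"] == 0 or u["gid"] in admin_gids}
    for gname in ADMIN_GROUPS:
        admins.update(groups.get(gname, {"members": []})["members"])
    return sorted(admins)


def extra_uid0(users):
    """A second uid 0 account is a hidden administrator: flag it."""
    return sorted(n for n, u in users.items() if u["uid"] == 0 and n != "root")


def unneeded_interactive_accounts(users):
    """Control 2: default or unneeded accounts that still have a login shell."""
    return sorted(n for n, u in users.items()
                  if n in DEFAULT_OR_UNNEEDED and u["shell"] in INTERACTIVE_SHELLS)


def parse_listening(text):
    """Parse `ss -tlnp`-style lines into (address, port, process) tuples."""
    sockets = []
    for line in text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        addr, _, port = line.split()[3].rpartition(":")
        match = re.search(r'\(\("([^"]+)"', line)
        proc = match.group(1) if match else "?"
        sockets.append((addr.strip("[]"), int(port), proc))
    return sockets


def exposed_services(sockets):
    """Control 1: services bound to all interfaces that the boundary firewall
    is not expected to allow; each needs a rule or should be disabled."""
    wildcard = {"0.0.0.0", "::", "*"}
    return sorted((port, proc) for addr, port, proc in sockets
                  if addr in wildcard and port not in ALLOWED_EXTERNAL_PORTS)


def run_assessment(passwd=PASSWD, group=GROUP, listening=LISTENING):
    """Return the findings for the three controls as a dictionary."""
    users, groups = parse_passwd(passwd), parse_group(group)
    return {
        "admin_accounts": admin_accounts(users, groups),
        "extra_uid0": extra_uid0(users),
        "unneeded_interactive": unneeded_interactive_accounts(users),
        "exposed_services": exposed_services(parse_listening(listening)),
    }


if __name__ == "__main__":
    for finding, value in run_assessment().items():
        print(f"{finding}: {value}")
```

On the sample host the script reports five accounts with administrative rights (far more than a small business usually needs), a second uid 0 account named toor, two default accounts that still have a login shell, and telnet and FTP listening on every interface. Each of these is the sort of item an assessor's remediation list would contain; on a real host you would feed it the actual files and the output of `ss -tlnp` instead of the constructed strings.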
Cyber Essentials is just one step on the journey towards securing your organisation against cyber attacks. As an outside provider, Worktools can carry out initial security assessments and ensure that everything is secure, both locally and through remote access.
We can also help create your cybersecurity plan so you know how to prepare and if necessary respond to an incident.