Matt Rhodes explains why it is no longer enough for companies to simply claim they are proficient at dealing with incoming cyber threats – they must prove it with recognised certification
2017 was a year blighted by high-profile data breaches and cyber-attacks, with criminals becoming more sophisticated in their methods, and generally more successful in their attempts. In the past 12 months, 875,000 small and medium-sized businesses have been targeted by cybercriminals, costing a fifth of affected organisations over £10,000 in damages.
When selecting a partner or supplier to work with, clients are adopting much stricter vetting processes to select businesses that have a clean record when it comes to data security. Therefore, companies should be seeking Cyber Essentials Plus certification to help give assurance to procuring clients, while ensuring their own sensitive information and data is well protected.
There are currently two different certifications available to businesses – the standard Cyber Essentials and Cyber Essentials Plus. Cyber Essentials represents the most basic level of cyber security: the organisation completes a short self-assessment questionnaire on its current security controls, which is then submitted to a certification body for review.
The organisation will typically also undergo an external vulnerability assessment from the certification body, which directly tests that the individual controls on the internet-facing network perimeter have been implemented correctly.
This basic level of certification only offers a snapshot of the organisation at that time – it does not provide assurance that systems are effectively configured to defend against more sophisticated or persistent attacks.
Cyber Essentials Plus, however, requires an organisation to undergo a much more thorough, hands-on assessment by the certification body, which includes internal security testing of end-user devices rather than relying on the organisation's own answers.
Using a range of specialist tools and techniques, the Cyber Essentials Plus assessment directly tests that individual controls have been implemented correctly, and recreates various attack scenarios to determine whether a system is proficient in dealing with potential threats.
The Cyber Essentials Plus certification requires your organisation to have five technical controls in place:
- Boundary firewalls – these devices are designed to prevent unauthorised access to or from private networks, but require correct configuration to achieve maximum effectiveness;
- Secure configuration – ensuring systems are configured securely to suit the requirements of an organisation;
- Access control – only allowing those with authority to have access to systems;
- Malware protection – ensuring up-to-date virus and malware protection has been installed and is kept current;
- Patch management – ensuring the latest supported version of applications is used and all the necessary patches have been applied.
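As an added illustration (not part of the original article, and not the scheme's official tooling), the script below runs a pre-assessment gap check of a constructed device inventory against the five control areas listed above. The device fields, the 14-day window for outstanding critical patches and the one-day signature-age limit are assumptions drawn from the published Cyber Essentials requirements as understood at the time; confirm them against the current requirements document before relying on them.

```python
"""Pre-assessment gap check against the five Cyber Essentials control areas.

Added illustration, not the article's or the scheme's own code. Thresholds
are assumptions taken from the published requirements (e.g. critical/high
patches applied within 14 days of release) and should be re-checked.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # assumption: critical/high patches within 14 days
AV_MAX_AGE = timedelta(days=1)     # assumption: malware signatures refreshed daily

CONTROLS = ("Boundary firewalls", "Secure configuration", "Access control",
            "Malware protection", "Patch management")


@dataclass
class Device:
    """One in-scope device, as recorded in a hypothetical asset inventory."""
    name: str
    behind_boundary_firewall: bool
    default_passwords_changed: bool
    unneeded_services_disabled: bool
    named_admin_accounts: bool            # admins use individual, not shared, accounts
    admin_used_for_daily_work: bool       # admin account used for email/browsing
    av_installed: bool
    av_signatures_updated: Optional[date]
    os_supported: bool
    oldest_unapplied_critical_patch: Optional[date]  # release date; None if fully patched


def check_device(dev: Device, today: date) -> list[tuple[str, str]]:
    """Return (control area, finding) pairs for everything that would fail."""
    f: list[tuple[str, str]] = []
    if not dev.behind_boundary_firewall:
        f.append((CONTROLS[0], "not protected by a configured boundary firewall"))
    if not dev.default_passwords_changed:
        f.append((CONTROLS[1], "vendor default password still in use"))
    if not dev.unneeded_services_disabled:
        f.append((CONTROLS[1], "unnecessary services or software still enabled"))
    if not dev.named_admin_accounts:
        f.append((CONTROLS[2], "shared or generic administrator account in use"))
    if dev.admin_used_for_daily_work:
        f.append((CONTROLS[2], "administrator account used for everyday tasks"))
    if not dev.av_installed:
        f.append((CONTROLS[3], "no malware protection installed"))
    elif dev.av_signatures_updated is None or today - dev.av_signatures_updated > AV_MAX_AGE:
        f.append((CONTROLS[3], "malware signatures out of date"))
    if not dev.os_supported:
        f.append((CONTROLS[4], "operating system no longer supported by the vendor"))
    patch = dev.oldest_unapplied_critical_patch
    if patch is not None and today - patch > PATCH_WINDOW:
        f.append((CONTROLS[4], f"critical patch outstanding for more than {PATCH_WINDOW.days} days"))
    return f


def check_estate(devices: list[Device], today: date) -> dict[str, list[tuple[str, str]]]:
    """Run check_device over the whole inventory, keyed by device name."""
    return {d.name: check_device(d, today) for d in devices}


def failing_controls(report: dict[str, list[tuple[str, str]]]) -> set[str]:
    """Control areas with at least one finding anywhere in the estate."""
    return {ctrl for findings in report.values() for ctrl, _ in findings}


# Constructed sample inventory for the demonstration; these are not real devices.
TODAY = date(2018, 3, 1)
SAMPLE = [
    Device("laptop-01", True, True, True, True, False, True, date(2018, 2, 28), True, None),
    Device("laptop-02", True, False, True, False, True, True, date(2018, 2, 1), True, date(2018, 1, 20)),
    Device("server-01", False, True, False, True, False, False, None, False, None),
]

if __name__ == "__main__":
    report = check_estate(SAMPLE, TODAY)
    for name, findings in report.items():
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for ctrl, msg in findings:
            print(f"  [{ctrl}] {msg}")
    print("Control areas with findings:", sorted(failing_controls(report)))
```

Any device with a non-empty finding list would be expected to fail the corresponding control during the Plus assessment, so the report is best read per control area across the whole estate rather than per device.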
Only once a company successfully passes these tests can it be awarded the badge, which can then be displayed on the organisation's website, showing customers that it takes cyber security seriously and has the baseline technical controls in place.
Staying vigilant – remaining protected
If your business is serious about improving its security, then Cyber Essentials Plus is the only option worth considering.
The Cyber Essentials Plus scheme provides a well-defined standard that is suitable for organisations across all sectors, including charities, schools, universities and local authorities.
While the basic Cyber Essentials certification is a good starting point, the additional checks and tests involved with Cyber Essentials Plus make it the best option when ensuring your security is up to scratch.
With the new GDPR rules coming into effect later this year, it has never been more important to be able to demonstrate that your company can defend against an incoming attack, as any data breach could cause serious financial damage to your business.
Cyber Essentials Plus and the procurement process
Since October 2014, Cyber Essentials certification has been a mandatory requirement for suppliers bidding for certain central government contracts, notably those that involve handling personal information or providing certain ICT products and services, and it looks as though we are transitioning to a point where businesses must hold a badge to be considered for most public-sector work.
Cyber Essentials Plus offers procuring organisations greater levels of assurance that required controls and checks are in place.
If your business is looking to grow and win new business, specifically within the public-sector, achieving compliance should be at the top of your to-do list.
Achieving compliance – what to do next
If your company is serious about achieving Cyber Essentials Plus status, then the first step is to visit the official www.cyberaware.gov.uk website and select one of the official accreditation bodies listed.
In order to successfully hold a Cyber Essentials Plus badge, you must have first completed the basic Cyber Essentials certification process.
Once an independent assessor has reviewed your answers and performed the basic tests on your security controls, you will be awarded the Cyber Essentials certificate, allowing you to proceed to Cyber Essentials Plus.
Once you have received Cyber Essentials certification, you will then need to prepare for the Plus assessment by making sure the five technical controls are fully implemented across every in-scope system and end-user device, not just those you described in the questionnaire.
When looking for support to help you achieve Cyber Essentials Plus, it is important you contact an IT specialist with plenty of experience helping clients achieve compliance – they will then arrange for your security controls to be thoroughly tested, which will determine your effectiveness in defending against potential cyber threats.
Remember, different suppliers will offer varying levels of service and support, so make sure you select one that meets your company’s requirements.
Not only will achieving Cyber Essentials Plus compliance help protect your business, it will also put you at a serious advantage when bidding for work against competitors without the badge.
Once you have achieved Cyber Essentials Plus certification, it is important that you continue to improve your security, as attacks will become increasingly sophisticated as time passes.
More in-depth assessments are available to companies who are looking to push their security further than the Cyber Essentials scheme, including penetration testing and Simulated Targeted Attack and Response (STAR) engagements, which assess specialist business functions whose compromise would have an impact at market or country level.
If you think your organisation could benefit from these additional levels of assessment, then contact an IT specialist to raise the level of assurance you can offer to your business and your clients.
Matt Rhodes is Commercial Services Manager at Quiss Technology. Quiss is a member of the Microsoft 1-Tier Cloud Solution Provider programme and a Microsoft partner with gold competencies for hosting and midmarket solution provider, and silver competencies for small & midmarket cloud solutions, datacentre and content & collaboration.
For further information please visit: www.quiss.co.uk