If you’re interested in gauging how good your organisation’s IT security really is, you should consider applying for a Cyber Essentials certification. Read on to discover how this scheme can help you identify IT security threats and what you need to pass.
What is the Cyber Essentials scheme?
Cyber Essentials is a UK government-backed scheme that was launched in 2014. Its aim is to empower organisations of all sizes to take appropriate steps to make sure they are protected against cybercrime. Any organisation that works with or for the government needs this certification, but it’s beneficial for businesses of all kinds.
There are five different things that need to be done in order to get certified:
1. Have a firewall installed
We’ve already covered how important firewalls are to businesses of all kinds – you can read more about why you should use a firewall here. In short, small organisations with a limited number of devices can likely get away with using a host-based firewall. This will likely come preconfigured in their computers.
Larger companies with more devices benefit from the scalability and more advanced level of security provided by network-based firewalls. In order to get Cyber Essentials certified, you’ll need to have some form of firewall protecting all endpoints that have access to your organisation’s sensitive data.
2. Use secure configurations
In order to be as easy to use as possible, most software and devices come with “everything on”. This means that the product can access things like your files, location, camera and microphone. Unfortunately, this gives hackers many different ways to get access to your information.
To make sure you’re not helping out opportunistic crooks, make sure you only enable the settings and functions you’ll actually need. You should also make sure that you use a password, PIN or touch identification wherever you can. Using two-factor authentication (2FA) helps protect information on your most sensitive accounts, such as online banking.
3. Control user access
Only people who absolutely need it should have access to accounts that store sensitive data. This means giving administrator access only to the employees who need it. You should also control the level of access that these administrator accounts have.
You can also strengthen your cybersecurity by controlling the sources where your employees can download software and apps. You should restrict this to manufacturer-approved sources like the Apple App Store and the Google Play Store. This way, your employees are less likely to accidentally download harmful software.
4. Protect yourself against malware
Malware includes things like viruses and Trojan horses, which can be used to sabotage your business or gain access to your files. It can also be ransomware, which locks you out of your files (or steals them) and demands payment before the attackers give them back. Malware can infect your computer through a malicious or compromised website, an email attachment, a USB stick or an external hard drive.
As part of the Cyber Essentials scheme, you’ll need to have some form of protection in place against malware. Popular operating systems tend to come with antimalware protection built in and you could choose to rely on this.
You could also boost the antimalware in your operating system with whitelisting. Whitelisting requires a network administrator to create a list of applications that are allowed to run on a company device. Any application not on the list can’t be downloaded or launched, which reduces your chances of a malware infection.
Another option is sandboxing, which more and more applications support. This means that applications run “boxed in” their own space, virtually isolated from the rest of your computer and network. If hackers manage to compromise a sandboxed application, they’re much less likely to gain access to your data.
5. Make sure software and devices are patched
Cybercriminals are constantly coming up with new ways to sabotage businesses. That’s why developers and manufacturers need to be constantly providing updates to software and apps to offer protection against data breaches.
Installing these security updates is called “patching”. In order to get your Cyber Essentials certification, you’ll need to have these patches regularly installed on any devices that are used for company work. Where possible, these updates should be installed automatically. Once a device gets so old that the manufacturer no longer supports it with updates, you should replace it with a new one.
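The five control areas above are usually tracked as a self-assessment checklist across every device in the organisation. The script below is an added example, not code from the original article or from the Cyber Essentials scheme itself: it evaluates a constructed device inventory against the five areas and reports which controls each device fails. The device fields, the 14-day patch age, the admin-account limit and the approved software sources are all assumptions chosen for illustration, not requirements quoted from the scheme.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds and approved sources are constructed assumptions, not scheme text.
MAX_PATCH_AGE_DAYS = 14
MAX_ADMIN_ACCOUNTS = 2
APPROVED_SOURCES = {"Apple App Store", "Google Play Store"}


@dataclass
class Device:
    """One endpoint in the inventory (field names are constructed for this example)."""
    name: str
    handles_sensitive_data: bool
    firewall: str                  # "host", "network" or "none"
    unneeded_features_disabled: bool
    screen_lock_enabled: bool      # password, PIN or touch ID on the device
    mfa_on_sensitive_accounts: bool
    admin_accounts: list
    software_sources: set
    antimalware_enabled: bool
    last_security_patch: date
    vendor_supported: bool         # vendor still ships updates for this device


def failed_controls(d: Device, today: date) -> list:
    """Return the names of the control areas this device fails (empty = pass)."""
    failures = []

    # 1. Firewall: every endpoint that can reach sensitive data needs one.
    if d.handles_sensitive_data and d.firewall not in ("host", "network"):
        failures.append("firewall")

    # 2. Secure configuration: "everything on" defaults switched off, a lock
    #    on the device, and 2FA on the sensitive accounts it is used for.
    mfa_ok = d.mfa_on_sensitive_accounts or not d.handles_sensitive_data
    if not (d.unneeded_features_disabled and d.screen_lock_enabled and mfa_ok):
        failures.append("secure configuration")

    # 3. User access control: few admin accounts, approved software sources only.
    if (len(d.admin_accounts) > MAX_ADMIN_ACCOUNTS
            or not d.software_sources <= APPROVED_SOURCES):
        failures.append("user access control")

    # 4. Malware protection: some form of antimalware must be active.
    if not d.antimalware_enabled:
        failures.append("malware protection")

    # 5. Patching: recent security updates, and a vendor that still ships them.
    patch_age = (today - d.last_security_patch).days
    if not d.vendor_supported or patch_age > MAX_PATCH_AGE_DAYS:
        failures.append("patching")

    return failures


def assess_inventory(devices, today: date) -> dict:
    """Map each device name to its list of failing controls."""
    return {d.name: failed_controls(d, today) for d in devices}


# Constructed sample inventory: one well-managed laptop, one neglected PC.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("finance-laptop", True, "host", True, True, True, ["it-admin"],
           {"Apple App Store"}, True, date(2024, 5, 25), True),
    Device("reception-pc", False, "none", False, True, False,
           ["it-admin", "reception", "temp"],
           {"Google Play Store", "random-download-site"},
           True, date(2023, 11, 1), False),
]

if __name__ == "__main__":
    for name, failures in assess_inventory(INVENTORY, TODAY).items():
        status = "PASS" if not failures else "FAIL: " + ", ".join(failures)
        print(f"{name}: {status}")
```

Running the script lists "finance-laptop: PASS" and flags reception-pc for secure configuration, user access control and patching. The firewall check is deliberately scoped to devices that handle sensitive data, matching the requirement described under control 1; in practice the inventory would be exported from your device-management tooling rather than typed in by hand.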
Do I need Cyber Essentials certification?
The Cyber Essentials certification was built for SMEs. This is because smaller organisations usually don’t have an around-the-clock IT security team that can assess cyber threats at all times. If you’re lucky enough to have access to protection like this, you can probably do without the certification.
It’s usually huge banks and multinational corporations that make the headlines when they fall victim to a cyber attack. However, small organisations are really no safer. They arguably face an even bigger risk, because SMEs seldom have dedicated IT security staff to fend off cybersecurity threats.
Having a Cyber Essentials certification helps build trust. Having the badge on your website shows your clients that you take the safety of their sensitive information seriously. It’s also a good “due diligence” move that can help you find any blind spots in your existing IT security.
There are two certifications you can go for: Cyber Essentials and Cyber Essentials PLUS. While the regular certification is completed through self-assessment, the “PLUS” certification requires an independent assessment. This makes the PLUS certification harder to pass if you haven’t prepared properly, but it’s also more highly regarded.
How do I get certified?
If you have your own IT department and they have the capability to do so, you can complete your certification internally. Otherwise, you can hire a third-party contractor to help you get certified. Keep in mind that if you’re going after the Cyber Essentials PLUS certification, your organisation needs independent assessment.
It’s important to know that the Cyber Essentials certification doesn’t make for a complete IT security strategy on its own. Instead, it should be supported by several other measures and regarded as the starting point for more comprehensive cybersecurity.
You should also know that after completing your certification, you’ll need to renew it annually. This is because the cybersecurity threat landscape is constantly evolving, meaning that your IT security strategy should do the same.
While for most organisations, a Cyber Essentials certification isn’t mandatory, it’s definitely a good step to take. It shows the world that your organisation takes cybersecurity seriously and helps you figure out any weak spots in your organisation’s IT.