Cyber Essentials has been developed by the Government in association with the Information Assurance for Small and Medium Enterprises (IASME) and the Information Security Forum (ISF).
It wasn’t invented as another piece of red tape for businesses to get through. It is backed by industry, including a number of organisations such as the Federation of Small Businesses, and is a set of basic technical standards to ensure organisations are protecting themselves against digital security threats to the best of their ability.
Why does my business need Cyber Essentials?
With the introduction of GDPR in May 2018, being able to display the Cyber Essentials logo in your company literature to show that you are certified is a great way to reassure customers that you’re working to keep their data safe.
Some government contracts require any business submitting a tender to hold the Cyber Essentials certification. Aside from government contracts, it can help attract new customers by showing that you have cyber security measures in place.
The Cyber Essentials certification looks at five main technical controls.
1. Use a firewall
Although a firewall isn’t a literal wall of fire (more’s the pity!), it does act as a barrier between your IT network and potential external threats. It decides whether to block or allow traffic based on a set of previously defined security parameters.
The type of firewall you have and the security parameters it uses can be set by you (or your IT company) based on the specific security needs of your business.
2. Make sure your devices and software are the most secure they can be
Recently, there was a video of Kanye West in the White House unlocking his phone using the code ‘0000’. Although this got the internet laughing, it does raise an important point about device security: it’s likely that this is the default code set by the manufacturer, as it’s their aim to make new devices as accessible as possible, and Mr West should really think about changing the default!
It’s important to look at things like password-protecting devices and making sure the defaults are changed if they are already set up. If it’s a device you use for online banking, or one that holds important data, then setting up two-factor authentication is also advised.
The way we use modern technology means that devices not only hold important information, they often hold the login details for important online accounts – so password protection is a must.
3. Control permissions
Limit the permissions of staff accounts to only the software, settings, and online accounts that they need. Should a member of staff have their account compromised by an attack, the damage the hacker can do to an IT network is minimised if they only have access to a standard user account as opposed to administrative privileges.
4. Virus and malware protection
‘Malware’ is a shortened version of ‘malicious software’. The example you’re most likely to have heard of recently is ‘ransomware’, which was mentioned in the news when some prominent companies and the NHS were hit. This type of malware renders systems unusable until the victim meets the demands of the criminals, which usually involve payment.
For more information about defending against malware, visit the Cyber Essentials website.
5. Install updates!
We say this often. You’ll see it in lots of our posts and across social media. Installing updates rather than clicking on ‘remind me tomorrow’ for months on end is really important. Not installing updates can stop your device from working quite as well as it should, but more importantly, updates often contain security fixes, called ‘patches’, for known vulnerabilities. If you don’t install the updates, the patches don’t get applied and your device is left open to potential security breaches.
Not only are we Cyber Essentials Certified ourselves, we can help you with the process of becoming certified. If you would like to learn more about this, download our comprehensive security guide for small businesses.