Cyber essentials, what are they – Part II?
The Essential measures
In considering how your business currently meets the required standards, you should ask yourself the following questions.
Do you understand the scope of your business technology that requires basic protection? Does this include all desktop PCs, laptops, smartphones, tablets, homeworking PCs, email and web application servers, boundary firewalls and routers?
Have you changed the default or factory settings on PCs, internet routers and personal mobile devices? Does this include changing default passwords, removing unnecessary software, disabling features that allow programs to run automatically, enabling firewalls, and removing user accounts that are not needed?
Have you activated firewalls on all devices that connect to the internet? Have you changed all default settings, including passwords, blocked unapproved services, removed rules that are not required, and disabled services that are typically vulnerable to attack?
Have you restricted user access to only those applications required to do their job? Does this include documenting access approval, limited access for special privileges, strong passwords, regular password changes, and removal of access when no longer required or inactive?
Is malware protection software installed on all devices connected to the internet? Is your malware protection configured to scan automatically when downloading and opening files on removable storage and network folders, and when web pages are accessed via a web browser?
Do you regularly update all software running on computers and network devices? Do you ensure that all software is licensed and supported by the vendor, that updates and security patches are installed immediately or automatically, and that out-of-date software is removed?
If you can answer YES to most of these questions, you will be well on your way to achieving the basic security measures required by the Cyber Essentials scheme.
Maintaining security
Of course, achieving certification for Cyber Essentials or Cyber Essentials Plus provides merely a snapshot of your cyber security arrangements at that time. The business needs to put in place processes and procedures that enable appropriate and continuing action to maintain adequate cyber security.
This can be addressed through a risk management policy that includes information technology and cyber security risks and a supporting risk register. Such an approach, involving regularly identifying and assessing risks, ensures that as technology changes over time, appropriate mitigation can be adopted to ensure that security controls remain effective.
It is important that the agreed policies and procedures are properly documented and communicated throughout the business. These should include policies on the acceptable use of IT, supported by regular training and an acknowledgement of understanding by employees.
Data Protection
If your business handles personal information, a key principle of Data Protection legislation is that data is kept secure. Meeting the basic Cyber Essentials measures will undoubtedly support the Data Protection requirement that appropriate technical and organisational measures are taken to prevent data loss or misuse. However, businesses should be aware that new legislation in the form of the General Data Protection Regulation (GDPR), effective from May 2018, indicates that some enhanced security measures may be required.
New data protection legislation, in the form of the General Data Protection Regulation (GDPR), will apply in the UK from 25th May 2018. Whilst the concepts and principles remain broadly the same as those in the current Data Protection Act, additional security measures have been indicated, including encryption, pseudonymising of personal data, appropriate business continuity arrangements and regular testing of agreed procedures.
Conclusions
The Cyber Essentials scheme is a good starting point in providing clear guidance on basic cyber hygiene that can protect your business from the most common cyber threats. Achieving certification provides assurance to your clients that you adopt government-endorsed standards and will also help to address the compliance requirements of the General Data Protection Regulation (GDPR). It is important to sustain these levels of security, and this can be achieved by developing and implementing an appropriate risk management process.
If you have any further questions, or would like advice on any of the following matters:
- achieving and maintaining Cyber Essentials;
- developing and implementing a risk management process; or
- meeting the requirements of the new General Data Protection Regulation (GDPR),
please contact Peter.Ennis@assureuk.co.uk or call 020 7112 8300.