Cyber Essentials accreditation should be the first step on your cyber security journey

There are lots of articles on the internet about small businesses not taking cyber security seriously. Just take a look at some recent research on the subject.

Even if you have every intention of tackling this in your business, the danger is that it just stays on the to-do list, too daunting or too scary to delve into. After all, you’ve been OK so far, so what are the chances of a cyber-attack in the future?

Firstly, what is a cyber-attack? In basic terms, it is when someone or something accesses your network, either via the internet or from inside your office, with the intention of damaging or stealing your data. Ransomware, for example, is a virus-like application that encrypts all the data on your server and computers and then demands a ransom. You could pay the ransom, but there is no guarantee that your data will be decrypted. You may think that you won’t be targeted because you are not a large corporation, but that is no guarantee either. These criminals run systems that scan the internet looking for vulnerabilities. So, for example, if you have a poorly configured or out-of-date router, they may be able to get past it and log in to your computers.

If your company relies on its data then it’s up to you to keep it safe! You don’t want your client records compromised or anyone else having access to client payment details. What about your confidential staff and financial information? With all your development work exposed, your business will be massively disrupted.

So, where do we start?  

The Cyber Essentials accreditation is a good starting point.  This was launched in June 2014 by the Government and is backed by the Federation of Small Businesses, the CBI and a number of insurance organisations.  

The scheme has been developed to fulfil two functions. Firstly, it provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats. Secondly, through the Assurance Framework, it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates.

A company that obtains this certification demonstrates that it has reached a good level of IT security and has minimised its risk of a cyber-attack. It also shows that, if the business does suffer a cyber-attack, it can recover quickly, and it allows the business to bid for Government contracts.

Obtaining the basic Cyber Essentials certification involves completing an online questionnaire that asks for a fair amount of technical detail. But don’t let this put you off. As you go through the questionnaire, you’ll find out what you don’t know. It’s these unknowns that are probably keeping you awake at night (especially when you watch the news about another company that’s been hacked and held to ransom). The Cyber Essentials Plus certification is a bit more involved, as it requires an assessor to come out to your office and check everything. So let’s start with the basic one.

The questionnaire will ask for information on: 

  • Your network, including physical locations, management and IP ranges.  This is just a summary of your network – nothing too in-depth.  In fact, there are various examples on the questionnaire so you can get a good idea of the sort of thing they are looking for.  
  • The firewall and how it’s configured and managed.  For example, have you just taken it out of the box, plugged it in and away you go?  Or do you regularly connect to your firewall to update the software and change the password? 
  • How your team accesses the data and how you manage their accounts. Is all your data spread over various computers, kept in the cloud or on a local server?
  • Do you have wireless networks and is there a separate one for visitors?  Or do you just hand out the password to anyone that asks you?  
  • How you share your data, and whether your staff can only see the information they actually need. This may be a good time to ensure that each member of staff can only see the information they need for their job.
  • Whether you just have the applications that you actually need.  Or is it a bit of a free-for-all when it comes to installing software?  Can anyone download anything?  
  • A summary of your virus and malware protection policy. If different PCs have different antivirus applications with varying expiration dates, then maybe now’s the time to simplify it all. It will probably work out quite a bit cheaper too, which is always a bonus.
  • Remote working policy.  If you have staff working from home and they keep company data on their home PCs then you need to make sure this is safe too.  The same goes for data that’s stored on laptops.  What would happen if the laptop was left on a train or stolen?  These things happen all the time.  
  • Backups (of course!).  If the worst comes to the worst and all your data is destroyed, how quickly can you restore it? 

If you didn’t set up the network in your office and all the above questions sound like a nightmare, then it’s probably a good time to get some outside help involved. You may be reluctant to do this because you think you’ll be opening a can of worms. But if you find a reputable local IT support company, they’ll be able to supply a quote for a security audit and assistance with the Cyber Essentials questionnaire. They’ll highlight the unknowns and work with you to make sure your network is secure. But don’t forget, this is an ongoing process. There’s no point getting everything nicely secured and everyone trained on cyber-risks only to get a new computer or wireless device that introduces another vulnerability.

So why not start with the Cyber Essentials accreditation?  It will show that your business takes IT security seriously and clients can be confident that their data is secure.  What have you got to lose?  Ah yes, all your data. 

Liz Turner, Director of IT Support at Waytime Technologies 