Back in October 2021, I wrote about Renewing Cyber Essentials in the pandemic environment. Along with the pandemic and other factors, such as moving from office to remote working, the renewal process had many challenges and considerations.
Here we are three and a bit years later. We still hold Cyber Essentials accreditation, and in January 2023 we decided to step up to Cyber Essentials Plus. This adds peace of mind because, rather than relying on self-assessment alone, a selection of devices is chosen and tested remotely to verify compliance.
What is Cyber Essentials?
If you haven’t heard of Cyber Essentials, it’s driven by the National Cyber Security Centre (NCSC) and its delivery partner IASME. There are numerous assured providers available; we use Cyber Strategies, and we’ve always received very good service and communication throughout each application.
The scheme helps to ensure that we have adequate measures (via policies, systems and software) to cover five areas in the agency:
- Firewalls and routers
- Security updates
- Access control
- Malware protection
- Secure configuration
If you plan to get Cyber Essentials Plus for your organisation, one thing to note is that you have to implement Cyber Essentials Plus within three months of attaining the standard Cyber Essentials accreditation.
Why do we do it?
It’s very easy to underestimate the multiple risks involved in our daily (cyber) lives. With over 7 million cyber crimes against UK businesses every year, it’s a subject to take seriously.
The program helps provide confidence throughout our processes to our team, current clients, and prospective clients.
Our clients range from charities such as RNIB and Kinship to public sector organisations including HS2, His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS), and UK Parliament.
It’s important to us as an organisation to offer the assurance that this programme brings. It is also becoming a recurring requirement for prospective clients, who see the value and reduced risk of using an accredited supplier.
Reflections on the accreditation process
Two-factor authentication: There have been some adjustments to what is and is not included in the scope of the assessment(s). There is now far more focus on 2FA (two-factor authentication) and SSO (single sign-on), as these are becoming a requirement rather than an option. This can be hard work if you rely on staff using a downloaded authenticator app. We use 1Password, as it can store lots of useful information that is shareable internally, and we get a free personal account for use on our own devices.
An office move: We moved to a managed office which means the entire network is managed by another organisation. This is helpful as it leaves us free to focus on our internal network, computers, and online services.
Coordinating diaries: A randomly selected sample of users from our team had to have their computers tested for compliance. Ensuring that the right people were available at the right time proved tricky the first couple of times, due to their other meetings and obligations.
We also found that Microsoft Teams has a sixth sense for these things and occasionally decides it doesn’t want to work, which is a bit stressful for those trying to join a meeting for compliance testing!
Apple updates: Apple were also very busy with their latest version of macOS, Sequoia, which brings various changes to both security and OS features such as Apple Intelligence. This meant that some of our current antivirus and anti-malware software needed a major change to an alternative version for compatibility. Luckily, with the tools we have in place, it was easy to monitor and roll out the update.
However, there was one fun surprise. If you upgrade the antivirus software and the OS in the wrong order, it blows up all network connections. That’s a mistake you only make once!
Cyber security day-to-day
Having gone through the combined process of Cyber Essentials and Cyber Essentials Plus eight times now, I’m definitely finding it easier than at the beginning. I now have reporting and monitoring in place for most aspects of the assessment, so it’s mainly a case of collating all of the information.
Cyber Essentials is recognised as an essential requirement for the agency. The team is happy I’m not forcing service limitations, procedures and policies on them on a whim (and that I’m not on a power trip). There is a wider understanding of why we have these steps in place.
After implementing the required limitations and settings across the company, there are some very useful gains to be had for personal cyber security too:
- In everyday work, use your computer as a standard user with the ability to escalate to an administrator if required. This reduces the chance that malware or a hijacking attempt can install anything without your knowledge. This is easily achieved on most operating systems.
- Use 2FA wherever possible. Most cases I hear of where accounts have been hacked, especially social media accounts, would have been avoidable with an additional authentication method enabled.
- Use distinct passwords and logins for each service, centrally managed by a secure password management tool. These tools also reduce the need to save passwords in browsers, as they have plugins that can fill in this information securely for you.
If you want the peace of mind of working with a Cyber Essentials Plus accredited supplier, get in touch to see how we can help you.
