Cyber Essentials – does it really help?
Since 2014, when the Government launched Cyber Essentials in Chartered Accountants Hall, take-up by businesses and organisations has moved slowly along its own exponential curve. The pace of take-up over the last two years has increased significantly, driven by: i) requirements within primarily Central Government contracts and, more recently, wider Government contracts; ii) supply chain requirements from security-aware and security-focussed entities; and iii) greater awareness by businesses that they need to safeguard their data to comply with GDPR and, in turn, to protect their business.
I spend the majority of my time either undertaking or managing the independent assessments of businesses who wish to achieve the higher level of Cyber Essentials Plus. This does not require any further work on the part of the business beyond submitting their answers to the Cyber Essentials online portal and also checking that infrastructure configuration is correct. The independent assessment is carried out based upon a Government test specification.
So how does Cyber Essentials help?
The standard in essence requires IT infrastructure to be securely configured – there is rarely a need to invest in further systems to achieve the standard unless unsupported software remains in use, such as Windows XP and potentially Windows 7 when support ends in January 2020. The problems I find on almost every site visit relate to: i) software that is still installed but not used, which in turn usually means it has not been updated and creates vulnerabilities as a result (examples include Adobe products, PDF readers and zip apps); ii) user accounts still active for staff who have left, and some day-to-day users having administrative privileges; and, most importantly, iii) security patches not up to date.
The key message is that many businesses think their systems are secure, but when tested, many holes are found. Once the remediation work has been completed, there is little doubt in my mind that the business is not only far more secure but has also learnt a great deal more about security along the way.