Complacency in Cyber Security still runs high
The Covid-19 pandemic has clearly given cybercriminals a new set of targets to exploit as businesses implement remote working and relax access to corporate data so employees can keep productivity at an acceptable level.
According to a study published by Software Advice, at the end of 2021 SMEs reported a 62% increase in cyber attacks over the last 24 months.
Software Advice also published a worrying statistic that clearly showed that complacency in cyber security is also on the rise, with 68% of SME respondents admitting that they either don’t have or don’t know if they have a cyber security response plan.
Even if you have recently completed a security audit for a Cyber Essentials accreditation, it’s always good to remember that cyber security is a moving target and a good cyber security consultant should be promoting a proactive stance when it comes to the cyber security services that they deliver.
The latest update, published in January 2022 and headlined as the “biggest update to Cyber Essentials technical controls since its launch”, includes revisions covering the use of cloud services, home working, multi-factor authentication and password management. The revision was published after taking input and advice from NCSC technical experts reacting to the latest threats. It’s a clear indication that both this subject and certifications as a whole are a moving target for everyone.
For more information on the 2022 updates see the following link:
Other new guidance includes new definitions of what corporate VPNs encompass, more guidance on what security is required for BYOD use, updated recommendations on where software firewalls can exist at internet boundaries, a redefinition of what “patch” management covers, including what automatic update controls should be considered and what additional external and third-party access controls should be applied to secure corporate information.
Vissensa, on its own accreditation to the new 2022 standards, went through a number of process changes and modifications of our already tight security in order to be at the highest point of security posture for all aspects of our business.
For most businesses, there is still a great deal of complacency when it comes to security, not helped by the growing complexity of IT systems and the impact of IT change on the business. The different elements detailed on a Cyber Essentials checklist seem far too difficult for the untrained eye to determine. The reality is that any Cyber Essentials requirement will need input from the business in order to capture all the necessary elements of IT to proceed with a successful Cyber Essentials certification, regardless of whether it is completed in house or through a cyber consultancy services company – there is no silver bullet.
What is apparent is that a business being accredited is going to be viewed very similarly to a person being vaccinated against Covid, in that not having the certification may preclude the business from certain opportunities and contracts. This means many businesses will be left wondering how to get the Cyber Essentials certification.
How Long Does Cyber Essentials Certification Last?
There is still a huge misconception that a Cyber Essentials self-assessment questionnaire or a Cyber Essentials Plus checklist is a one-off activity. Nothing could be further from the truth. It’s a continual, proactive task that should be reviewed when something changes in an organisation, on a pre-determined review date or when a specific threat is identified. The certification is also valid for a year, so re-certification is required each year to stay on top of current guidance.
Much of the misconception and failure to gain a successful accreditation is that the task is seen as a set of self-selective activities, where the minimum amount of effort can get you an accreditation.
The NCSC recommend the following:
“We strongly recommend that the scope* should include the whole IT infrastructure, if possible, to achieve the best protection.”
(*Scope in this context means the extent to which all of the elements of an organisation’s IT systems are reviewed).
The uncomfortable truth is that many organisations are aiming for the lowest bar to gain cyber security accreditation, forsaking the real objective of the NCSC initiative: hardening as many businesses in the UK as possible against any cyber threat vector.
Where can I get cyber security information that will help with my Cyber Essentials Certification?
Conversely, although the subject is considered highly technical and should only be attempted by security consultants, there is a wealth of impartial free information and guidance available which will prepare any business for the task of gaining cyber security accreditation. This information not only forms the basis of the certification process but signposts highly useful information that can be distributed to users around a business to give them a better understanding of the part they play in keeping an organisation’s digital assets safe.
Cyber security companies, in the UK or otherwise, do produce varying levels of information that can be used to start a self-assessment. For example, at Vissensa we have developed a 10-part, jargon-free self-help guide, written to give a high-level understanding of the different actions organisations can take to strengthen their cyber security. The guide can be downloaded here:
IASME and the NCSC have created another great resource which is easily digestible. This is the Cyber Essentials self-assessment questionnaire which details the questions that you will need to answer when conducting your own Cyber Essentials certification.
IASME is a body that developed a government-funded and government-backed governance standard to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO27001. The associated certification allows small companies to demonstrate their level of cyber security for a realistic cost and indicates that they are taking the necessary steps to adequately protect their customers’ information. The IASME Governance assessment includes a Cyber Essentials assessment and GDPR requirements and is available either as a self-assessment or on-site audit.
The IASME guide is available here:
What is critical to understand is that this initiative is aimed at the smaller organisation, because it was understood that cost and complexity were a barrier to entry for small businesses, but the threat from cyber attacks was as dangerous as that faced by larger corporations.
To highlight this point, the table below published by IASME shows the Cyber Essentials Certification Cost in 2022 and demonstrates how little the self-assessment costs.
The Easy First Step – Cyber Essentials Self Assessment Questionnaire
It’s inevitable that having the Cyber Essentials accreditation at minimum will be an important enabler to doing business, and many new contracts being written demand that suppliers have at the very least this standard, if not the more rigorous Cyber Essentials Plus certification, so taking the first step now has been made as pain free as possible using the downloadable Cyber Essentials audit document.
There are a number of independent organisations that are accredited to issue Cyber Essentials and Cyber Essentials Plus certifications, including Cybersmart, who worked with Vissensa to provide independent accreditation of our 2022 Cyber Essentials and Cyber Essentials Plus certifications.
For more information visit Cybersmart here:
Downloading the guide as suggested above will give an organisation an idea of how exposed they are today and what actions are required to bring them to a point where they have increased their security posture, while also moving them to a good position to go for accreditation.
Vissensa can help. Firstly, we have worked through our own 2022 certification, so have first-hand knowledge of the updated guidance. We have also been providing security expertise and products to large and small organisations for over 15 years, so can advise on the most appropriate hardware and software required to implement a coherent security stance.
What If I Fail The Accreditation?
The concept of the Cyber Essentials accreditation and the follow-on additional certification, Cyber Essentials Plus, is to develop an organisation’s understanding of all of the business practices that are carried out and where in each of these practices a cyber threat could manifest itself.
Once a Cyber Essentials self-assessment questionnaire has been submitted, an assessor is appointed within the cost of the submission fees detailed above. The assessor reviews the answers given and will come back with further questions if it is apparent that an answer wouldn’t give the level of protection needed to meet the standard.
These highlighted gaps are great examples. They demonstrate that if the required expertise to resolve the gap is not in house, then a cyber security consultant is a sensible next step to helping with this aspect of the accreditation while keeping external security consultant costs to a minimum.
Big software vendors are playing their part in the cyber security services market
It seems that many companies are using Microsoft products for their day-to-day operations. Microsoft have been addressing the growing security threats for some time and have developed a suite of security products that address specific aspects of the security requirements outlined by the Cyber Essentials and Cyber Essentials Plus certifications.
This suite of security products is being baked into some of the advanced Microsoft products we use as standard, such as Microsoft 365 Business Premium, and is detailed in the recently updated set of Microsoft Defender products and the soon-to-be-released Microsoft Defender for Business.
Vissensa have written a number of blogs that detail the features contained in these Microsoft Defender tools. You can find them here:
How Much Does The Cyber Essentials Certification Cost?
The cyber threat landscape is only moving in one direction: more threats, from more places, which are becoming more sophisticated. If you have never suffered a cyber-attack then count yourself lucky; left ignored, the odds are against your continued safety.
Business insurance now contains cyber security policies to mitigate the cost of reparations following a successful attack, but it also clearly stipulates that like any insurance, the policy holder must demonstrate that they took reasonable steps to protect themselves and the insurance company from losses. Ignoring industry guidance may lead to claims being rejected.
And on a final note: what’s the cost of doing nothing? The statistics around the financial damage caused by successful cyber-attacks are well published, with clean-up costs to SMEs in 2021 of between £6,500 and £15,000 per incident. The reputational damage and lost earnings of not having systems available to trade are a lot higher.