Cyber Essentials Guidance
It is only when you consider what sensitive or personal data your organisation holds, and the potential damage should any of it be leaked into the public realm, that you realise the value of putting adequate protection in place before an inevitable hack or data breach. Cyber security should be a standing item on your board's agenda; responsibility for it can no longer be placed solely with the tech team.
We have put together some frequently asked questions regarding the Cyber Essentials framework and hope that, as an organisation, you consider taking it on board and increasing the emphasis on protecting yourself and your members' valuable data.
What is Cyber Essentials?
What's involved in the self-assessment?
Why should I do it?
What does it cost?
My organisation is small, do I really need it?
Where can I get advice?
What tools are available to help me achieve Cyber Essentials certification?
Cyber Essentials is a government-backed initiative which, if followed, will give a business or charity a baseline level of protection against the most common forms of attack and vulnerability. It provides a kitemark to indicate that you have taken appropriate steps to mitigate simple and easily overlooked weaknesses within your IT infrastructure, as well as raising awareness of the importance of security among your staff and board members.
Depending on the certifying body you choose and its associated accreditation body, each will have a slightly different self-assessment questionnaire. A basic version of this can be found here. As we chose to go with an IASME accreditation body, ours was slightly more detailed, with over 112 questions, but it gave an added level of confidence in the robustness of our controls. The questions covered the main topics listed below:
- Organisation Scope
- Use of Cloud technologies and their security levels
- Board-level awareness
- HR and specific cyber security policies
- System risk assessments
- Data Protection adherence
- Removable media and encryption
- Staff training
- Machine account and password policies
- Firewall rules and business cases for exceptions
- Vulnerability scans (free software is available to carry these out)
- Patch Management
- Mobile Device Management
- Incident recording and management procedures
It is only a matter of time before you are subject to some form of network breach, malware or ransomware attack, or even data loss. You have most likely got away with it up until now and may think that only the big multi-national corporations, ISPs or financial institutions are at risk.
“Why would anyone want the information we hold?”
Take a minute to think about what details you have in your database, the spreadsheet on your desktop, the documents or pictures in your cloud storage, the emails that you send internally to your colleagues. Now take a minute to consider what would happen if any of that was leaked to the media. Would your organisation fare well in whatever story was printed? What about the lives of those whose information you have just made public? Their families? Your reputation? Legal costs?
The consequences are unthinkable. You are responsible for protecting the information you have been given in confidence; only you can take the action required to ensure that you look after it properly.
Bear in mind also that it may well soon become mandatory for some tenders or some funders; it already is for government tenders. Certification also includes free Cyber Liability Insurance covering up to £25,000 for legal, investigation or recovery costs.
The basic Cyber Essentials certification costs £300 plus VAT. This consists of a self-assessment questionnaire covering many details of your security systems, staff policies and training. Assisted versions of this are available at an additional premium.
The Cyber Essentials Plus certification will cost around £1200 and involves a security professional coming to your site to verify the answers you have given and performing some security scans and testing.
For more pricing information, contact Cyphra.
If you hold any information relating to any member of the public or another organisation, yes. You could be a one-man band with a laptop and an internet connection, but you still need to take measures to protect your systems and your data. In a way, being smaller should make it a simpler process.
There are 4 accreditation bodies (CREST, QG Management Standards, APMG and IASME) which manage certification and the certifying bodies. There are only a few certification bodies based in Northern Ireland; they can be found listed on each accreditation body's website. We have teamed up with Cyphra ([email protected]), the first certifying body in Northern Ireland and the one through which we have become certified.
Please feel free to contact me for further information and assistance [email protected], or check independent advice sites such as www.getsafeonline.org or www.cyberstreetwise.com
You will no doubt need technical help, either from in-house IT staff or by contacting your IT support provider; they should be well aware of this scheme and of what is entailed in getting your organisation in shape to be certified.
You will need to ensure that your Chief Executive and board members are aware of it and of what their responsibilities are going forward. This certification process should be driven from the top down, to ensure the message is spread and that proper due care and attention is given to the undertaking.
There are many guides available online to assist you with the practicalities of covering both the technical and non-technical points in the certification process, and we have tried to gather a few of the most helpful below, along with some we have created ourselves. I would also encourage companies to join the Northern Ireland section of CiSP, a joint industry and government scheme, administered by the police, which enables its members to exchange information on threats and vulnerabilities as they occur in real time. Contact us for more information on joining, or click here.
Cyber Essentials Toolkit:
(Some downloadable files are available at the top of this article)
10 Steps to Cyber Security – published by GCHQ
Cyber Essentials Framework – a guide to the certification
CyberStreetwise – practical advice on securing your network
Staff Training Toolkit – from Microsoft
Are your passwords secure? – NICVA article
Demystifying Social Media Security – NICVA guide to securing your social media accounts
Microsoft Baseline Security Analyzer – patch vulnerability scanner