As a digital agency, we work with sensitive client data every day, and with that responsibility, we need to ensure that we’re taking cybersecurity seriously. This is why we’re very happy to announce that we have just been Cyber Essentials Plus certified, taking another big step in reinforcing the safety and security of both our clients’ data and our own. We had already attained the basic Cyber Essentials certification in 2018, so this was our logical next step. But what is the Cyber Essentials certification, and why have we attained it?
What is Cyber Essentials?
Cyber Essentials is a cybersecurity certification program set up by the UK government in 2014 to encourage businesses of all sizes to establish a good cybersecurity foundation and reduce their vulnerability to the most common forms of attack:
- Password brute forcing – Where attackers repeatedly try to guess passwords to accounts, exploiting weak passwords to gain access.
- Phishing – Sending emails designed to encourage employees to click on malicious links or download malicious files in order to gain access to their computer.
- Device hacking – Hacking into an employee’s computer or phone to gain access to their files and the wider company network.
- Network hacking – Hacking into the company network from outside, either into the Wi-Fi network or from the internet, exploiting vulnerabilities in the company’s connection to the web to gain access.
Cyber Essentials is split into two certifications:
Cyber Essentials
This is the first certification and involves an organisation following a checklist of requirements to increase their security, such as setting up a firewall and updating company computers. The requirements are foundational, meaning that they are relatively simple to complete and are designed to establish a baseline of cybersecurity rather than be the only measures taken. In line with the foundational nature of the certificate, Cyber Essentials is a self-certification, meaning that once the requirements have been met, the company can send in a completed checklist to gain the certification.
Cyber Essentials Plus
This is the next step after acquiring the first Cyber Essentials certification. This level of certification verifies that you have actually fulfilled the requirements of the Cyber Essentials certification – i.e. it checks that you have done what you say you’ve done. This involves a security auditor coming on-site to your business and testing whether your implemented security controls are working as they’re supposed to. If they are, then you’ll be awarded the certification. If not, you’ll be given a report indicating where you still need to improve against the requirements.
Why Cyber Essentials?
There are two primary reasons to get the Cyber Essentials certifications: data protection (Data Protection Act 2018 and GDPR) and company reputation.
Data protection is something any organisation managing data, especially any data that doesn’t belong to them, must be aware of and act upon. With data breaches becoming more and more commonplace, and even huge companies falling victim, businesses need to take their information security and privacy controls seriously if they wish to avoid joining the list of breached companies. A breach can mean attackers acquiring valuable information related to your company or your customers and clients, which could then be leaked into the public domain, used for extortion and blackmail or sold to competitors.
GDPR is designed to enforce data protection, and companies that lose data containing personal information and are found not to have adequate defences in place can be fined. These fines can be substantial, up to €20 million or 4% of global annual revenue, so businesses must act to put safeguards in place.
A data breach is not only potentially costly from a financial perspective, but also from a reputational one. 64% of customers say that they are unlikely to do business with a company where financial or sensitive data was stolen, and 50% say the same about a company where non-sensitive information was stolen. For an e-commerce business, this can be disastrous to long-term growth. If you are a B2B company, this can affect sales, stop negotiations and close doors to new business.
Provably strong security is also becoming a prerequisite for many organisations when entering into partnerships with other businesses such as agencies or sub-contractors. This is especially true of governments. Not having adequate security, or not being able to prove that you have taken the necessary steps, can end a potential new business deal before it’s even begun.
What we did to prepare
As a security-conscious company, Storm had already put in place a number of measures to increase our security, such as:
- Antivirus and antimalware programs deployed on every machine.
- Role-based permissions, ensuring that not everyone in the company has Admin privileges.
- Firewalls to filter external traffic and block malicious attempts to access our network.
- Information Security policies such as utilising encrypted emails, phishing awareness and strong passwords stored in a password manager.
- Multi-factor authentication enabled for all company logins.
These measures are an essential foundation for any company, but to pass Cyber Essentials we needed to introduce additional steps and tools:
Open-source vulnerability scanner
Used to detect potential vulnerabilities on devices running inside our network and against our firewall, which acts as a barrier between our network and the internet.
Looks at packets of traffic moving around our network and detects if any of that traffic looks potentially malicious.
Access request and approval process for accessing information
Using automation, we are able to authorise requests for access to systems and information, and then automatically grant users access on a time-limited basis, automatically removing that access when the limit has been reached. It also gives us an audit log showing who had access to a resource at a particular time and who approved it.
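The approve-then-expire workflow described above, as an added illustration that is not Storm's own tooling: an approver other than the requester grants access for a fixed number of hours, access disappears once the window has passed, and the grant history doubles as the audit log. Class names and the in-memory store are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from itertools import count

# Added illustration of the approve-then-expire workflow described above, not
# Storm's tooling; class names and the in-memory store are assumptions.

# One approved, time-limited access grant.
Grant = namedtuple("Grant", "user resource approver granted_at expires_at")

class AccessBroker:
    def __init__(self, approvers):
        self.approvers = set(approvers)
        self.pending = {}        # request id -> (user, resource, hours)
        self.history = []        # append-only list of grants: the audit log
        self._ids = count(1)

    def request(self, user, resource, hours):
        rid = next(self._ids)
        self.pending[rid] = (user, resource, hours)
        return rid

    def approve(self, rid, approver, now):
        """Only listed approvers may approve, and never their own request."""
        user, resource, hours = self.pending[rid]
        if approver not in self.approvers or approver == user:
            return None          # refused; the request stays pending
        del self.pending[rid]
        grant = Grant(user, resource, approver, now, now + timedelta(hours=hours))
        self.history.append(grant)
        return grant

    def who_had_access(self, resource, at):
        """Audit query: who held access to `resource` at `at`, and who approved."""
        return sorted((g.user, g.approver) for g in self.history
                      if g.resource == resource and g.granted_at <= at < g.expires_at)

    def has_access(self, user, resource, now):   # expiry needs no extra step
        return any(u == user for u, _ in self.who_had_access(resource, now))

def demo():                      # constructed scenario, returns the key results
    t0 = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker(approvers={"bob", "carol"})
    rid = broker.request("alice", "client-db", hours=2)
    refused = broker.approve(rid, "alice", t0) is None      # self-approval fails
    broker.approve(rid, "bob", t0)
    during = broker.has_access("alice", "client-db", t0 + timedelta(hours=1))
    after = broker.has_access("alice", "client-db", t0 + timedelta(hours=3))
    audit = broker.who_had_access("client-db", t0 + timedelta(minutes=30))
    return refused, during, after, audit
```

A real deployment would persist `history` somewhere append-only and have a scheduled job revoke the underlying group membership or token when `expires_at` passes; the check here only shows the time window being enforced.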
Local Administrator Password Solution (LAPS)
For environments where users must log on to computers without domain credentials, LAPS prevents the same local administrator account credentials from being used across devices, and domain administrators can grant read access to the stored passwords to authorised users or groups, such as workstation helpdesk administrators.
Software Restriction Policies
Prevents users from running file types such as .EXEs from their Downloads folder. This discourages users from running files straight from the browser, one of the most common ways malware gets in.
O365 Advanced Threat Protection
Used to provide an extra layer of defence against phishing attacks.
How can you improve your security today?
Cybersecurity can be daunting to begin with, and it can feel like there are just too many things to do. Following the Cyber Essentials checklist can make this more manageable; it is based on five technical control themes:
Firewalls
It’s no secret that the internet is a hostile place, and attackers are always probing for unprotected access points that they can potentially exploit to gain access to networks. A good firewall can block a great deal of this risk by only allowing the traffic you trust into your network.
Secure Configuration
When first delivered, a device’s manufacturer settings are often insecure defaults – e.g. “admin, password” – and devices also often come with unnecessary additional programs installed. Changing the default passwords and settings to more secure versions, and uninstalling any unnecessary software, can help reduce the attack surface a threat actor has access to. Strong, unique passwords are part of this and should be used for everything that requires a login. If multi-factor authentication is available for these logins, it should also be enabled.
User Access Control
Most employees have no need for admin rights on their devices. By restricting this access, if a malicious actor somehow gains access to their computer, it restricts what they can do and helps to minimise the potential damage they may cause. If you have staff who only occasionally need admin rights, consider setting up a system that grants temporary rights upon an approved request.
Malware Protection
Malware comes in various forms and is a serious threat if it manages to get into your company’s systems. To mitigate it, first make sure that Windows Defender (or XProtect on a Mac) is enabled; these are the built-in malware protection programs and provide a good base level of protection. To enhance this protection, you can install a dedicated antivirus and antimalware program, as well as setting up whitelisting for apps so that only approved programs and processes can run on a company computer.
Patch Management
Keeping operating systems and all software installed on company computers updated is an absolute must. Security holes are being found all the time, and only by making sure your patching is up to date can you mitigate these vulnerabilities. Setting up a patching policy in your company that either forces updates to happen at a set time, or pushes employees to ensure their devices are up to date, is a good way to enforce good patching practice.
Cybersecurity has never been as important as it is now, and while it may seem difficult to get right, pursuing certifications like Cyber Essentials can help businesses of all sizes begin securing their data and their reputation against malicious actors.
For us at Storm, achieving Cyber Essentials Plus is a positive next step, but we already have our sights set on the next, more rigorous certification of ISO 27001. Attackers are only getting more sophisticated, and in our ever more connected world, we want to make sure that we’re not just ready for the threats of now, but the future too.
If you want to know more about how we keep our clients’ data secure or want to propose a new project to us, get in touch today and discover how Storm ID can help you.