With security breaches and stolen user credentials almost constantly in the national headlines, no organisation can consider itself safe from cyber attack. The revelation of the medical records of Olympic athletes demonstrates that even organisations which know they are likely to a target can be penetrated by a determined hacker.
Fortunately, most of us are not high profile athletes and therefore unlikely to be of interest to the ‘Fancy Bears’, but with organisations from Lincolnshire County Council to Bournemouth University reporting ransomware attacks, there are clearly are lots of people out there with malicious intent.
One baseline security posture that should be in every organisation’s cyber security portfolio is Cyber Essentials. This is a scheme set up by the Government that aims to help organisations implement basic levels of protection against cyber attack, as well as demonstrating to their customers that they take cyber security seriously. Since 1 October 2014, it has also been a minimum requirement for bidding for some government contracts.
The scheme is available at two levels:
- Cyber Essentials - an independently verified self-assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.
- Cyber Essentials PLUS – a higher level of assurance. A qualified and independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.
Security is of course is at the heart of all Fordway’s managed cloud services, so we recently carried out the self-assessment ourselves to check that everything we do meets the recommended standards. I’m happy to say that we gained Cyber Essentials certification immediately. As we were already ISO27001 accredited and security is embedded into the Fordway culture, our security baseline surpassed that of Cyber Essentials. We are now scheduling the Cyber Essentials PLUS audit. We can also now confidently recommend the scheme to our customers as a great starting point for ensuring that they have a solid security baseline which will mitigate the majority of cyber attacks.
The scheme does two things. First, it mitigates the common causes of cyber attacks. Its recommendations may seem to be obvious security measures but are an essential part of ensuring that your organisation is protected. Too often we find companies jumping ahead of themselves and looking at expensive security technology before they’ve got the basics right. Second, the scheme looks at the five basic technical controls that organisations need:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
These were chosen because, when properly implemented, they will help to protect against skilled and unskilled internet-based attackers who are increasingly using commodity capabilities which are freely available on the internet and other cloud services, such as Ransomware as a Service and Crimeware as a Service. The scheme also covers mobile device protection and touches on some basic security policies.
It’s important to note that even the best technology cannot provide 100 per cent protection against cyber attack, so we strongly advise organisations to regularly review and monitor their back-up and DR protection. If you’d like to discuss Cyber Essentials or any other aspect of security, please contact us. Fordway also offer Patch Management as a Service.