Cyber Essentials – does it really help?
Since 2014, when the Government launched Cyber Essentials in Chartered Accountants Hall, take-up by businesses and organisations has moved slowly along its own exponential curve. The pace of take-up increased significantly during 2017, driven by: i) requirements within primarily Central Government contracts and, more recently, wider Government contracts; ii) supply chain requirements from security-aware and focussed entities; and iii) greater awareness by businesses that they need to do something to safeguard their data and, in turn, their business.
I spend the majority of my time either undertaking or managing the independent assessments of businesses who wish to achieve the higher level of Cyber Essentials Plus. This does not require any further work on the part of the business beyond submitting their answers to the Cyber Essentials online portal. The independent assessment is carried out based upon a Government test specification.
So how does Cyber Essentials help?
The standard, in essence, requires IT infrastructure to be securely configured. There is rarely a need to invest in further systems to achieve the standard unless unsupported software, such as Windows XP, remains in use. The problems I find on almost every site visit relate to: i) software still installed that is not required, which in turn usually means it has not been updated (examples include Adobe products, PDF readers and zip apps); ii) user accounts still active for staff who have left; and, most importantly, iii) security patches not up to date.
The key message is that many businesses think their systems are secure but, when tested, many holes are found. Once the remediation work has been completed, there is little doubt in my mind that the business is not only far more secure but has also learnt a great deal more about security along the way.