Covid-19 has forced companies up and down the country to operate remotely while the Government tries to reduce the spread of the virus. Some businesses have been better set up for the temporary change, with a smooth transition to their entire workforce working from home; others have struggled. While remote working has many fantastic benefits, if it’s not done securely then you’re leaving the door ajar for the hackers to slip in and steal your most valuable assets.
Hackers will exploit anything they can and Covid-19 is no exception. Businesses will be so busy trying to stay afloat right now that the cybercriminals will make the most of the distraction, and they are. Earlier this month the National Cyber Security Centre (NCSC) urged the public to follow online safety advice as evidence emerged that the hackers are exploiting the virus online.
Phishing attacks seem to be the most common form of exploitation, with bogus emails in circulation containing links that claim to lead to important updates. Once a link is clicked, the device becomes infected. This is being seen across the globe and hackers are even impersonating official bodies including the UK Government, World Health Organisation (WHO) and the US Center for Disease Control (CDC).
Firms of all sizes are at risk right now, but SMEs in particular as they’re the ones most likely to forget to lock the door behind them, so to speak. One of the easiest things firms can do right now to protect themselves is to take advantage of the Government-backed Cyber Essentials scheme, which can help them to identify and prevent around 90% of the most common attacks.
Despite Cyber Essentials’ launch back in 2014, only around 30,000 certificates have been awarded to businesses and organisations – out of around 5.9 million companies in the UK. We’ve answered the most common questions on the scheme to help firms take action, and fast.
How do you get the Cyber Essentials accreditation?
There are two certificates that can be obtained – Cyber Essentials and Cyber Essentials Plus. The former is self-assessment based, with the certificate giving you peace of mind that your defences will protect against the majority of common cyber attacks. The process is easy, and that’s what businesses need right now, but it does cost around £300 for Cyber Essentials. Gaining Cyber Essentials Plus is a more rigorous process, with a third-party vulnerability assessment. The price will also depend on the scope and size of your organisation.
What is the process?
The process has changed slightly from April 1 2020; before, businesses would apply for accreditation through one of five Accreditation Bodies. In order to make the process simpler and more consistent, there is now one Cyber Essentials partner in place, as opposed to the five Bodies. That partner is the IASME Consortium.
Once you’ve contacted the Consortium you will need to verify that your IT is suitably secure. You can see the requirements for IT infrastructure here. If you fall short of any of the requirements then you will need to make sure these are up to scratch before you can proceed.
After this you will need to fill out a self-assessment questionnaire, if submitting for Cyber Essentials. Your CEO will then need to sign that self-assessment to confirm your answers are a true representation of your security controls. Once submitted, you should get a response within days.
How can I get my business prepared for it?
First of all you should read the detailed set of requirements for your IT. You need to assess yourself against the five control groups:
- Boundary firewalls and internet gateways (used to prevent attackers coming directly over the network)
- Secure configuration (to reduce the risk of malware being able to get on to your end user devices)
- User access control (to make sure users only have the right to do what they need to be able to do; this constrains any attackers that try to get in)
- Malware protection (to further reduce the risk of malware being able to get on to your end user devices)
- Patch management (to keep ahead of the attacker, who will try and exploit a weakness)
This process should be treated as an internal audit; once you have a list of areas where you are not meeting the standard, you can implement corrective actions to resolve them.
Will my certificate run out?
Yes. This is another recent change. Prior to April 1 2020 there was no expiry date on Cyber Essentials certificates. Now they have a 12-month expiry date. This will help companies to continually maintain and improve their cybersecurity processes.
Not only will Cyber Essentials help protect your business from losing valuable information, and as a result money, it will also make you an attractive company to buy from, or work with, with the reassurance that you have the correct cybersecurity measures in place.
By Colin Robbins, managing security consultant at cybersecurity specialist Nexor.