Why It’s More Important Now Than Ever To Get Cyber Essentials Accredited

More companies are operating remotely now than ever before. It may not be by choice, but to continue with business in the wake of COVID-19 they have needed to adapt, and for many, working from home is the new norm. For some, this is just another day in the office, while for others it has been a complete change. But the transition is just part of the challenge – when your whole business is operating remotely, security becomes paramount.

The pandemic has impacted the whole country, but where there is disaster for some, opportunity knocks for others. In particular, hackers will be looking to exploit thousands of businesses struggling with this new way of working.

Last month, The National Cyber Security Centre (NCSC) urged the public to follow online safety advice as evidence emerged that hackers are using the virus to exploit people online.

One of the preferred methods of exploitation is phishing: fake emails, texts and calls, with the emails including links claiming to offer advice or updates. Once clicked, the link harvests passwords or infects the device. Just recently, hackers have posed as official bodies including the UK Government, World Health Organisation (WHO) and the US Center for Disease Control (CDC).

From an operational point of view, businesses with smaller infrastructures will struggle to combat this threat more than others. SMEs in particular lack some of the resources to protect themselves and haven’t necessarily had experience of dealing with these types of threats before.

One of the easiest things firms can do right now to protect themselves is to take advantage of the Government-backed Cyber Essentials scheme, which can help to identify and prevent around 90 per cent of the most common attacks.

Despite the scheme being available since 2014, just 30,000 certificates have been awarded to businesses in the UK – out of a possible 5.9 million. This means there are millions of businesses not adhering to the basic principles of cyber security, or not able to prove that they are.

Some of the most common questions around the scheme are below, to help you understand how the accreditation works:

 

How do you get the Cyber Essentials accreditation?

 


There are two certificates that can be obtained – Cyber Essentials and Cyber Essentials Plus. The former is self-assessment based, with the certificate giving you peace of mind that your defences will protect against the majority of common cyber attacks. The process is easy, but it does cost around £300 for Cyber Essentials – more if you’re going for the Plus (based on the size and complexity of your organisation). Gaining Cyber Essentials Plus is a more rigorous process, with a third-party vulnerability assessment.

 

What is the process?

 

First you will need to review the requirements from the official Cyber Essentials partner, which is the IASME Consortium. You can see the requirements for IT infrastructure here. If you fall short of any of the requirements then you will need to make sure these are up to date before you can begin.

Next, you will need to fill out a self-assessment questionnaire, if submitting for Cyber Essentials.

 

How can I get my business prepared for it?

 

Initially, you should read the detailed set of requirements for your IT. Your business will be measured against the five control groups:

  • Boundary firewalls and internet gateways (used to prevent attackers coming directly over the network)
  • Secure configuration (to reduce the risk of malware being able to get on to your end user devices)
  • User access control (to make sure users only have the right to do what they need to be able to do; this constrains any attackers that try to get in)
  • Malware protection (to further reduce the risk of malware being able to get on to your end user devices)
  • Patch management (to keep ahead of the attacker, who will try and exploit a weakness)

 

This process should be treated as an internal audit; once you have a list of areas where you are not meeting the standard, you can implement a set of corrective actions to resolve them.

 

Will my certificate expire?

 

Yes, it will expire every 12 months, so that you can ensure your cyber security essentials are kept up to date and refreshed every year.

Cyber Essentials will not only help you achieve cyber security best practice, but it will make you an attractive company to buy from, and work with, too. If, when shopping around, you see that one business is accredited and another isn’t, which would you choose?

 

By Colin Robbins, Managing Security Consultant at Cyber Security specialist Nexor.
