Are you preparing for your Cyber Essentials Certification? Here are 7 tips to help you pass the certification at the first attempt!
I recently helped our company pass the Cyber Essentials Accreditation. It’s a certification awarded by the IASME, one of just five organisations appointed as Accreditation Bodies for assessing and certifying against the UK Government’s Cyber Essentials Scheme. The key focus of the Scheme is on the five most important technical security controls. These controls were identified by the UK government as those that, if they had been in place, would have stopped the majority of the successful cyber attacks over the last few years. The official list of companies that currently hold the Cyber Essentials kite mark is publicly available.
Here are 7 tips that will help your company pass the certification, and in the process help your organisation better protect its digital assets against cyber criminals:
1. Security Policy
Create a Data Protection Policy document for your organisation, laying out the requirements for processing personal data pertaining to customers, prospects, business partners, and employees. The document should include guidelines such as what IT users can and cannot do, the password policy, Internet usage guidelines, baseline network device configuration recommendations, the use of employees’ own devices on corporate IT systems, recommendations for controlling access to IT resources, etc. The document does not have to be very complex or long. As an example, our company document is only 10 pages!
2. Data Protection Officer
Nominate a Data Protection Officer (DPO) to enforce your Data Protection Policy throughout your organisation. Even if your organisation is very small, this is worth the effort. It gives all IT users a single point of contact for information security related issues and queries. Moreover, it helps to ensure that you maintain an on-going best practice routine and keep security a top priority throughout the organisation, not just to pass the Cyber Essentials Accreditation time and time again, but to build the good habits required to consistently maintain the strongest security posture.
3. Digital Assets Tracking
Keep an inventory of the corporate software and devices used throughout your organisation, including which software versions each vendor still supports. This is best practice for on-going software patch management and for knowing what’s on your network and why. That knowledge will help you keep a close watch on vulnerabilities in the end point devices accessing corporate network resources.
4. Access Control
Enforce and maintain strong access control on all corporate IT systems. Use Role Based Access Control (RBAC) to ensure that IT users are granted only the privileges their respective roles require. Enforce multi factor authentication wherever possible. Passwords are one of the weakest links when it comes to cyber security in general. Enforcing multi factor authentication throughout your digital infrastructure is one way to strengthen your cyber defence against the growing number of cyber attacks.
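As an added illustration of the two points above (this is example code written for this article, not a tool from the author or from the Cyber Essentials scheme), the following Python models a small deny-by-default RBAC policy and audits it for the two gaps a reviewer looks for: permissions granted directly to a user that no role of theirs justifies, and accounts holding privileged permissions without multi factor authentication. The roles, users, permission names and the definition of "privileged" are all constructed assumptions for the example.

```python
# Example RBAC model with deny-by-default authorisation and a least-privilege audit.
# Roles, users and permission names are constructed for this example (hypothetical).

# Role -> set of permissions. Permissions use a "resource:action" naming convention (assumed).
ROLES = {
    "finance":  {"invoices:read", "invoices:write", "payroll:read"},
    "helpdesk": {"tickets:read", "tickets:write", "users:reset-password"},
    "it-admin": {"tickets:read", "servers:admin", "users:admin"},
    "staff":    {"tickets:read", "tickets:write"},
}

# Assumed definition of "privileged": permissions that should always be behind MFA.
ADMIN_PERMS = {"servers:admin", "users:admin"}

# Constructed user directory. "direct" holds ad-hoc grants made outside of any role,
# which is exactly the privilege creep an RBAC audit should surface.
USERS = {
    "alice": {"roles": {"finance"},          "direct": set(),              "mfa": True},
    "bob":   {"roles": {"helpdesk"},         "direct": {"servers:admin"},  "mfa": True},
    "carol": {"roles": {"it-admin"},         "direct": set(),              "mfa": False},
    "dave":  {"roles": {"staff", "finance"}, "direct": set(),              "mfa": True},
}


def role_permissions(user_roles, roles=ROLES):
    """Union of the permissions granted by a user's roles. Unknown roles grant nothing."""
    perms = set()
    for role in user_roles:
        perms |= roles.get(role, set())
    return perms


def effective_permissions(username, users=USERS, roles=ROLES):
    """Everything a user can do: role-derived permissions plus direct grants."""
    user = users.get(username)
    if user is None:
        return set()
    return role_permissions(user["roles"], roles) | user["direct"]


def is_allowed(username, permission, users=USERS, roles=ROLES):
    """Deny by default: unknown users and unlisted permissions are refused."""
    return permission in effective_permissions(username, users, roles)


def audit_direct_grants(users=USERS, roles=ROLES):
    """Direct grants not covered by any of the user's roles -> candidates for removal."""
    findings = []
    for name, user in sorted(users.items()):
        covered = role_permissions(user["roles"], roles)
        for perm in sorted(user["direct"] - covered):
            findings.append((name, perm))
    return findings


def audit_privileged_without_mfa(users=USERS, roles=ROLES, admin_perms=ADMIN_PERMS):
    """Accounts that hold a privileged permission but are not enforcing MFA."""
    return [
        name
        for name, user in sorted(users.items())
        if not user["mfa"] and effective_permissions(name, users, roles) & admin_perms
    ]


if __name__ == "__main__":
    print("alice may write invoices:", is_allowed("alice", "invoices:write"))
    print("alice may admin servers:", is_allowed("alice", "servers:admin"))
    print("direct grants outside role:", audit_direct_grants())
    print("privileged accounts without MFA:", audit_privileged_without_mfa())
```

Running it flags bob's ad-hoc `servers:admin` grant (the helpdesk role does not cover it) and carol as a privileged account without MFA; both are the kind of finding an assessor expects you to be able to produce from your own records rather than discover during the assessment.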
5. Keep Improving Your Defences
Know your organisation’s existing cyber defence strengths and weaknesses and keep tuning them to improve your on-going security posture. Understand what devices are used to access your digital infrastructure and applications. Track end point devices by type, operating system version, and vendor for mobile phones, tablets, and laptops. Understanding what software versions and potential vulnerabilities you have on your corporate network will help you put in place an effective strategy to detect and respond to cyber attacks.
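The inventory described under tip 3 and the device tracking described here are the same data set looked at two ways, so the following added example (written for this article; not a tool from the author or the scheme) serves both. It takes a constructed inventory of end point devices, compares each against an assumed table of the minimum version each vendor still supports, and reports devices whose last patch is older than an assumed 14-day window. Hosts, products, version floors and dates are all hypothetical.

```python
# Example end point inventory check: unsupported versions and overdue patching.
# All hosts, products, version floors and dates below are constructed for this example.
from collections import Counter
from datetime import date

# Report date for the example (assumed).
AS_OF = date(2024, 6, 14)

# Assumed patch window: days after which an unpatched device is reported.
PATCH_WINDOW_DAYS = 14

# Constructed inventory: who owns the device, what it runs, and when it was last patched.
INVENTORY = [
    {"host": "laptop-alice", "owner": "alice",     "type": "laptop", "product": "Ubuntu",  "version": "22.04",      "last_patched": date(2024, 6, 3)},
    {"host": "laptop-bob",   "owner": "bob",       "type": "laptop", "product": "Ubuntu",  "version": "18.04",      "last_patched": date(2024, 1, 15)},
    {"host": "phone-carol",  "owner": "carol",     "type": "phone",  "product": "Android", "version": "12",         "last_patched": date(2024, 6, 10)},
    {"host": "tablet-dave",  "owner": "dave",      "type": "tablet", "product": "iPadOS",  "version": "17.5",       "last_patched": date(2024, 6, 12)},
    {"host": "kiosk-01",     "owner": "reception", "type": "laptop", "product": "Windows", "version": "10.0.19045", "last_patched": date(2024, 3, 1)},
]

# Assumed vendor support table: the oldest version still receiving security fixes.
# In practice this comes from each vendor's lifecycle page and must be kept current.
MIN_SUPPORTED = {"Ubuntu": "22.04", "Android": "13", "iPadOS": "17.0", "Windows": "10.0.19045"}


def parse_version(text):
    """Turn a dotted version string into a tuple so that 10.0.19045 > 9.9 compares correctly."""
    return tuple(int(part) for part in text.split("."))


def unsupported(inventory=INVENTORY, min_supported=MIN_SUPPORTED):
    """Devices running a version below the vendor floor, or a product with no support data at all."""
    findings = []
    for device in inventory:
        floor = min_supported.get(device["product"])
        if floor is None:
            findings.append((device["host"], device["product"], device["version"], "no support data"))
        elif parse_version(device["version"]) < parse_version(floor):
            findings.append((device["host"], device["product"], device["version"], f"below {floor}"))
    return findings


def overdue(inventory=INVENTORY, today=AS_OF, window=PATCH_WINDOW_DAYS):
    """Devices whose last patch date is older than the window, with the age in days."""
    return [
        (device["host"], (today - device["last_patched"]).days)
        for device in inventory
        if (today - device["last_patched"]).days > window
    ]


def fleet_summary(inventory=INVENTORY):
    """Counts by (type, product, version): the view you want when a new vulnerability is announced."""
    return Counter((d["type"], d["product"], d["version"]) for d in inventory)


if __name__ == "__main__":
    print("Unsupported versions:")
    for host, product, version, reason in unsupported():
        print(f"  {host}: {product} {version} ({reason})")
    print(f"Not patched within {PATCH_WINDOW_DAYS} days as of {AS_OF}:")
    for host, age in overdue():
        print(f"  {host}: {age} days")
    print("Fleet summary:")
    for (kind, product, version), count in sorted(fleet_summary().items()):
        print(f"  {count} x {kind} {product} {version}")
```

The two reports answer the questions an assessor asks directly: is anything on the network out of vendor support, and is anything behind on patching? The version comparison parses dotted numbers rather than comparing strings, which matters once a product reaches a two-digit component.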
6. On-going Security Reviews
Document, track, and review the effectiveness of your Data Protection Policy and make it a living document. Update it on a regular basis with best practices so that IT users benefit from on-going and effective security guidelines. Moreover, by making it a living document you will put in place security processes and routines that make it easier to comply with future security assessments.
For organisations with Internet facing online systems handling sensitive data, make sure you have a defence-in-depth architecture. This does not necessarily mean using a lot of expensive technologies, but using several layers of defence where possible. A defence-in-depth design will include prevention, detection, and mitigation. For small organisations, this can be achieved by using a Unified Threat Management system that includes a network firewall, real-time content inspection, intrusion detection and prevention, a web application firewall, and cyber threat monitoring, all integrated to work as one cyber defence platform.
Good luck with your Cyber Essentials Accreditation and don’t forget to show your badge wherever you can. It’s a well-deserved effort!
— — — — — — — — — — — —
About The Author
Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry leading reputation. He is the founder and CTO of iCyber-Security, a leading edge UK based cyber security firm providing complete and cost effective digital protection solutions to SME’s.