Inspire's Odyssey - Some certificates matter more than others
by David Dwyer on 22/02/2019
As we highlighted recently, no matter how effective your online presence might be, it is all for nothing if you’re compromised by malicious actors.
How would you handle the impact of reputational damage, or worse, that comes from a lack of resilience to criminal attacks? Remember, this is your responsibility.
The field of cyber security is as arcane and confusing as any speciality within I.T. and it is easy to think that nothing short of a raid on the corporate piggy bank will secure your company.
If you want to armour-plate your business, that may be true; however, there are some practical steps that can be taken that are well within the reach of most of us, particularly when you can get funding of up to £1,000 towards improving your business resilience.
The National Cyber Security Centre, part of GCHQ, has an excellent certification scheme, Cyber Essentials, which has been running for a couple of years and is designed to help businesses achieve a stronger level of security without having to delve into the darker arts of security.
This is a route that Inspire has been planning to take for a very long time. At the outset we wanted to evidence/display what we’d applied to ensure our business’s resilience, but like most things we know we need to do, we’ve procrastinated and the cyber threat has continued to evolve.
Having said that, we are delighted and relieved to have now gone down the Cyber Essentials route and achieved our NCSC certification.
It was neither excruciatingly painful nor expensive to complete, both of which we were very concerned about before planning.
Choosing your partner to progress this with is very important though, and we were delighted to have worked with the team at m3 Networks, who guided us through the journey to certification.
It’s very important to point out that NCSC certification doesn’t make an organisation totally bomb-proof, but what it does do is address many of the common routes of exploitation.
Certification covers five important areas:
Proper implementation of firewalls protects against intrusion and denial of service attacks. It gives you control of what enters and leaves your corporate network.
Ensuring a secure and managed configuration reduces the possibility of attacks which exploit weaknesses in the way operating systems and applications are configured and installed. Linux is famously installed with everything set to ‘open’ despite the fact that as an operating system it can be configured to be exceptionally secure. Remember “Open Source” means literally it’s open and available to anyone, and that includes criminals.
Access control is one of the golden rules of security – if you do not know who has access to your systems, and you don’t ensure that access is appropriate to each user’s needs, you have no security at all. This is one of the most common failings within organisations – failure to delete old employee accounts, failure to ensure that access is matched to the job requirements, failure to enforce a viable password policy. Often the argument is that all this takes up valuable resources and who really cares? Well, it may take effort, whether that be time, reallocated manpower or the software to manage it, but it’s still far less costly than attempting to recover from a breach.
Malware protection. Most companies are familiar with the concept of anti-virus routines; however, it is another area that requires ongoing attention. Simply installing software isn’t enough – software cannot protect your enterprise against a poor decision to allow access to your system because the other party is a “good fellow”.
It won’t adequately protect against consultants who use Apple laptops and blithely claim that they “can’t get viruses”. Despite Apple’s best efforts, yes, Mac malware and viruses do exist. Countering malware is one more vital block in the wall you build against attackers.
Finally, patch management, not the most exciting subject, but vital. A failure to update Windows in good time cost the NHS an estimated £92 million.
That is unfortunate, given it could have been avoided had the NHS applied the available security patches; an expensive oversight. Ensuring that you are on top of applying patches and updates is critical to your security.
For us at Inspire, achieving our Cyber Essentials certification was not about gaining another bauble accreditation logo to add to our website but about practising what we preach and giving us the peace of mind that we’re not only looking after our business resilience, but ensuring our clients know we have the business resilience in place to support them “come what may”.
We firmly believe that over the coming years our digital sector will continue to evolve towards a regulated marketplace and that this exercise will ensure future clients know we’ve invested in not only our resilience but their peace of mind.
The steps encompassed by the scheme go a long way to eliminating the common routes of entry and compromise that many businesses fall prey to. If, like us, you believe that all businesses have a responsibility for their own security and safety, the NCSC Certification scheme is an excellent and systematic way to establish a standard and to tell others that you care about security.
If you would like to talk about our experience with the Cyber Essentials scheme, or about anything concerning your websites, marketing and social media campaigns, contact us for a free initial consultation.