The Cyber Essentials scheme is a valuable, and simple, way for SMEs to keep cyber secure. But all too often it is treated as a tick-box exercise.
Applying for the Cyber Essentials (CE) certification makes sense for many small and medium-sized organisations. Not only is it a requirement for companies wanting to pitch for work with many government and other large organisations, it is also a simple way of self-auditing basic cyber hygiene.
Take Cyber Essentials seriously and you are a good way towards making yourself reasonably cyber secure. Indeed, certification can come with free cyber insurance for small businesses, which indicates that it makes a substantial difference to your security profile.
The problem with Cyber Essentials, however, is that it is a snapshot of what organisations have in place rather than a continuous evaluation of how they work. There is a tendency to think "Now I've got the CE tick I can forget about cyber security for a year": that's a dangerous way of thinking. But this tick-box attitude is all too common.
Australian cyber security specialists Huntsman Security have a way of fixing this problem. Their new Cyber Essentials monitoring solution is designed to boost an organisation's cyber risk posture throughout the year, and not just on the day of certification.
This system enables organisations to track the performance of their Cyber Essentials controls in real time. The solution supplements the yearly CE audit process by allowing organisations to gain a deeper view of their cyber risk posture and ensure their cyber hygiene is adequate every day, not just once a year.
The solution continuously monitors technical Cyber Essentials controls, allowing organisations to gain greater insights into their conformity with the scheme, including:
- Firewalls – including policy changes, admin logons and flagging vulnerable services passing through firewalls
- Secure device configuration – including password strength, Microsoft operating system and Office security settings, and key events from security controls and MDM solutions
- Access controls – including sharing of generic accounts, identifying account changes, and flagging inactive accounts
- Malware protection – including anti-virus events, changes to applications whitelists and banned software execution
- Patch management – including non-application of critical patches, flagging outdated software and issues raised by MDM solutions
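To show why a continuous check differs from an audit-day snapshot, here is an added illustration (not Huntsman's product code or anything from the article) that evaluates two of the control areas above, access controls and patch management, against constructed account and patch records. The 90-day inactivity and 14-day patch thresholds are assumptions for the example; the same data passes the patch check on one date and fails it a few weeks later.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, not values from the article;
# set them to match your own Cyber Essentials scope and policy.
INACTIVE_AFTER_DAYS = 90   # accounts unused longer than this should be disabled
PATCH_DEADLINE_DAYS = 14   # critical/high patches outstanding longer than this are overdue


@dataclass
class Account:
    name: str
    last_logon: date
    shared: bool      # generic account used by more than one person
    is_admin: bool


@dataclass
class Patch:
    host: str
    patch_id: str
    severity: str
    released: date
    applied: bool


def check_access_controls(accounts, as_of):
    """Flag shared (generic) accounts and accounts inactive past the threshold."""
    findings = []
    for a in accounts:
        if a.shared:
            findings.append(("access", a.name, "generic/shared account in use"))
        if (as_of - a.last_logon).days > INACTIVE_AFTER_DAYS:
            findings.append(("access", a.name, "inactive account not disabled"))
    return findings


def check_patching(patches, as_of):
    """Flag critical/high patches still unapplied after the deadline."""
    findings = []
    for p in patches:
        overdue = (as_of - p.released).days - PATCH_DEADLINE_DAYS
        if p.severity in ("critical", "high") and not p.applied and overdue > 0:
            findings.append(("patch", f"{p.host}/{p.patch_id}",
                             f"critical patch overdue by {overdue} days"))
    return findings


def run_checks(accounts, patches, as_of):
    """Run all checks as of a given day; rerun daily rather than once a year."""
    return check_access_controls(accounts, as_of) + check_patching(patches, as_of)


# Constructed sample records (hypothetical hosts, users and patch ids).
SAMPLE_ACCOUNTS = [
    Account("jsmith", date(2024, 5, 20), shared=False, is_admin=False),
    Account("reception", date(2024, 5, 28), shared=True, is_admin=False),
    Account("old-contractor", date(2024, 1, 10), shared=False, is_admin=True),
]
SAMPLE_PATCHES = [
    Patch("laptop-07", "PATCH-EXAMPLE-1", "critical", date(2024, 5, 1), applied=False),
    Patch("laptop-07", "PATCH-EXAMPLE-2", "low", date(2024, 5, 1), applied=False),
    Patch("desk-02", "PATCH-EXAMPLE-1", "critical", date(2024, 5, 1), applied=True),
]

if __name__ == "__main__":
    for day in (date(2024, 5, 8), date(2024, 6, 1)):  # audit day, then weeks later
        print(day, run_checks(SAMPLE_ACCOUNTS, SAMPLE_PATCHES, day))
```

On 8 May the unapplied critical patch is within the deadline and only the two account findings appear; by 1 June the same patch record has become an overdue finding without any change to the data.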
Piers Wilson, Head of Product Management at Huntsman Security, explains that the new service is not designed to replace the annual audit process but instead to complement it. The continuous insight into the risks organisations face allows them to take corrective action to address any security shortcomings whenever they need to.
Huntsman have long been supporters of schemes like the Essential 8 framework in Australia. "This pinpoints weaknesses in security controls and informs organisations how they can mitigate that risk to improve their cyber posture and so, better protect themselves," Piers Wilson says. "Cyber Essentials gives UK businesses a framework to ensure they are following cyber security best practice."
The controls in Cyber Essentials are just that - essential. Despite that, compliance with Cyber Essentials is not difficult. However, SME bosses adopting the standard need to accept that the controls are important and add value to their organisation. They are not just there for decoration or PR value. Because of this, it's important that they are operating properly, not only on the day of an audit but on every other day of the year too.