As a Virtual IT Director, it’s my job to give strategic advice and build my clients an effective IT strategy to help meet their business needs and goals. Of course, one of our significant focus areas is improving business security, but how do we do that?
Security is achieved through a mix of people, processes and technology. Working towards a security certification helps you define your process and guides you on technology choices and how to best train your staff - reducing your cyber security risk.
Over the last four years, I’ve guided clients to achieve Cyber Essentials because it’s an excellent certification we believe everyone should have. It’s designed to make you considerably more secure whilst (with the proper preparation) being straightforward to achieve.
Cyber Essentials is the UK’s government-backed security certification. It is designed to protect against a wide variety of the most common cyber-attacks. It comes in two ‘flavours’ – the base Cyber Essentials, which applies to all businesses of any size and industry, and the more demanding Cyber Essentials Plus.
This post looks at how we achieve (and exceed) the Cyber Essentials Plus certification. It will also give you an idea of what you need to consider to do the same.
Why do we go for Cyber Essentials Plus over standard Cyber Essentials?
The base Cyber Essentials is an entry-level certification:
- The audit costs up to £500
- It is self-assessed and independently verified by an auditor
- Depending on your setup, you may not even need additional equipment or licenses
Having this as a starting point is a great idea. It’s full of recommendations that will make you much more secure, but it isn’t too expensive. The more people reach a base level of ‘Cyber Security Hygiene’, the safer we all are.
Cyber Essentials Plus builds on this:
- The Plus audit costs up to £2,900 for 200 devices
- A qualified and independent auditor verifies and tests your security in practice
- You will likely need to spend on hardware, software, and services to reach and maintain a pass level
At Netitude, we favour the Cyber Essentials Plus audit and certification for ourselves because we’re in an industry that requires a high level of security. IT support companies (aka Managed Service Providers) are targeted by cybercriminals because we hold the keys to many other businesses. Therefore, we need to show our clients that we invest in security and take it seriously. For us, Cyber Essentials Plus is just the starting point, and we have processes and technology above and beyond this.
What’s required to pass Cyber Essentials Plus?
The Cyber Essentials framework covers five control areas: Firewalls, Secure Configuration, User Access Controls, Security Update Management and Malware Protection. Although it doesn’t cover backups, the guidance gives them an honourable mention.
In brief, Cyber Essentials requires the following to be in place and correctly configured: Unified Threat Management or firewall devices in your offices, firewalls force-enabled on workstations, default usernames and passwords changed, local admin rights removed, an enforced strong password policy, Multi-Factor Authentication used everywhere, centralised patch management, and managed antivirus. For Plus, you’ll also need a vulnerability scanner.
An IT audit and review process is key: the best firewall will not pass (or keep you secure!) if it is not correctly configured. If you’re not reviewing alerts or failures, you won’t know if antivirus agents are failing to update or if someone temporarily disabled Multi-Factor. If you’re fortunate, you’ll find out during a Cyber Essentials audit; if not, you may not find out until you’re dealing with a breach! Luckily, our clients don’t have to worry about these things because we’ve got it covered.
We meet the areas with the following:
- WatchGuard Firewalls are configured to an established process, with no external access to admin interfaces. Workstation firewalls are enforced using Policy or Mobile Device Management for cloud-only clients.
- Secure Configurations across network equipment, computers and servers by following a build process and putting best practices into our build scripts. All devices require authentication before access.
- User Access Controls with VPN and Remote Desktop protected with multi-factor authentication, and Azure AD Conditional Access to enforce multi-factor for Office 365. Strong password policies are enforced via Windows Server or Azure AD. We encourage staff to choose good passwords through Security Awareness Training.
- Malware Protection with the best-in-class Endpoint Detection and Response software, centrally managed and updated, and supported with best practice device configurations.
- Security Update Management with our Remote Monitoring and Management tool. For Plus, we use a vulnerability scanner to detect and prioritise critical vulnerabilities across any device connected to the network.
- Backups (honourable mention): even though Cyber Essentials doesn’t cover these, the guidance recognises the need. Servers are backed up to a physical server and the cloud. Office 365 is protected with backups into an Amazon data centre. Failures are alerted on, and recovery is tested.
- Process: we have a team dedicated to quarterly audits of our clients’ networks, a manual check that everything is in order, and keeping our clients updated on evolving compliance regulations.
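As an added example (not from the original post and not Netitude’s own tooling), the following PowerShell script gives a read-only spot check of a single Windows workstation against the controls just listed: firewall profiles, local admin membership, Defender status, recent patching and minimum password length. It assumes Windows 10/11 with Microsoft Defender, an English locale, an elevated PowerShell 5.1+ session, and the placeholder account names in $allowedAdmins.

```powershell
# Added example, not from the original post or Netitude's tooling: a read-only
# self-check of one Windows workstation against the Cyber Essentials controls
# listed above. Assumes Windows 10/11, Microsoft Defender, an English locale
# and an elevated PowerShell 5.1+ session. Reports findings; changes nothing.
$findings = @()

# Firewalls: all three profiles (Domain, Private, Public) must be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# User access control: local admin rights limited to the accounts your build
# process provisions. The names below are placeholders; replace with your own.
$allowedAdmins = @("$env:COMPUTERNAME\Administrator", 'EXAMPLEDOMAIN\IT-LocalAdmins')
try {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        if ($allowedAdmins -notcontains $m.Name) {
            $findings += "Unexpected member of local Administrators: $($m.Name)"
        }
    }
} catch { $findings += "Could not enumerate local Administrators: $_" }

# Malware protection: Defender on, real-time protection on, signatures recent.
try {
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings += 'Antivirus is not enabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-3)) {
        $findings += "AV signatures last updated $($mp.AntivirusSignatureLastUpdated)"
    }
} catch { $findings += "Could not query Microsoft Defender status: $_" }

# Security update management: Cyber Essentials expects critical and high-risk
# updates applied within 14 days of release; this is a coarse "patched lately" proxy.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-30)) {
    $findings += "No Windows update installed since '$lastPatch'"
}

# Secure configuration: effective minimum password length (local or GPO-enforced).
# The 8-character floor is an assumed baseline; check the current CE requirements.
$minLen = [int]((net accounts | Select-String 'Minimum password length') -replace '\D', '')
if ($minLen -lt 8) { $findings += "Minimum password length is $minLen (expected 8 or more)" }

if ($findings.Count -eq 0) { 'PASS: no findings' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Any FAIL line is something the quarterly review process above should already have caught; the script is a quick way to confirm a workstation before the auditor does.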
How does Netitude exceed Cyber Essentials Plus standards?
We practice what we preach and apply at least the same standards that we do to our clients to ourselves, including our own internal audits, reviews, and reports to our management team.
We go above and beyond Cyber Essentials Plus for ourselves for two reasons:
- We know IT Support providers are prime targets because of the access we have to our client systems. Therefore, protecting our clients’ businesses is paramount, and we take this responsibility seriously.
- Our clients expect us to provide guidance. By being at the forefront, we have hands-on knowledge of technologies and processes that will end up in certifications like Cyber Essentials as they become more common. As a result, we can continually improve our clients’ IT by updating existing equipment and software configurations, processes, and practices.
We invest in the right additional tools to keep ourselves, and therefore our clients, secure:
- Endpoint Detection & Response (goes beyond traditional antivirus for much better detection and faster remediation of modern attacks; it looks at what things are doing on your computer, not just what they are)
- Phishing Attack Simulation
- Security Awareness Training
- Investment in staff training and certification on the latest technologies
- Change Management Platform
- SIEM & SOAR (advanced security platforms that draw together information from all our other platforms and use AI to alert and respond quickly)
- Members of the CompTIA ISAO (Cyber Security Information Sharing and Analysis Organisation)
How we help our clients achieve Cyber Essentials Plus
We agree on a target date for a Cyber Essentials Plus pass with our clients based on how large a gap our audit reveals and on their requirements. Sometimes this will be a configuration update to existing systems; other times, hardware or software will need to be deployed as part of a project. In all cases, we fully deploy our ‘stack’ of support software and tools, all of which helps get closer to a pass.
Our focus on proactive maintenance and additional quarterly auditing means we keep our clients at Cyber Essentials standards throughout the year – not just the assessment. In addition, our internal standards and processes mean that as standards change, we can update existing software and equipment, and new installations will go in Cyber Essentials ready.
Once we start the audit, we will complete the self-assessment questionnaire and send it back for review and approval. This is submitted to the Cyber Essentials auditor, and we can move on to the independent verification stage of the Plus certification.
Dates will be set for the independent auditor to undertake tasks like the ones below:
- External Vulnerability Scanning (not to be confused with a Penetration Test – in Cyber Essentials Plus, a scan is run to detect incorrect configuration. A Penetration Test goes beyond detection and attempts to gain access via the detected vulnerabilities)
- Internal Vulnerability Assessment – what devices are on the network? Is there anything not up-to-date? Phones, printers, and anything on the network are in scope here.
- Mobile Device Review – Are mobile phones correctly configured to secure company data?
- Antivirus Checks – Is the auditor prevented from downloading a test file designed to look like a virus?
- Software Review – Are you using any unsupported software?
- Evidencing Audit – Providing extra details, exports and reports to prove that the answers to the audit are accurate
We use the same tools and processes on ourselves as we do with our clients. Everything is already set up to meet requirements before we start the audit, so we can be confident we can get our clients to pass Cyber Essentials Plus the first time.
Your next step
All businesses should be working towards a Cyber Security certification nowadays. Basic Cyber Security Hygiene is not a secret; it has been established for years, and it can be as easy as correctly configuring what you already have. The security landscape has never looked so threatening; don’t be low-hanging fruit.
Cyber Essentials Plus is more rigorous and a better fit for organisations in high-security, regulated, or highly targeted industries (manufacturing, financial, health care). As a result, you can feel more confident that you won’t suffer disruption or loss from more advanced or targeted attempts.
Netitude has been helping clients achieve Cyber Essentials since its launch in 2014. In fact, we were one of the first companies in the country to achieve a pass. Our support services are built to give clients the tools and processes necessary to meet and maintain Cyber Essentials Plus requirements.