An organisation's IT estate has usually grown organically over many years, very often with decisions based on what was needed that week rather than on a long-term plan or strategy. This is usually where potential weaknesses occur. Machines are often past their sell-by date – no longer supported by the manufacturer, no maintenance agreement, no regular servicing – the kind of thing that frustrates users too.

An IT strategy that aligns with your business goals can be very powerful, both for the success of the business and for the security of your IT systems. This strategy should include security, and the potential risks and impacts on your business if certain scenarios occur. A loss of internet connectivity, a fire, or a pandemic could have a huge impact on your ability to trade.

So how do you sort it out?

If you ask most people, they will talk about having anti-virus software, a long and complex password, a fingerprint or face ID, etc. The problem is that everyone has an opinion on what good cyber practice looks like. If you consider the complex nature of a business's IT systems, the problem is further compounded.

My advice is that your first port of call is asking your IT provider what they think good cyber practice looks like. Before jumping into the conversation, though, you should confirm that they themselves are Cyber Essentials certified. It goes without saying that a company that practises what it preaches will be in a much better position to provide sound advice. Otherwise, you may find that a provider's view on the subject is swayed by the products and services they have agreed to resell. Those products are usually selected for suitability based on ease of management, ease of installation, ease of reporting and, above all, profitability. This is not a good way of managing cyber risk, and remember that the risk is YOURS. Working with an IT provider that has cyber at its core is a sure-fire way of getting the basics right from the outset.

So, what to do? Ever heard of Cyber Essentials?

The Cyber Essentials Scheme is the official bible for this stuff; it’s trustworthy and is always going to be the right thing for your business.


Because it’s the official Cyber Scheme of the governments of both the UK and Scotland and is designed to protect our national interests by making us all a much harder nut to crack for the hackers. It succeeds because it has no partisan interests in terms of profit or opinion. The scheme is run by the UK National Cyber Security Centre (NCSC) a part of GCHQ. Who better to look after us? Organisations are taken through 60 questions that ask you how you manage your IT systems and by going through these you will begin to understand the risks and what can be done to reduce them. The questions are mapped against 5 controls – firewalls, secure configuration, user access control, malware protection and patch management.

Legal obligations

The dreaded GDPR, now the UK GDPR, is still there! In simple terms it states that all organisations that process personal or intellectual information need to have appropriate technical measures in place to mitigate the cyber threat. This potentially means that if you don't, and you have a data breach, the Information Commissioner can fine you. This is a very real risk that needs to be considered.

Commercial benefits

It is now often a prerequisite for winning tenders, especially in the public sector, to hold a Cyber Essentials or Cyber Essentials Plus certificate. This allows the procurer to sort the secure from the insecure in terms of the risk that engaging with a supplier may present to them. If you are working in the defence sector, then it is mandatory to have Cyber Essentials.

These principles look at how you manage your connections to the internet, your operating systems and applications, your passwords and multi-factor authentication, your anti-virus protection, and the way you regularly update operating systems and software. By getting these areas right, you will greatly increase your protection against bad actors and make it much less likely that you will be the victim of a ransomware attack or data breach.

Once completed, your organisation can be certified as Cyber Essentials compliant. As already outlined, this can help with winning contracts as well as demonstrating that you take the risk seriously.

The scheme is run by the IASME Consortium and you’ll find some fantastic resources on its website – Additional free resources are available at