Businesses are at greater risk than ever before from cyber attacks, but a lack of resources, expertise and awareness has left SMEs vulnerable. The increasing prevalence of security breaches in the headlines provides an indication of the changing threat landscape, yet small businesses have largely considered themselves to be at less risk than large corporations or government, either because they don’t believe they have any information of value, or because they believe they are not high-profile enough to warrant interest from hackers.
Recognising the potential losses that a security breach can involve for SMEs, the UK government has launched a cut-down version of its 10 Steps to Cyber Security, providing five achievable goals that it believes both small and large businesses should implement to secure their IT systems.
The Assurance Framework provides two certifications, Cyber Essentials and Cyber Essentials Plus, that SMEs can obtain with minimum effort and at low cost. Cyber Essentials Plus offers greater assurance through external testing of the implemented controls, and both certifications involve completing a questionnaire that’s approved by a company executive, and then verified by an independent certification body.
The five goals set out in the Cyber Essentials Scheme are as follows:
01 Boundary firewalls and internet gateways - these are devices designed to prevent unauthorized access to or from private networks, but they must be set up well, whether in hardware or software form, to be fully effective.
02 Secure configuration - ensuring that systems are configured in the most secure way for the needs of the organization.
03 Access control - ensuring that only those who should have access to systems have access, and at the appropriate level.
04 Malware protection - ensuring that virus and malware protection is installed and is up to date.
05 Patch management - ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.
Once a Cyber Essentials or Cyber Essentials Plus certification has been awarded, the company can display the relevant badge, giving business partners and clients confidence that adequate measures have been taken to minimize the risk of data loss and downtime caused by security breaches.