While it’s true there is a version of the Cyber Essentials Level 1 questionnaire for micro businesses, and the main Cyber Essentials Level 1 questionnaire is aimed at businesses up to 250 users, the principles the scheme promotes are good cyber security hygiene for any business.
Many large businesses (for example in the nuclear sector) are now required to have Cyber Essentials certification, as are those who are involved in supplying the UK government with goods or services.
In Scotland, the Justice secretary recently accountance that all 121 public sector organisations will be supported to achieve accreditation to the Cyber Essentials standard as a minimum requirement by 2018.
Cyber Essentials Plus offers a more comprehensive level of assurance by conducting automated penetration testing into your network to check for a wide range of known technical vulnerabilities – large business should be doing this as a matter of routine security practice anyway.
I would challenge businesses of any size to consider whether they are 100% happy with their current posture on:
- Firewalls
- are all the configurations audited and known-secure?
- Is every device running a host based firewall, especially those which spend time out of the office?
- Secure Configuration
- Are all your network devices configured with secure passwords?
- Are you certain there are no old, redundant user accounts configured anywhere on your network?
- User access control
- Is anyone in your IT department routinely logging in as a local or domain administrator?
- Do any of your users share passwords for line of business systems?
- Malware Protection
- Are all your endpoints running malware and virus protection
- Are all of them up to date? How do you know for sure?
- Patching
- Are all your software applications running the latest stable versions?
- Are all your operating systems supported and fully patched up to date? Definitely no Windows Server 2003 or Debian 6.0 running anywhere?
If you can answer yes to all of those (and you’ve not already got Cyber Essentials or another standard certification), you’re part of an exclusive club who are very much ahead of the game – well done!
If not, consider taking a harder look at IT Security across your business – we’d love to talk with you.