I was recently shocked to read a post from a senior cyber security professional stating that Cyber Essentials is a test which captures a moment in time, the implication being that it doesn’t hold much value as an ongoing security strategy. This should never be the case. Even though it is wise to scale up the complexity of your cyber security in line with the growth in complexity of your organisation, Cyber Essentials should form a solid base to that strategy.
Successful cyber-attacks are on the rise and will continue to rise unless we start adopting the common-sense approach that Cyber Essentials teaches us. As an IT consultant who provides advice and support to organisations on a daily basis, I often see that the motivation for attaining Cyber Essentials certification is a box-ticking exercise during a tender process for a government contract, and not part of a due diligence exercise to improve their cyber security posture.
Displaying your Cyber Essentials badge on your website or email signature should mean that you are maintaining the standards that you’ve attested to during the assessment. Does passing your driving test mean that you should ignore the Highway Code after the day of the test? Saying that it captures only a moment in time suggests either that the candidate answered the questions dishonestly or that the controls that were in place at the time of the successful assessment were later changed to a non-compliant state. With the right guidance and support from the consultant, both scenarios seem unlikely.
Gaining a Cyber Essentials certificate should be a proud moment: proof that you have achieved an important and well-recognised standard, and a clear demonstration to your clients that you take data security seriously. Remson’s future clients should expect an education during the entire process. We will ensure that you fully understand the reasons for the adoption of the technical controls, access management, policies and processes before even thinking about taking the assessment. More importantly, it will be made abundantly clear that the standard should be maintained henceforth and that failing to maintain the standard could have dire consequences.
I recently spoke to a senior sales executive from a UK-based car retail partner with around 50 dealerships around the UK. They were hit by a ransomware attack which encrypted 3 significant servers in their head office, disabling access to every laptop, desktop and IP phone across the 50-odd sites. The system was down for 9 days. Loss of income from sales was estimated at just over £1,000,000 and the server recovery process cost around £3,900,000. The root cause of the attack was attributed to a malicious link being clicked in a phishing email. One click caused nearly £5,000,000 worth of damage! The story doesn’t end there. After the remedial work was completed, the inevitable compliance and security training began. As part of the post-incident training, the company underwent phishing attack simulations to test the newly educated staff. 12% of them clicked the link! This says more about the ever-increasing sophistication of this type of attack than about the gullibility of the unsuspecting 12%.
This is a horror story, and it did irreparable damage to that particular company. No matter how successful your company is, paying out nearly £5,000,000 on a cyber clean-up operation is not likely to be factored into your budget. They had no Cyber Essentials certificate. If they had attained the certificate and adopted its standard, the attack would have been unlikely to succeed. Simple access controls required to pass Cyber Essentials restrict executables from being run on client devices.
Remson is proud of the standard set during all its advice, support and installations. A well-configured email management system is likely to have flagged the phishing email as suspicious. As a Microsoft partner, we have access to specialist advice and support to ensure that our Microsoft 365 implementations are done to the highest standard and always with security best practice in mind. In all our Cyber Essentials support packages we will also build a solid remediation plan, with guidance and documentation provided throughout the whole process, arming you with the skills and knowledge to fend off common online cyber threats.
Here at Remson, we believe that your security education starts with Cyber Essentials. Take our FREE Cyber Essentials Readiness Assessment using our Readiness Tool, or get in touch for a chat.