You should patch your server at least every thirty days, not only to meet your Cyber Essentials Plus requirement once a year
The benefits of the Government-backed Cyber Essentials scheme as a first step in cyber security for your business are endorsed by the National Cyber Security Centre, the Information Commissioner's Office and Devon and Cornwall Police.
As a tool for your business, it demonstrates that you are a trusted partner. Not only does it help to protect your business against low-level cyber-attacks, but it demonstrates to your customers, staff and partners that you have at least the basic controls in place to protect your business and their information.
The Cyber Essentials controls
Cyber Essentials is designed as a self-assessment tool to check that your business has put the key controls in place to protect it from the most common internet threats. The key controls are:
Updates and patching
Malware and antivirus protection
In cyber security terms, this is your five-a-day for protecting your business. There are significantly more steps you can take to help protect your business, but this is a great start.
Next steps: Cyber Essentials Plus
Cyber Essentials Plus is the natural next step and involves the Certification Body independently verifying that the controls are in place and are achieving the results they were designed for. The organisation is independently assessed during a site visit to confirm that the controls are in place, through a series of tests including internal and external vulnerability scanning.
Because the Certification Body are independent assessors, they are unable to carry out the remediation for you, as this would effectively be 'marking your own homework'. As a business, though, you do want to ensure that the controls are in place and are continually working for you.
Where does it go wrong?
As a Cyber Essentials Certification Body, Securious believe that Cyber Essentials and Cyber Essentials Plus are a great low-level health check. These controls are designed to protect your business continually, not just on the day of assessment, so using them as part of your cyber security process can really help protect you. Often, we will go to site for a Cyber Essentials Plus assessment and the organisation will fail because the server has not been patched in the last thirty days. Patching your server is designed to ensure that any vulnerabilities found in software are fixed by the vendor's updates, protecting your business. A process needs to be in place to ensure that this is done regularly, not just once a year to achieve Cyber Essentials Plus. If a business outsources its IT function, it needs to ensure that this process is in place and is being carried out, perhaps even verifying it with a quarterly internal vulnerability scan by an independent provider.
As organisations with Cyber Essentials and Cyber Essentials Plus, let's ensure that the controls are embedded in our processes and continually working hard for us as part of our cyber security journey.
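As an added illustration of the thirty-day patching check described above (example code written for this page, not Securious's own tooling), the Python below reads a Debian/Ubuntu apt history log and reports whether the server's last package upgrade falls inside the thirty-day window. The log excerpt is constructed, and the "as of" date is passed in as a string so the check is reproducible; it counts only runs that contain an Upgrade: line, since installing a new package is not a patch.

```python
"""Report whether a server's last package upgrade is within the 30-day window."""
from datetime import datetime

PATCH_WINDOW_DAYS = 30

# Constructed sample in the layout of /var/log/apt/history.log.
# The second run only installs a new package, so it must not count as patching.
SAMPLE_APT_HISTORY = """\
Start-Date: 2024-01-05  09:12:01
Commandline: apt-get upgrade -y
Upgrade: openssl:amd64 (3.0.2-0ubuntu1.12, 3.0.2-0ubuntu1.14)
End-Date: 2024-01-05  09:12:30

Start-Date: 2024-02-10  03:00:02
Commandline: apt-get install htop
Install: htop:amd64 (3.0.5-7build2)
End-Date: 2024-02-10  03:00:05
"""


def last_upgrade_date(history_text):
    """Return the End-Date of the most recent apt run that upgraded packages, or None."""
    latest = None
    for block in history_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = " ".join(value.split())  # collapse apt's double space
        if "Upgrade" not in fields or "End-Date" not in fields:
            continue  # install-only or incomplete run: not a patch
        ended = datetime.strptime(fields["End-Date"], "%Y-%m-%d %H:%M:%S")
        if latest is None or ended > latest:
            latest = ended
    return latest


def patch_status(history_text, as_of, window_days=PATCH_WINDOW_DAYS):
    """Return (compliant, days_since_last_upgrade); days is None if never upgraded."""
    last = last_upgrade_date(history_text)
    if last is None:
        return (False, None)
    days = (datetime.strptime(as_of, "%Y-%m-%d") - last).days
    return (days <= window_days, days)


if __name__ == "__main__":
    ok, days = patch_status(SAMPLE_APT_HISTORY, "2024-03-01")
    print("compliant" if ok else "OVERDUE", "- days since last upgrade:", days)
```

On a real host, replace the constructed text with the contents of /var/log/apt/history.log (and its rotated copies) and today's date; a result of "OVERDUE" is exactly what fails the site visit.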