Cyber Security: shouldn’t be news – servers need regular patching

You should patch your server at least every thirty days, not only once a year to achieve your Cyber Essentials Plus requirement.

The benefits of the Government-backed Cyber Essentials scheme as a first step to cyber security for your business are shared by the National Cyber Security Centre, the Information Commissioner’s Office and Devon and Cornwall Police.

As a tool for your business it demonstrates that you are a trusted partner. Not only does it help to protect your business against low level cyber-attacks, but it demonstrates to your customers, staff and partners that you have at least the basic controls in place to protect your business and their information.

The Cyber Essentials controls

Cyber Essentials is designed to be a self-assessment tool to check that your business has put the key controls in place to protect it from the most common internet threats. The key controls are:

Access controls

Perimeter security

Updates and patching

Malware and antivirus protection

Secure configuration

In cyber security terms this is your five a day to protect your business. There are significantly more steps you can take to help protect your business, but this is a great start.

Next steps: Cyber Essentials Plus

Cyber Essentials Plus is the natural next step and involves the Certification body independently verifying that the controls are in place and are achieving the results they were designed for. The organisation will be independently assessed during a site visit to ensure that the controls are in place by a series of tests including internal and external vulnerability scanning.

Because the Certification body are independent assessors they are unable to carry out the remediation for you, as this would be effectively ‘marking your own homework’, but as a business you do want to ensure that the controls are in place and are continually working for you.

Where does it go wrong?

As a Cyber Essentials certification body, Securious believe that Cyber Essentials and Cyber Essentials Plus are a great low-level health check. These controls are designed to continually protect your business, not just on the day of assessment, so using them as part of your cyber security process can really help protect you.

Often, we will go to site for a Cyber Essentials Plus assessment and the organisation will fail because the server has not been patched in the last thirty days. Patching your server ensures that any vulnerabilities found in software are fixed to protect your business. A process needs to be in place to ensure that this is done regularly, not just once a year to achieve Cyber Essentials Plus. If a business outsources its IT function, it needs to ensure that this process is in place and is being carried out, maybe even checking with a quarterly internal vulnerability scan by an independent provider.

As organisations with Cyber Essentials and Cyber Essentials Plus, let’s ensure that the controls are embedded in our processes and continually working hard for us as part of our cyber security journey.

Shouldn’t be news – servers need to be regularly patched

Securious is a cyber security compliance company based in Devon serving businesses and organisations across the South West and beyond. We offer rapid Cyber Essentials certification, ISO 27001 Compliance and PCI DSS Compliance as well as PEN testing (penetration testing) and cyber security consultancy.