Organisations that are just starting out on a journey towards improving their cyber security posture often come to us and ask – What should we be doing?

Funnily enough the recent COVID crisis has seen an increasing volume of such enquiries. Some organisations may find themselves “sold” on the latest hot tech vendor or perhaps starting with a full penetration test when in reality they will get more benefit by adopting a security framework like the governments Cyber Essentials programme.

Sounds great sign me up

The brainchild of the National Cyber Security Centre (part of GCHQ) Cyber Essentials covers 5 core areas with technical controls and is designed such that organisations of any size (from coffee shop right up to NHS or MOD contractor) can achieve the accreditation through an IASME certification body.

Organisations can choose between self-assessment (Cyber Essentials) that still needs to be approved by an assessor and independent assessment (Cyber Essentials Plus) where the independent assessment includes additional testing with both assessments covering:

  • Use a firewall to secure your internet connection
  • Choose the most secure settings for your devices and software
  • Control who has access to your data and services
  • Protect yourself from viruses and other malware
  • Keep your devices and software up to date

We’re already certified, but what about changes we’ve made to allow for new ways of working?

As organisations extend the corporate network to homes over VPNs and services like Zoom or Microsoft Teams are adopted it’s worth revisiting your last assessment and checking for areas that might require a different response against last time.

In particular documentation for new services is key; for example, that VPN server which is exposed to the internet – has a risk assessment been conducted and signed off by management? In deploying Slack or Zoom are you keeping track of accounts enabled with administrative permissions? If previously using WSUS or SCCM to patch client devices can they access those same patch management services while outside your offices?

By reviewing these questions again ahead of your next assessment you can identify areas for improvement and ensure continued compliance.

Passwords, passwords, passwords

A significant quantity of the self-assessment questions relate to the controlled use of passwords with the IASME questions asking for a minimum length of 8 characters (following our own internal research we recommend a minimum of 14 characters) and the NCSC being a big proponent of passphrases and staunchly against password reuse. This is not surprising given that many attacks will begin with compromised credentials but early warning systems like ‘Have I Been Pwned?’ can provide a measure of protection and enable administrators to force password changes based upon threat intelligence instead of archine mandatory reset periods.

The ultimate solution here is MFA, but that’s something for another blog post.

Today we ask…

  • Have you adopted any security frameworks to guide ongoing improvement?
  • If yes have you identified projects (and assigned an associated risk/complexity to each one) to remediate any outstanding issues?
  • Have you reassessed your organisation following any changes you have made to accommodate new ways of working?

Useful links – Cyber Essentials by the NCSC – Cyber Essentials delivered by IASME – Check if you accounts have been included in breaches

I may be looking to add a short webinar to this blog series over the coming weeks.  If you feel that that would added value then please add a comment into social link post.

As a business we are committed to providing help, guidance and support to our customers, particularly those on the front line and in critical industries.  We want to do our part to help, so if you have questions, want to chat some things through, you know where we are.