Cyber Essentials and Cyber Essentials Plus provide a simple but effective framework for cyber security in UK businesses. Getting certified is an excellent first step toward protecting your data and demonstrating to your customers that you take digital asset protection seriously. More and more companies are making this certification a mandatory requirement for their suppliers, and anyone involved in UK government supply chain contracts will be required to hold an up-to-date qualification. Gaining a cyber security qualification can be a daunting prospect, particularly for smaller businesses, but we can help guide you through the process.
Step 1. Develop a cyber security policy for your organisation
If your employees know what is expected of them, they’re more likely to adopt safer cyber security practices. IT knowledge can vary vastly across your organisation, so a comprehensive information security policy can ensure that everyone is working to the same standards. Your policy doesn’t have to be overly complex – the key thing is that it can be understood and executed by everyone.
Essential items that it should cover include:
- The requirements for handling and processing personal data of customers, employees, and third parties.
- A password policy that describes the minimum requirements for passwords: length, complexity and any additional authentication factors.
- A set of guidelines that define what users can and cannot do, including access controls and internet usage, both on the premises and working remotely.
The security policy should be distributed to everyone within your organisation, and regularly updated as required.
Step 2. Nominate a Data Protection Officer
Although this might not be an essential step in every organisation, appointing a data protection officer (DPO) can help implement your new policies throughout the company. A DPO is a single point of contact for any queries relating to data protection and can act as a coordinator for all business security initiatives.
Cyber Essentials requires you to complete and submit a self-assessment questionnaire and to provide relevant evidence to support your answers, so it’s useful to have someone to take charge of the process.
Step 3. Take inventory of your digital assets
If this step is worrying you, it’s probably because you don’t have a clear picture of the devices in use across your company. That’s not uncommon, especially for smaller businesses that are just starting out. But it’s important to know what hardware and software are being used by your employees in order to keep them secure and up to date. Using the latest versions of software and applying security updates promptly is paramount to keeping your data secure.
It’s important to note that you also need to know which mobile devices are accessing your data and email, not just laptops. This also includes staff-owned mobile devices. You need to ensure that there aren’t security gaps on mobile phones/tablets, just as you do with laptops. If you know which devices are connected to your network, it’ll be easier to spot any unauthorised connections from unfamiliar devices and to take action to remove or isolate them.
Step 4. Access control
Sensitive information should only be accessible to those who need to use it for their role. Restricting data access based on user requirements forms part of the Cyber Essentials certification.
User access should be regularly monitored, ensuring access levels change based on the demands of the role. If there are user accounts that are no longer in use, such as test accounts or former employees, they should be promptly removed.
Step 5. Review your controls and configurations
Firewalls and anti-virus software are covered by the Cyber Essentials questionnaire and must be in place to achieve your certification. Your firewall monitors and controls the incoming and outgoing network traffic based on predetermined security rules, while anti-virus software protects your systems from malware that could be used to steal or corrupt your data.
Step 6. Regularly review your security arrangements
A cyber security policy isn’t set-and-forget – it must be regularly monitored and reviewed to meet the demands of a growing company and a changing digital landscape. Conduct regular reviews of your devices and systems to evaluate the effectiveness of your policies.
Need help with gaining your Cyber Essentials qualification?
If the whole process sounds a bit daunting, rest assured that you don’t have to do it alone. Forensic Control provides a hands-on, comprehensive service for anyone wanting to upgrade their digital security by obtaining Cyber Essentials certification. For a set price, we offer unlimited assistance and guarantee that you’ll pass the first time. We’ve been around since 2008, and have certified dozens of organisations, from the smallest to some of the best-known in the UK.