Since 1 October 2014, Cyber Essentials has been a minimum requirement for bidding for some government contracts. AMDH Services Limited takes its cyber security very seriously. It first certified with the Cyber Essentials scheme in March 2018 and has just completed its recertification.
We believe that even though we are a small business this qualification is still important: firstly, it makes us think about how we are ensuring that our data is protected, and secondly, it makes us intentional about security rather than just tinkering around the edges. Cyber Essentials has asked the right questions for us and pushed us to implement the policy, procedures and underlying technology required to ensure we meet the requirements.
Since we went through this process last year the requirements have shifted slightly – some questions now ask not merely “do you do…” but “how do you do…”. This has pushed us to change our method of implementation for some elements from a manual, process-driven solution to an automated solution that alerts us when there is a problem or when a check needs to be made.
For example, one of the questions on password management in March 2018 asked:
Do you change the password when you believe it may have been compromised?
Whilst the same question in March 2019 asked:
Do you change the password when you believe it may have been compromised? How do you achieve this?
This caused us to think about how we would detect password compromises and look at ways of automatically detecting and alerting on unusual behaviour against any particular account.
Because threat actors never stand still but are constantly using new methods of attack, this is a welcome change, as it is driving our response forwards.