The latest updates to Cyber Essentials and how they will affect small businesses

No matter the size of your organisation, cybersecurity is ever more crucial. The digital transformation advances sweeping the country are fuelling more efficient, better-managed working environments, bringing a whole host of benefits. However, it’s also vital to upgrade protection systems simultaneously, or businesses risk being hacked or overrun.

Cyber Essentials was introduced in 2014 and is a Government-led framework to give all organisations the knowledge and verification that they have implemented the best practices needed to help protect their data, networks and digital assets from cyberattack. It’s simple but highly effective and has been hugely beneficial for many people across the UK. Most businesses working on Government-issued contracts must have a Cyber Essentials certification.

Recently, Cyber Essentials has been updated after a significant technical review, combined with end-user feedback. Although the principles and themes remain the same, the focus has shifted to include cloud-based networks and newer technologies we’ve been using more since the COVID-19 pandemic.

The changes reflect the ever-changing world of ICT and cloud systems. This article will explain what the updates are and how they’ll affect small businesses.

Changes to cloud services policies

The main new security point of consideration regarding cloud systems is accountability. Who is responsible for the cyber security of a business? The cloud service provider or the user?

The updates reflect the need for the two parties to discuss this and come to an explicit agreement. While this should be done individually, it’s the user who applies to Cyber Essentials, not the provider. As such, the ultimate responsibility lies with the user. It might be good to seek professional advice from ICT specialists when agreeing to contracts with cloud service providers to ensure you meet this requirement.

It’s worth noting that unless you’re a massive organisation, you’re unlikely to be able to negotiate the terms of your contract with a cloud provider. You’ll just be placed onto their generic terms. As such, you’ll need to read these terms and understand what responsibility the provider takes and what responsibility you take.

This will also probably mean you’ll have to change some settings manually to improve security. Vendors do not always enable security features by default, so you need to understand the solution to configure it securely. For example, in Microsoft’s Azure AD, security defaults aren’t enabled by default for all tenancies. Hackers have also recently used the fact that Cisco’s Duo MFA solution installs ‘fail open’ by default to bypass it.

Working from home

It seems alien to us now, but it’s not too long ago that working from home (or hybrid solutions) was seen as the strange alternative method of employment. In 2019, according to the Office of National Statistics, only 27% of workers ever did any work from home. By May 2021, 85% of working adults reported wanting at minimum a hybrid solution – working from home some of the time but also heading into the office every now and then.

Cyber Essentials was created for the environment of 2014, when working from home was the exception, not the rule. Now, though, home Wi-Fi connections could represent easier targets for hackers. Cyber Essentials recognises it’s impractical to ask all workers to configure their own routers – even with guidance. However, there’s a stricter focus on firewalls and other protective measures.

Multi-factor authentication

Multi-factor authentication adds another layer of security to your system’s access requirements. There are many different ways it can be done, primarily through notifications sent to phones, one-time password tokens sent to user email accounts, or external authentication apps.

It’s usually available for free, making life much simpler for businesses. They should always select a method that their employees can easily understand and use, and that balances ease of use with security. For example, a worker without a smartphone probably wouldn’t be able to access their account through an iOS or Android app.

Passwords

There has been a general update on how workers should choose their passwords. There’s a slight change to the ‘Three Word Passwords’ guidance, offering simple ways to create passwords that are easy to remember but hard for criminals to crack.

The basics remain the same. Your users shouldn’t use common passwords like ‘password’ or ‘123456’ – hackers know all about these. Also, changing passwords to replace letters with numbers (for example, ‘password’ might become ‘p455w0rd’) is another no-no. The criminals know about this too. Do continue to use password managers. These create random passwords that are safely stored and almost impossible to randomly guess.
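
To show why swapping letters for numbers adds so little, here is an added example (not taken from Cyber Essentials or written by AMDH) of a check run when a user sets a password: it undoes common look-alike substitutions before comparing against a deny list. The deny list, the substitution map and the function name are constructed for illustration; a real deployment would load a much larger list.

```python
# Added example: a password deny-list check that sees through
# letter-to-digit swaps. All sample data below is constructed.

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Each look-alike character maps to the letters it commonly stands for.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}


def denied_match(password):
    """Return the deny-listed word this password reduces to, or None."""
    pw = password.lower()
    # Every reading has the same length as the input, so anything longer
    # than the longest deny-listed word cannot match. This also bounds
    # the number of readings generated below.
    if len(pw) > max(len(word) for word in COMMON_PASSWORDS):
        return None
    readings = {""}
    for ch in pw:
        # Keep the literal character and every letter it may stand for.
        options = ch + LEET.get(ch, "")
        readings = {r + o for r in readings for o in options}
    hits = readings & COMMON_PASSWORDS
    return min(hits) if hits else None


if __name__ == "__main__":
    samples = ["password", "p455w0rd", "P@$$w0rd", "l3tm31n",
               "coffee-lantern-harbour"]
    for sample in samples:
        match = denied_match(sample)
        verdict = f"rejected (same as '{match}')" if match else "accepted"
        print(f"{sample!r}: {verdict}")
```

Attackers' guessing tools apply the same substitutions automatically, which is why ‘p455w0rd’ is rejected here exactly as ‘password’ is.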

Cyber Essentials and AMDH Services Ltd

Cyber Essentials focuses on at least the main bulk of an organisation’s ICT infrastructure and systems. It covers things like the configuration of office computers, network devices and servers, as well as employees working from home and all virtual cloud-based systems. However, it doesn’t go too in-depth, so small businesses and individuals unfamiliar with modern technology shouldn’t feel overwhelmed.

As a small business, it’s essential to be aware of the updates. The more cloud-based activity you have going on, the more notice you should take. It’s important to keep your business’s cyber security up to date and effective, and Cyber Essentials is a key part of this.

AMDH is a specialist ICT consultancy based in the East Midlands. We are Cyber Essentials Plus accredited and can work as your small business’s ICT partner, ensuring you get the most out of your networks and systems. Through this, you’ll see a significant increase in efficiency and productivity.

We offer ICT strategy services, helping you prepare for the future (including cybersecurity guidance). We could also help identify software that meets your requirements, and install and configure it to your small business and its needs.

Whatever might benefit your organisation, we can help. For an obligation-free chat, why not get in touch with us and tell us about your situation? We’re always happy to chat and give you free professional advice. Get in touch with us through email at info@amdhservicesltd.com or phone us on 01332 322 588. We look forward to hearing from you.
