Latest News

Stay up-to-date with the latest news and developments at Blue Frontier.

Blue Frontier is Awarded Cyber Essentials Plus Accreditation

Date Thursday, 26 September 2019 , By: Marc , In: Company News

Blue Frontier is Awarded Cyber Essentials Plus Accreditation

On Tuesday 24th September, we passed the assessment to gain the Cyber Essentials Plus accreditation. As well as demonstrating that Blue Frontier now meets the security standards suggested by the National Cyber Security Centre, this allows us to act as accreditation partners, assisting other organisations with becoming accredited by developing and implementing policies and procedures within businesses and, more importantly, helping organisations identify vulnerabilities and improve their security controls.

There are currently 2 HMG-approved levels of accreditation available from the NCSC – which is an arm of the government-affiliated with the government’s communications intelligence agency GCHQ.

These are called “Cyber Essentials” and “Cyber Essentials Plus”.

 

Cyber Essentials is an HMG approved standard that provides a framework for businesses around which to design their information security systems.

This standard requires that an organisation completes a questionnaire about the cyber security measures in place within the organisation and that they provide evidence of the policies and procedures that are in place.

The standard addresses:

  • Security of internet connectivity
  • Device and software security
  • Access controls around data and services
  • Protection from viruses and other malware
  • Ensuring that all software and devices are kept up to date

 

Cyber Essentials Plus goes one step further with an independent technical cyber security audit that is conducted by an HMG approved organisation. This verifies that the technical and organisational controls we have established are fully implemented and working.

To achieve this status, Blue Frontier had to address the following:

 

Firewalls

This requires being aware of your vulnerabilities and exposures and addressing this directly by controlling inbound access to your network and adopting a layered approach to network security with both perimeter and software based firewalls deployed and configured correctly.

 

Passwords

Code
Passwords

Passwords are the first line of defence in terms of securing access to devices, services, and applications. Removing default passwords, and replacing them with strong, unique, memorable passwords is the first vital step in improving security. Wherever possible, multi-factor authentication should also be implemented which enhances password protection by making use of time-limited, single use, constantly evolving codes in addition to traditional usernames and passwords.

 

Access Control

All services, applications and systems should be access controlled, thereby appropriately restricting who has access to what across the network, and based on business need. Having the necessary technical controls, policies, procedures and staff training is vital in ensuring that users can access what they need in order to do their job, while ensuring that they do not expose the organisation to unnecessary risk.

 

Patch Management

Euan
Ollie and Rob

All software applications, firmware, websites, operating systems and platforms are potentially vulnerable to attack having a list of known, and a host of potentially unknown, vulnerabilities. These vulnerabilities are published by a variety of sources and addressed by the vendors issuing patches on a routine basis (the second Tuesday of every month for Microsoft, for example). Cyber Essentials mandates, controls, and validates these patches with a 'Critical' or 'High level' of risk are addressed within 14 days of release. 

One of the little known facts about patches is that many of these require secondary and tertiary activities to take place in order to fully implement the patch. Simply downloading and installing these patches does not, in fact, fully implement the fix required by the manufacturer.

 

Protection from Viruses and Malware

One of the biggest threats keeping CTO’s up at night is the threat of malware. In October 2016, a series of denial of services (DDoS) attacks, utilising IoT devices, disabled popular sites like Spotify, PayPal and Twitter for almost a day. It was determined that the vector for this attack was malware on computers, in association with unpatched vulnerabilities on the IoT devices, enabling malicious perpetrators to gain control of the IoT devices and launch the denial of service attack.

In addition to antivirus/anti-malware software, Cyber Essentials also allows organisations to use two other anti-malware policies:

  • Whitelisting creates a list of administrator approved software. Any application not on this list will be blocked from running. 
  • Sandboxing. A sandboxed application is run in an isolated environment with very restricted access to the rest of your device and network, preventing any malicious software from further damaging or affecting your business systems.

Having a robust company-wide approach that analyses risk, identifies vulnerabilities, and imposes technical and organisational controls to mitigate these vulnerabilities is a vital foundation to your organisation’s cyber security.

Banking
NHS

With our new Cyber Essentials Plus Accreditation, our current and future clients can rest assured that cyber security continues to be a primary focus for Blue Frontier, and that should you wish to improve your own organisation’s cyber security, Blue Frontier have the credentials, expertise, and experience to assist you with doing so.

Marc

By: Marc

Marc joined Blue Frontier in 2007 and was welcomed to the board of directors in 2016. With industry experience dating back to 2003, he heads up the technical support team with a strong focus on service. As our lead networking and virtualisation engineer, Marc provides the invaluable link between clients and technicians. His incredible versatility is evidenced by his further roles as: Information Security Manager, Data Protection Officer and Quality Assurance Manager.