On Tuesday 24th September, we passed the assessment to gain the Cyber Essentials Plus accreditation. As well as demonstrating that Blue Frontier now meets the security standards suggested by the National Cyber Security Centre, this allows us to act as accreditation partners, assisting other organisations with becoming accredited by developing and implementing policies and procedures within businesses and, more importantly, helping organisations identify vulnerabilities and improve their security controls.
There are currently 2 HMG-approved levels of accreditation available from the NCSC, which is an arm of the government affiliated with the government’s communications intelligence agency, GCHQ.
These are called “Cyber Essentials” and “Cyber Essentials Plus”.
Cyber Essentials is an HMG-approved standard that provides a framework around which businesses can design their information security systems.
This standard requires that an organisation completes a questionnaire about the cyber security measures in place within the organisation and that they provide evidence of the policies and procedures that are in place.
The standard addresses:
Cyber Essentials Plus goes one step further with an independent technical cyber security audit that is conducted by an HMG approved organisation. This verifies that the technical and organisational controls we have established are fully implemented and working.
To achieve this status, Blue Frontier had to address the following:
This requires being aware of your vulnerabilities and exposures and addressing them directly by controlling inbound access to your network and adopting a layered approach to network security, with both perimeter and software-based firewalls deployed and configured correctly.
Passwords are the first line of defence in terms of securing access to devices, services, and applications. Removing default passwords and replacing them with strong, unique, memorable passwords is the first vital step in improving security. Wherever possible, multi-factor authentication should also be implemented, which enhances password protection by making use of time-limited, single-use, constantly evolving codes in addition to traditional usernames and passwords.
All services, applications and systems should be access controlled, appropriately restricting who has access to what across the network, based on business need. Having the necessary technical controls, policies, procedures and staff training is vital in ensuring that users can access what they need in order to do their job without exposing the organisation to unnecessary risk.
All software applications, firmware, websites, operating systems and platforms are potentially vulnerable to attack, each having a list of known, and a host of potentially unknown, vulnerabilities. These vulnerabilities are published by a variety of sources and addressed by the vendors issuing patches on a routine basis (the second Tuesday of every month for Microsoft, for example). Cyber Essentials mandates, controls, and validates that patches with a 'Critical' or 'High' level of risk are addressed within 14 days of release.
One of the little-known facts about patches is that many of them require secondary and tertiary activities to take place in order to fully implement the patch. Simply downloading and installing these patches does not, in fact, fully implement the fix required by the manufacturer.
One of the biggest threats keeping CTOs up at night is the threat of malware. In October 2016, a series of distributed denial of service (DDoS) attacks, utilising IoT devices, disabled popular sites like Spotify, PayPal and Twitter for almost a day. It was determined that the vector for this attack was malware on computers, in association with unpatched vulnerabilities on the IoT devices, enabling malicious perpetrators to gain control of the IoT devices and launch the denial of service attack.
In addition to antivirus/anti-malware software, Cyber Essentials also allows organisations to use two other anti-malware policies:
Having a robust company-wide approach that analyses risk, identifies vulnerabilities, and imposes technical and organisational controls to mitigate these vulnerabilities is a vital foundation to your organisation’s cyber security.
With our new Cyber Essentials Plus Accreditation, our current and future clients can rest assured that cyber security continues to be a primary focus for Blue Frontier, and that should you wish to improve your own organisation’s cyber security, Blue Frontier have the credentials, expertise, and experience to assist you with doing so.