NoBlue is now Cyber Essentials certified, and as a leading provider of NetSuite’s cloud services, we are proud to demonstrate to our customers that cyber security is something that we take extremely seriously. Is your business safe from cyber attacks? Find out what you need to do to become certified.
Cyber Essentials is a new government-backed scheme designed to aid businesses of all sizes in protecting themselves against common cyber threats. The scheme has been developed as part of the UK’s National Cyber Security Programme and in close consultation with industry in a bid to help make the UK a safer place to conduct business online.
The idea behind the Cyber Essentials scheme is to provide businesses with clarification on the subject of cyber security and give them the opportunity to have their organisation’s security measures assessed by an independent certifying body.
How do you become certified?
In order to achieve the Cyber Essentials certification, an organisation must check and confirm that it is compliant with the requirements for basic technical protection from cyber attacks. A Cyber Essentials questionnaire is completed, and then the Chief Executive Officer (CEO) signs it, attesting to its accuracy. This is then sent to a recognised body for review and, if appropriate, certification.
The organisation also undergoes an external vulnerability scan from the certifying body. This directly tests that the individual controls have been implemented correctly or recreates various attack scenarios to determine whether a compromise with commodity capabilities can be achieved.
Find out more about becoming certified here.
What are the requirements for basic technical protection from cyber attacks?
Cyber Essentials requires implementation of the following controls:
1. Boundary firewalls and internet gateways
In order to prevent cyber attackers from gaining access to an organisation’s network of computers over the internet, a correctly configured boundary firewall or internet gateway must be in place.
Basic technical protection includes the use of a strong password rather than the default password. It’s also important to ensure that all firewall rules are subject to approval by an authorised individual and that rules that are no longer required are deleted or disabled quickly. Unapproved services, or services that are typically vulnerable to attack, should be disabled at the boundary firewall. Finally, the admin interface for any boundary firewall should not be accessible via the internet.
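As an added illustration (not part of the original post or of any certifying body's tooling), the following Python script checks a constructed boundary-firewall rule set against the four requirements just listed: a non-default, strong admin password; rules with a documented approver that are reviewed rather than left to rot; no unapproved services exposed; and no admin interface reachable from the internet. The rule format, the list of default passwords, the set of unapproved services and the 90-day review window are all assumptions made for the example.

```python
"""Audit a constructed boundary-firewall rule set against the Cyber Essentials
boundary-firewall requirements. All data below is made up for the example."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Rule:
    name: str
    service: str            # e.g. "https", "ftp", "firewall-admin"
    source: str             # "internet" or "internal"
    approved_by: Optional[str]
    last_reviewed: date


@dataclass
class Firewall:
    admin_password: str
    rules: List[Rule]


DEFAULT_PASSWORDS = {"admin", "password", "cisco", "123456"}   # assumed list
UNAPPROVED_SERVICES = {"telnet", "ftp", "smb", "rdp"}           # assumed policy
MAX_RULE_AGE_DAYS = 90                                          # assumed policy


def audit(fw: Firewall, today: date) -> List[str]:
    """Return one finding per requirement the rule set fails; empty means pass."""
    findings = []
    pw = fw.admin_password
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 12:
        findings.append("admin password is a default or is too short")
    for r in fw.rules:
        if r.service == "firewall-admin" and r.source == "internet":
            findings.append(f"{r.name}: admin interface reachable from the internet")
        if r.service in UNAPPROVED_SERVICES and r.source == "internet":
            findings.append(f"{r.name}: unapproved service {r.service} exposed")
        if not r.approved_by:
            findings.append(f"{r.name}: no documented approver")
        if (today - r.last_reviewed).days > MAX_RULE_AGE_DAYS:
            findings.append(f"{r.name}: not reviewed in {MAX_RULE_AGE_DAYS} days")
    return findings


# Constructed sample: one good rule, one stale unapproved admin rule, one FTP rule.
SAMPLE = Firewall(admin_password="admin", rules=[
    Rule("web", "https", "internet", "it-manager", date(2024, 5, 1)),
    Rule("mgmt", "firewall-admin", "internet", None, date(2023, 1, 1)),
    Rule("legacy-ftp", "ftp", "internet", "it-manager", date(2024, 5, 1)),
])
AUDIT_DATE = date(2024, 6, 1)


def audit_sample() -> List[str]:
    return audit(SAMPLE, AUDIT_DATE)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FAIL:", finding)
```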
2. Secure configuration
Computers and network devices cannot be considered secure upon default installation. By applying some simple security controls when installing computers and network devices, the risk of cyber attack can be minimised.
Deleting unnecessary user accounts, using strong passwords and removing unnecessary software are all basic steps for securing computers and network devices. Auto-run features should also be disabled and any PCs or laptops should have firewalls configured in order to block any unapproved connections.
3. User access control
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. Therefore, preventing these accounts from being compromised is vital.
User account creation should be subject to an approval process and only authorised individuals should have access to special privileges. In addition to this, admin accounts should only be used for admin-related activities and the password should be changed regularly. Every user should be required to log in to systems using a unique username and strong password. Finally, any accounts that are not being used should be disabled and removed immediately.
4. Malware protection
Computers are often vulnerable to malicious software, so dedicated software is required to monitor, detect and disable this.
All company computers that are capable of connecting to the internet should have anti-malware software installed that’s up to date and configured to scan files automatically upon access, as well as scanning web pages when they are accessed via a browser. The software should also be configured to perform scans of all files regularly and to prevent access to malicious websites.
5. Patch management
Any computer and network device that runs software can contain weaknesses or flaws. These vulnerabilities are common and frequently discovered, so organisations need to manage patches and update their software effectively.
Any software being used on company computers capable of connecting to the internet should be licensed and supported to ensure security patches are made available. Any software updates and security patches should be installed in a timely manner and out-of-date software should be removed immediately.
Of the basic but successful cyber attacks against UK businesses of which the government has detailed knowledge, the large majority would have been mitigated by full implementation of the controls under the above five categories. For more information about Cyber Essentials, and how your organisation can become certified, visit: https://www.cyberstreetwise.com/cyberessentials/
We will be looking to progress our security certification and upgrade to Cyber Essentials PLUS next year. This is a higher level of assurance and involves a qualified and independent assessor examining the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.
NoBlue is one of the UK’s leading suppliers of NetSuite – a comprehensive, cloud-based business management solution. Get in touch if you’d like to find out how using NetSuite can benefit your business.