Since the dawn of the internet, cyber-attacks have been a real, if intangible, threat. Fortunately, we recognised this prior to launching HubSolv, and also understood that most data breaches are caused by companies failing to implement basic security measures. So, from the beginning we took cyber security seriously, taking steps to protect our clients' data such as:
- Carrying out a penetration test, whereby a third party tried to breach our systems, which in turn highlighted any bugs to us, which we then rectified.
- Implementing a firewall to make sure our clients' data was protected.
However, this was us using our own initiative, wanting to ensure the safety of our clients' data; we were not compelled to do any of the above. It was not until the UK Government's National Cyber Security Strategy was instructed to carry out a report into cyber security that the industry could breathe a sigh of relief: the government had realised that the current legislation surrounding cyber security was outdated and lacklustre.
The recommendations led to the introduction of the Cyber Essentials Scheme (CES), which recognises the gravity of cyber-attacks. Put simply, the CES sets out guidelines in relation to:
- Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks, but good setup of these devices, in either hardware or software form, is important for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring only those who should have access to systems have access, and at the appropriate level.
- Malware protection – ensuring that virus and malware protection is installed and is up to date.
- Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.
This is a set of measures which strengthens the Data Protection Act, but the benefits to all businesses with an internet presence are huge. When the CES guidelines are fully implemented, it puts all companies on a level playing field, allowing them to be compared in terms of their cyber security. Furthermore, the CES guidelines give companies like ours a baseline, which we can then surpass.
Moreover, a benefit of the CES is that it saves money for SMEs, as these safeguards demonstrate to insurance companies that you have taken the necessary precautions to mitigate cyber risks, which in turn lowers your insurance premiums.
There are those who argue that the guidelines should be the icing on the cake, as alone they are not sufficient, even acting as a smoke screen giving a false pretence of cyber security. But in our opinion the CES highlights the risks of cyber security to novice companies and starts the conversation on ways to combat the risk, which is a positive.
We have also found that implementing these guidelines forced us to re-examine our processes, and to effectively implement the recommendations we have had to do a lot of groundwork. So in reality we have used the CES as a stepping stone to tighten up our cyber security.
There is only so much the government can do, as realistically, if the guidelines were greater, the cost of implementing them would be out of reach for a lot of SMEs, which would then defeat the purpose of providing a level playing field.
We feel that any certification that assures clients that their data is safe should be seen as a positive, and are happy to announce that we have jumped on the CES bandwagon early, working hard to implement the guidelines. We hope that all SMEs like us are currently working hard to do the same; this is just the beginning.