We all know why businesses need effective cyber security. Not only does it improve your business efficiency, but customers trust you. This combination leads to an increase in revenue and a better reputation.
One of the best ways to improve your IT security is through Cyber Essentials accreditation, a government backed title that proves you can withstand most common cyberattacks. Indeed, the foundation of Cyber Essentials is to get the basics right. You can do just that, with our Cyber Essentials Questionnaire.
However, you might not know where to start. Not to worry, we’re here to help. Here are five tips to kick start your Cyber Essentials application today.
Number 1: Take time to define ‘Scope’
To define your Scope, you must identify the systems that you will assess. If you have a bigger business, some parts may be out of Scope. Anything that you no longer wish to use or keep within your system is out of Scope. We advise removing anything out of Scope from your network.
The first step to defining your Scope is to name it. Make sure your name reflects what is within Scope, ignoring what is not. For example, common practice is to segregate your home or domestic network from your business network. This is because it’s hard to impose Cyber Essentials requirements on home users.
Here’s a few common things that should be within your Scope:
- Everything within your firewall. This means any device that connects to your network must conform to your chosen policy.
- Cloud storage. All your cloud data is within Scope, from simple email data to your most sensitive information. Also, you must discover whether employees use unauthorised third-party cloud data sharing applications (e.g. Dropbox). We suggest an amnesty on employees using such software as it makes them more likely to come clean.
- Mobile devices. All devices are within Scope. This includes devices privately owned by staff, sub-contractors or partners.
A quick test to determine what is within Scope is to ask yourself:
‘Is there anything or anyone that can either gain access to sensitive business data or influence the security of devices within Scope?’
If the answer for any part of your system is ‘yes’ then it is within Scope.
Number 2: Use screenshots
When filling in your free Cyber Essentials Questionnaire, be sure to use screenshots to illustrate your answers. This will save you a lot of time. You can convey more information faster, meaning you give a more complete answer to each question. Plus, it’s quite a simple procedure. On a PC you just use the Snipping Tool. It’s a bit more complex on a Mac, but we think you’ll be able to handle it.
Number 3: Create IT policy documentation
Creation of IT policy documents saves you time answering basic IT security questions. This is because they facilitate increased staff awareness of IT security issues
While completing your questionnaire, it may seem like to answer a question effectively you need to make a complicated change to your system. For example, question 13 asks whether you use a standard build image for new workstations. This is a significant piece of work that is beyond the budget of most small businesses.
That’s why, in this instance, we would recommend creating a Device Setup policy that describes how you make new workstations secure. This means, whenever a new workstation is set up your policy document serves as a guide. So, to answer the questionnaire you would simply refer to the policy document.
IT policy creation is a great opportunity to review and improve your processes. Once complete, you can circulate them amongst your staff. Make sure you do this securely though. The information contained in those documents is like gold dust to a hacker. Store them securely, only allowing access to authorised users. Do not distribute them by email.
Here is a list of the IT policies that you should create:
- System Administration Policy. The rules for staff, third-parties and/or subcontractors that are looking after your system.
- System and Data Access Policy. How to access your system and data.
- Device and User Setup Policy. How to setup devices and users from your system.
- Device and User Decommission Policy. How to remove devices and users from your system.
- Firewall and Wireless Policy. How to configure firewalls and wireless access.
- Mobile Working Policy. When to allow mobile devices access to your system. We also recommend creating documents containing specific technical information and approval processes for infrastructure change.
- System Documentation. Key system configuration information including details of servers, networks, connectivity, IT suppliers contact details, printers, website/domain, backups and third-party applications. Avoid storing passwords here.
- Firewall Approval and Configuration. A table showing a description of each change made, the justification, the approver and the date of the change. You should also include screenshots of the firewall configuration.
If you don’t know where to begin in creating your IT policies, we have included four for you to use with our Cyber Essentials Questionnaire.
Number 4: Promote internally to raise awareness
While working towards your Cyber Essentials accreditation, take the opportunity to raise awareness of cyber security in your business.
Tell them why you are working towards accreditation. It will help staff accept the new IT rules. It also helps you create a culture of cyber security, one which you will need to continuously update. It will take time, but it will empower your team to protect themselves both at home and at work.
Promoting cyber security can also benefit your bottom line. It shows customers that they can trust you with their sensitive data, such as bank details.
Number 5: Maintain your cyber security
Although Cyber Essentials accreditation is just an annual security check, you need to maintain the measures you implement. After all, effective cyber security is not a ‘one-and-done’ deal. You must maintain your firewall, backups, endpoint protection, system updates, user accounts, and passwords. To do this you need to schedule system checks, some frequently others less so.
Download your free Cyber Essentials Questionnaire
We hope that the five tips in this article help you realise that your business can achieve Cyber Essentials accreditation.
All that’s left is to take the first step and download your free Cyber Essentials Questionnaire and IT policies. If you find your head is still spinning and the questionnaire is too much, why not purchase our companion guide? Not only will it give you detailed answers to every question, but it includes two free half-hour sessions with our Cyber Essentials experts.
If you have any questions or would like to discuss cyber security further, don’t hesitate to get in touch today.