Practical Security for Cyber Essentials
In anticipation of the launch of our upcoming Community Edition of Caveris ICAS, targeted at organisations that plan to adopt or have already entered into the Cyber Essentials programme, I want to look in detail at each of the 5 Control Themes and explore how in practice they can be managed on an ongoing basis with as little overhead as possible.
Before proceeding I am assuming that you are looking at Cyber Essentials, or are already engaged with the programme, not just to gain accreditation but to better protect your business and reduce the risk of suffering a security breach. I know this is a big assumption, but I think, given the unprecedented levels of cyber-crime we are witnessing, that the days of tick-box accreditation exercises are behind us. Cyber Security risk, or indeed Information Security risk, is now starting to garner the prominence that is needed to address the unrelenting challenge of protecting businesses in the 21st century.
The 5 control themes that comprise Cyber Essentials have been intentionally selected by the NCSC to help businesses guard against the most common cyber threats and to demonstrate the applicant’s commitment to cyber security. Whilst they are by no means comprehensive, they do provide a great security foundation, and if companies adopt both the principles and the practice then they will most definitely enhance their security posture and reduce the likelihood of becoming a victim of cyber-crime. Prevention is better than cure.
Having been involved in managing large and complex IT environments for most of my career, I know there are no short cuts when it comes to managing security. In my experience effective security can only ever be achieved when performed in an orderly manner, i.e. the ongoing and consistent application of process leading to effective management.
I often use the example of the airline industry, which is exceedingly good at ensuring that its products do not fall out of the sky, a totally catastrophic event when it does unfortunately happen, albeit rarely. This is only possible with the wholehearted adoption of disciplined methodologies, followed with rigour and diligence to deliver a consistent and repeatable outcome. The airline industry recognised very early that its customers would not tolerate aircraft falling out of the sky, an existential threat to its business model, and adapted accordingly. I am a strong advocate that the IT industry needs to adopt this approach in managing the Cyber Security risk that is a significant and potentially existential threat to any business today.
With this in mind we shall, over a series of blogs, be looking in detail at each Cyber Essentials Control Theme, with particular emphasis on what is required to ensure a good security posture and ongoing compliance from a practical perspective, while at the same time simplifying the process of collecting and maintaining the records required to satisfy the accreditation requirements.