Reach Aware recently gained Cyber Essentials certification. So, what is this? Why did we do it? And would I recommend it?
Cyber Essentials is a government-owned scheme that aims to help organisations of all sizes defend themselves against the most common cyber threats and reduce their online vulnerability. It has two levels:
- Cyber Essentials. A straightforward, self-verified assessment.
- Cyber Essentials Plus. The same assessment but with independent verification.
I decided to go for Cyber Essentials certification for two main reasons:
- To provide our customers with the confidence that Reach Aware takes cyber security seriously.
- To reassure myself that we’re doing everything necessary to protect our own business and those of our customers.
I decided to go through the process myself so I could gain a more detailed understanding of its requirements and benefits. I also thought this would put me in a better position to advise other businesses who may be considering it.
What did it involve?
The assessment is an online questionnaire broken down into five sections. There are nearly 50 questions, covering topics such as how your organisation manages passwords and how devices such as computers and phones are kept up to date with the latest security fixes.
Although the nature of our business means we have a lot of internal knowledge around IT, we made the decision a couple of years ago to outsource some of the security and software support because we didn’t have the time internally to deal with it all. In completing Cyber Essentials, I found that this resulted in us already being compliant in a number of areas.
A couple of phone calls with our IT support supplier confirmed we had full audits of equipment and helped me to better understand their policies for updates. I found that, for the most part, we were good to go!
How did I get on?
As the CEO of a software development company and personally having a background as a developer and software architect, I was fairly confident about my ability to complete Cyber Essentials. However, there were a couple of areas that tripped me up.
The first area was ensuring that all our devices are running supported operating systems and supported software. Part of our business is developing mobile applications and we have a number of phones and tablets that are used for testing. It turns out that several of them had versions of iOS and Android that are no longer supported by Apple or Google and do not receive security updates.
To gain Cyber Essentials we can no longer use these without setting up an entirely separate network or infrastructure that is not connected to the Internet. Unfortunately, this simply isn’t time or cost effective.
Certification therefore means retiring perfectly good hardware which isn’t that old, and I found myself faced with a choice that damages our efforts for sustainability in return for maintaining security. This is a tricky balance and, in the end, I concluded that maintaining a secure business environment is essential to the future of my business and this means that, sadly, old kit had to go.
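The supported-software requirement described above comes down to a simple control: every device that connects to the Internet must run an operating system that still receives security updates, and anything older must be isolated or retired. The script below is an added example of how a small business could check its own device inventory against that rule; it is not code from Reach Aware or from the Cyber Essentials scheme. The device names, the inventory and the minimum version numbers are all constructed placeholders, so the cut-offs must be replaced with the vendors' current support statements before the output is relied on.

```python
from dataclasses import dataclass

# Placeholder minimum supported major versions per platform. These values are
# constructed for illustration only; confirm each vendor's current support
# policy before treating any cut-off as authoritative.
MIN_SUPPORTED_MAJOR = {"ios": 17, "android": 13, "windows": 10, "macos": 14}


@dataclass
class Device:
    name: str
    platform: str            # e.g. "iOS", "Android", "Windows"
    os_version: str          # vendor version string, e.g. "12.5.7"
    internet_connected: bool = True


def parse_version(version: str) -> tuple:
    """Turn "12.5.7" into (12, 5, 7); non-numeric fragments count as 0."""
    parts = []
    for fragment in version.split("."):
        digits = "".join(ch for ch in fragment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts) or (0,)


def assess(device: Device, minimums: dict = MIN_SUPPORTED_MAJOR) -> str:
    """Classify one device against the minimum-version table.

    - "supported":            OS major version meets the minimum
    - "unsupported-isolated": below the minimum but kept off the Internet,
                              the only arrangement the scheme allows for such kit
    - "unsupported":          below the minimum and Internet-connected: a finding
    - "unknown-platform":     no entry in the table, needs a human decision
    """
    platform = device.platform.lower()
    if platform not in minimums:
        return "unknown-platform"
    if parse_version(device.os_version)[0] >= minimums[platform]:
        return "supported"
    return "unsupported" if device.internet_connected else "unsupported-isolated"


def report(devices: list, minimums: dict = MIN_SUPPORTED_MAJOR) -> dict:
    """Group device names by assessment outcome, preserving inventory order."""
    groups = {"supported": [], "unsupported-isolated": [],
              "unsupported": [], "unknown-platform": []}
    for device in devices:
        groups[assess(device, minimums)].append(device.name)
    return groups


# Constructed sample inventory; not a real device list.
SAMPLE_INVENTORY = [
    Device("ceo-laptop", "Windows", "11"),
    Device("test-iphone-1", "iOS", "18.1"),
    Device("test-iphone-2", "iOS", "12.5.7"),
    Device("test-android-1", "Android", "9", internet_connected=False),
    Device("test-android-2", "Android", "14"),
    Device("test-tablet-old", "Android", "8.1.0"),
    Device("legacy-handset", "Symbian", "9.4"),
]

if __name__ == "__main__":
    for outcome, names in report(SAMPLE_INVENTORY).items():
        print(f"{outcome}: {', '.join(names) or '-'}")
```

The "unsupported" group is the list of devices that would block certification as things stand; the "unsupported-isolated" group records the kit that has been kept usable by taking it off the network, so the report distinguishes the two choices the post describes rather than simply failing every old device.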
The second area concerned ease of use versus security and it raised an issue that gave me some insight into my own habits and preferences.
Since the 1990s, I’ve always had local admin rights on my computer. In fact, having these used to be essential to get any software development done. This has gradually changed and is now no longer necessary. Whilst I recognise that my normal account absolutely should not be running with admin rights in today’s security environment, they still had to prise the permissions out of my grasp, simply because it is so comfortable and familiar to me to work in this way.
The reality is that taking local admin rights away means a few extra steps and a couple of extra dialog boxes in a few places, but I can still do everything I need to, just in a slightly different way.
Overall, I found the process reasonably straightforward but even I required a little support here and there!
What did I think?
I can’t deny that the requirement to lose older but well-functioning equipment grated a little, and I do think the challenges in striking this balance perhaps need consideration. Built-in obsolescence is an issue that is much more widely known about now due to its environmental impact, and we cannot deny the difficulties this brings if we insist on the disposal of perfectly well-functioning equipment. For Reach Aware, this does not constitute a large number of devices but, for other companies, it would, and it is increasingly difficult to justify such waste.
For the purposes of certification, I understood these aspects were required so, in the end, I did as I was told. There is uniformity in the certification for good reason, and I understand that part of its value comes from the reassurance of knowing that every company that has certification has had to comply with the same rules and standards. Having said this, I would like to think there will soon be a solution that will mean a better balance can be struck between security and sustainability that doesn’t unfairly compromise the importance of either.
I also found the issue around ease of use and familiarity eye-opening. Challenging this can be a sizeable barrier to change and it’s certainly something I recognise in myself, especially as I get older. We need to ensure we manage this properly as business owners. After all, to ensure good cyber security practices are followed in any organisation, it is essential that we bring all our employees along with us. We have to therefore make sure we are leading by example.
Is Cyber Essentials worth it?
In a word, yes.
In terms of my goal of reassuring myself that we’re doing everything we can to protect our business and our customers’ businesses, taking the assessment has been a valuable exercise. It took a little longer than I expected but it has questioned some of my long-held assumptions about what we do and how we do it and it’s provided the impetus to fix the gaps we knew about but hadn’t prioritised resolving. Forcing me to concede my own admin rights, for example, means my own working environment is less vulnerable.
Cyber Essentials isn’t the end of the journey for our cyber security but it has proved to be an important milestone along the way. As with most things, you’ll get more value out of Cyber Essentials the more you engage with its purpose and process and, if you do it properly and invest the time and effort into ensuring full compliance with its requirements, it can make a noticeable difference. At the very least you will become more aware of the basic security measures that we all should be following to help keep our businesses safe.
Overall, completing Cyber Essentials has been a positive experience and I am confident that we have the right steps in place to protect ourselves and our customers. To be confident in all my aims for Cyber Essentials, however, I do feel I need to go further and complete Cyber Essentials Plus with an external assessor. This is our next target and I’m looking forward to seeing what it will bring.