In the latest instalment of our Spotlight series, we talk to Redpalm Technology Services Co-CEO Simon Bridge about the Government-backed Cyber Essentials scheme.
Q: Hi Simon. Tell us about Redpalm Technology Services.
Redpalm was founded in 2010 as a value added reseller, to provide companies with all their IT supplies. It was identified that our clients required more in the way of IT support services and technical expertise, and that’s when I joined the Redpalm team 7 years ago to help create and develop the managed services side of the business with a strong emphasis on cyber security.
We provide a wide range of IT support and cyber security services, having helped hundreds of public, private and third sector organisations. We continue to offer unbiased advice and cost-effective IT services and solutions that puts our clients’ needs first.
Q: As a Trusted Partner of the East Midlands Cyber Resilience Centre, one of the services you offer businesses is Cyber Essentials. What can you tell our readers about this Government-backed scheme?
When we talk about cyber security, one common problem is the belief that a hacker is not interested in targeting small to medium businesses as they don’t believe they have anything of interest or value a hacker would be after.
The bad news is, on average one small business in the UK is successfully hacked every 19 seconds. The good news, there are some key cyber security controls that everyone should be doing to ensure they remain secure online and significantly reduce the risk of being hacked – and that’s where Cyber Essentials plays a vital role.
Cyber Essentials is a simple but effective UK Government backed scheme that will help protect your organisation, whatever the size, against 80% of the most common cyber attacks.
The 5 key controls it covers are:
Firewalls – Protecting your organisation from the internet.
Secure configuration – Ensuring all devices are securely configured.
User access control – Provisioning users with the minimum permissions required to do their role and managing administrative accounts properly.
Malware protection – Monitoring of endpoints, to detect and stop malicious programs and behavior.
Patch management – Regularly applying critical and security updates to operating systems, firmware and applications.
Q: From a client’s perspective, how long does it take to become Cyber Essentials accredited and how much work is involved?
Every organisation is different and at varying stages of cyber maturity. We have experience of some customers completing the whole process within a few days whilst others have taken several weeks.
A good starting point is to contact a Cyber Essentials Certification Body such as Redpalm for an informal chat or go to the IASME website and download the Cyber Essentials self-assessment questions for free, this will give people a good idea of what is required and how much work is likely to be involved.
We offer a managed service around this, working closely with customers to help them understand the questions, and in some cases understand their IT environment, and what options they have to put the necessary measures in place so they can achieve the Cyber Essentials certification.
Q: Is it a costly process?
No, and certainly not compared to the cost of being hacked or a suffering a data breach! You can get Cyber Essentials from as little as £300. Most organisations should already have anti-malware software in place, so other than some time and reviewing processes and procedures, it’s not considered a costly exercise. This is why we really recommend the scheme, because it’s about getting the basics right and not about spending hundreds or even thousands of pounds on complex cyber security solutions.
Q: Let’s talk about Cyber Essentials Plus, which is a higher level of certification?
Cyber Essentials Plus is the highest level of certification offered under the scheme and must be completed within three months of passing Cyber Essentials. It is a technical audit of your organisation’s systems and configuration, where certified cyber security experts carry out external and internal vulnerability tests, amongst other tests to verify the Cyber Essentials controls are in place.
It’s amazing how many organisation’s suddenly realise their patching isn’t quite as robust and up to date as they thought. I know I would rather have Cyber Essentials Plus highlight this, instead of a hacker.
This is more expensive than Cyber Essentials but still excellent value for money.
Q: You mentioned earlier that Cyber Essentials can help prevent up 80% of cyber attacks. Can you give us an example?
A charity contacted us as they had been hit by ransomware, sadly not just once, but twice within a few months and requested a second opinion to compare against what their current IT Support company had advised. It transpired the (now previous) IT support company had opened some ports on their firewall which exposed some of their internal Servers to the whole of the internet.
A full analysis was not completed and no report issued on how the hackers gained access in the first instance and hence left them still exposed to ransomware attacks again. With Cyber Essentials, firewall rules are documented with reasons as to why they are needed. Had this been properly performed, it would have highlighted open ports not required or locked down which needed to be removed and this would have prevented both the ransomware attacks, saving quite a lot of money, disruption and reputational damage.
The Cyber Essentials Plus external vulnerability scan would also have highlighted this.
Q: Besides Cyber Essentials and Cyber Essentials Plus, what should businesses be doing to mitigate cyber threats?
No organisation is ever 100% safe from a cyber attack.
However what you can do, is be prepared by implementing and performing regular testing of your backup and DR (disaster recovery) solutions.
In the event you do experience a hack or data breach, it is essential you can recover all your data and systems.