
'Cyber Essentials is low cost and easy to implement'

In the latest instalment of our Spotlight series, we talk to Kit 365 director Rob Kneller about the Government-backed Cyber Essentials scheme.

Rob Kneller is the director of Kit 365 Ltd

Q: Hi Rob. Before we chat about cyber security, tell us a little bit about your company, KIT365 Ltd.

We’re based in Leicester and we’ve been a limited company since 2016. We initially started off with me as a contractor for Managed Service Providers, focusing on hardware. I was a WatchGuard firewall engineer and that steered me into the contractor role. This time last year, I started pushing it more myself. There’s four of us now – myself, a sales person, someone who does the compliance and then a penetration tester.

Over the past 12 months, a lot of our business has been delivering Cyber Essentials and Cyber Essentials Plus. This year, the plan is to do more penetration testing, more ISO 27000 work and obtain more SOC (Security Operations Centre) clients, where we’ll actually be managing people’s IT environments.

A lot of our existing clients are SMEs. Having said that, we have got two or three considerable global clients. One is based in America and another is based in India but has quite a large UK presence. The sectors we cover are similar to everyone else – Defence, Law, Education etc.

Q: The name KIT365 is short and catchy – is there a story behind it?

Yes. The ‘K’ is for my surname, Kneller. Then you’ve got IT because that’s what we do. And the 365 is because that’s what a lot of successful brands were using – like Microsoft and Office. Having said that, we’re going through a rebranding exercise at the moment and will be dropping the 365.

Q: Let’s talk about Cyber Essentials, which you’ve delivered to many clients over the past 12 months. What can you tell us about the scheme?

Cyber Essentials is a Government-backed scheme that helps protect businesses against cyber attacks. A lot of companies still see it as a tick-box exercise that helps them land contracts, but it’s so much more than that. If you implement this correctly, it really will help you prevent up to 80 per cent of the most common cyber attacks.

It gives companies the assurance that they are doing things right and that they’re as protected as they can be. It also gives your customers assurance you’re doing things right. If you’re looking to land a contract and you’ve got Cyber Essentials and your competition hasn’t, that’s what will swing it for you.

Q: How long does the Cyber Essentials process take to complete?

It’s not a long process provided you’ve got certain things already in place. A lot of companies already have what they need at their disposal – it’s just not been configured correctly or there’s a lack of understanding about how to do these things. Essentially, Cyber Essentials isn’t that hard to achieve if you are doing things right. If you’re not doing things right, it’s still not hard to implement these things.

We’re talking about changing default passwords, making sure you’ve got a firewall protecting your environment, making sure you’ve got antivirus software, ensuring you’re updating your devices and that only people you want to have access to those devices have access. It’s all relatively easy stuff to implement.

Q: How much does Cyber Essentials certification cost and when does it expire?

It’s £300+VAT for the self-assessment. If you need help or guidance with that, it costs a bit more. Certainly, as a scheme, it’s very low cost and it’s easy to implement it. Once you’ve got the certification, it lasts for one year.

Q: Take-up of Cyber Essentials increased sharply last year. Do you think the coronavirus pandemic was a factor in that?

It’s certainly true that UK businesses are more at risk from cyber attacks because of challenges posed by remote working. A lot of people get tripped up by mobile phone devices or home broadband routers at the moment. Businesses are having to understand that if you’re not using a VPN, the home broadband router is in scope for cyber criminals.

Previously I think it was an oversight, but now – because of how businesses are working – questions get asked. If a company says we’ve got 250 employees and none of them are homeworkers, in this day and age that’s probably not factual.




Q: In addition to Cyber Essentials, there’s Cyber Essentials Plus. What can you tell us about that scheme?

The Cyber Essentials Plus standard is a higher level of assurance. Cyber Essentials is a ‘tell me’ approach, whereas Cyber Essentials Plus is a ‘show me’ approach which involves an auditor coming in and testing your systems to make sure that the answers you gave in the Cyber Essentials self-assessment were factual.

It involves a vulnerability scan to make sure your devices are patched; an external scan to make sure that anything that is open on your firewalls is as secure as it can be; and manual tests which involve testing for spam and also drive-by downloads.

Q: Many small and midsize businesses feel daunted by cyber security. How do you get them to engage with schemes such as Cyber Essentials and Cyber Essentials Plus?

IT can be daunting. We’re experts on cyber security but even for us, we don’t understand everything that a hardcore software developer might say to us. The challenge for businesses such as ours is to articulate it in a way that people can understand, without coming across as condescending.

We always say you wouldn’t leave your front door open, which is essentially what you’re doing if you use default passwords. You wouldn’t not have a front door, which is what you’re doing if you don’t have a firewall. You wouldn’t give anyone keys, which is what you’re doing if you’ve not got control over your users.

When you explain it like that, businesses tend to understand the value of IT and cyber security.


KIT365 are part of the East Midlands Cyber Resilience Centre’s network of Trusted Partners. To enquire about Cyber Essentials, visit their website here.



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
