Would your organisation pass a cybersecurity assessment? Not one of 200 UK NHS trusts did, after the Department of Health checked them following the WannaCry ransomware outbreak.
The NHS trusts’ complexity meant the assessments set a high bar. But for many SMEs, the assessments identify opportunities to improve, rather than obstacles to overcome. They show an organisation’s current security levels and spot potential gaps.
That’s becoming ever more important as cybercrime continues to rise. One recent survey found that the average SME website is attacked 44 times a day. We also know that many common security attacks exploit well-known vulnerabilities.
The test criteria
To find out what’s involved in a cybersecurity assessment, I asked Stephen Rouine, cyber risk specialist at BH Consulting. Here are some of the common things he looks for when he carries out an assessment:
- Boundary firewalls and internet gateways: is the network perimeter protected from the outside?
- Does the organisation scan for malicious URLs and warn users if they visit an infected site?
- Secure configuration of servers, laptops and phones. Does each device have antivirus software? Do screens lock automatically when the device is idle?
- What antivirus software is the organisation using, how is it configured, and are the engine and signatures up to date?
- Do ordinary users have administrator accounts or privileges on their systems, or are admin rights limited to the people who need them?
- How does the organisation manage patches to keep software and operating systems up to date? Is this manual, handled in-house, or outsourced to a third-party company?
Following the questionnaire and visit, the client receives a report with findings and recommendations for any changes needed. These address the basic security gaps that emerge during the assessment. For example, the client might need to disable the AutoRun feature that automatically opens a USB key as soon as it is plugged into a Windows machine. Ideally, the antivirus package should scan the key's contents first, and users should then navigate to the key manually before opening any files.
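Several of the items above can be checked on a Windows machine before the assessor arrives. The PowerShell script below is an added example, not part of the article or of BH Consulting's assessment process: it reads the firewall, antivirus, idle-lock, local administrator, patching and AutoRun settings and reports a pass or fail for each. The pass thresholds (a 15-minute lock, a 7-day signature age, a 30-day patch window, at most three local administrators) are illustrative choices, not figures from the article or from the Cyber Essentials scheme. It assumes Windows 10/11 or Server 2016 or later with PowerShell 5.1 or newer, run from an elevated prompt.

```powershell
# Added example (not the article's or BH Consulting's): read-only self-check for
# some of the Windows-side items an assessor asks about. Thresholds below are
# illustrative assumptions, not scheme requirements. Run from an elevated prompt.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Boundary firewall: every Windows Firewall profile (Domain/Private/Public) should be on.
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall profile '$($p.Name)' enabled" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
}

# 2. Antivirus: Microsoft Defender present, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Add-Finding "Antivirus enabled" $mp.AntivirusEnabled "AntivirusEnabled=$($mp.AntivirusEnabled)"
    Add-Finding "Real-time protection on" $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding "AV signatures under 7 days old" ($mp.AntivirusSignatureAge -le 7) "SignatureAge=$($mp.AntivirusSignatureAge) days"
} else {
    # Third-party AV or Defender disabled: the assessor will ask what is used instead.
    Add-Finding "Antivirus status readable" $false "Get-MpComputerStatus returned nothing"
}

# 3. Idle screen lock: either the 'Machine inactivity limit' policy or a
#    password-protected screen saver, with a timeout of 15 minutes (900 s) or less.
$inactivity = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]$desk.ScreenSaveTimeOut
$saverLocks = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and ($timeout -gt 0) -and ($timeout -le 900)
$policyLocks = ($null -ne $inactivity) -and ($inactivity -gt 0) -and ($inactivity -le 900)
Add-Finding "Screen locks after <=15 min idle" ($policyLocks -or $saverLocks) "InactivityTimeoutSecs=$inactivity; ScreenSaveTimeOut=$($desk.ScreenSaveTimeOut); ScreenSaverIsSecure=$($desk.ScreenSaverIsSecure)"

# 4. Administrator accounts: who holds local admin rights, and is the built-in
#    Administrator (RID 500) disabled? Day-to-day user accounts should not appear here.
$admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
Add-Finding "Local Administrators group is small (<=3 members)" ($admins.Count -le 3) ("Members: " + ($admins -join ', '))
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Add-Finding "Built-in Administrator account disabled" (-not $builtin.Enabled) "Enabled=$($builtin.Enabled)"

# 5. Patching: the most recent Windows update was installed within the last 30 days.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchOk = ($null -ne $latest) -and (((Get-Date) - $latest.InstalledOn).TotalDays -le 30)
Add-Finding "Update installed in last 30 days" $patchOk "Latest: $($latest.HotFixID) on $($latest.InstalledOn)"

# 6. AutoRun: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type,
#    including USB keys. To remediate (not done by this read-only script):
#    New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
#        -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force
$autorun = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Finding "AutoRun disabled for all drive types" ($autorun -eq 0xFF) "NoDriveTypeAutoRun=$autorun"

$findings | Format-Table Check, Pass, Detail -AutoSize
```

The script changes nothing; each failed row is a candidate for the report's recommendations. Note that the `InactivityTimeoutSecs` and `NoDriveTypeAutoRun` policy values are normally set by Group Policy, so on a domain-joined machine a failure here usually means the policy is missing rather than the machine being misconfigured on its own.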
The time commitment
For most SMEs, the on-site visit and questionnaire process takes around half a day. Any follow-up actions usually take a similar amount of time. So, the company can improve its security for a minimal commitment of time and resources. Stephen emphasised that it’s important for senior management to commit to the assessment and certification process.
Once it meets all of the assessment criteria, the company can apply for Cyber Essentials certification. This is a UK government-backed scheme that growing numbers of organisations are adopting.
The business benefits outweigh the time and cost involved, Stephen added. Reaching the standard helps protect the business from many common attacks and compromises, and it shows customers and suppliers that the business takes security seriously. “Most of our clients see it as a necessary first stage of getting more secure. In the case of one client, Cyber Essentials allows them to go to tender with UK government agencies, so it opened up their client base,” Stephen said.
It’s also worth pointing out that maintaining security is an ongoing process, not a once-yearly exercise. Threats and risks are changing all the time. Completing an assessment and applying for Cyber Essentials certification puts businesses at the security starting blocks, not the finish line. As Stephen pointed out: “It’s important to state that this check will only prevent basic attacks and security incidents, but it may not be enough to protect from sophisticated intrusions.”
For more details on BH Consulting’s cybersecurity assessment service, visit this page.