“The nice thing about standards is that you have so many to choose from” – Andrew S. Tanenbaum.
Standards, sensibly implemented, can be a boon for your business. They are a great way to set focus and ensure that you target resources where they need to be, boosting efficiency and ensuring that you don’t spend on the wrong things.
For most SMEs there is no option but to invest in information security, but if you don’t operate in the cyber security space, how do you know you’re investing in the right places? Regardless, you must invest. Failure to do so leaves an open goal for criminals. There are plenty of them about, and they will be more than willing to destroy your business if they can gain the price of a Gucci messenger bag out of it.
One way to ensure that you invest wisely is to align to a standard such as ISO 27001. This is an international standard covering the management of information security. Achieving the standard demonstrates that you are correctly managing the information you hold, providing comfort to those who rely on you to do so.
But… the ISO 27001 standard is a behemoth once you start trying to implement it. It is beyond the reach of most SMEs, as it would drain most of their resources quite quickly. It isn’t cheap in time, effort, or money. There are, of course, other standards such as ITIL and COBIT, but the same problem arises.
So, for your SME something a bit more achievable is required.
Cyber Essentials and Cyber Essentials +.
Cyber Essentials is a UK government-backed scheme which encourages businesses to adopt good practice in information security. The control areas of Cyber Essentials can be mapped against ISO 27001, which is useful if you grow towards that standard later, but the Essentials scheme limits itself to five main technical controls, which are:
• Firewalls and Internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management
These controls are all things which any business should have in place anyway, and aligning to the standard is not expensive. Cyber Essentials just gets you to do the basics properly, ensuring that you are set up correctly and are protected from the most common threats.
Most of the controls come at no financial cost to your business, which is always a good price point! You probably already have a firewall, and all the standard requires you to do is ensure that it is set up correctly. The secure configuration and access control areas expect you to correctly set up your computers, mobile devices and user accounts – again, something that requires little or no spend and which you should be doing anyway. If you’re running Windows 10 on your business PCs you already have an acceptable anti-malware control, Windows Defender, in place, and patch management simply requires that you keep up with security updates for the software and operating systems that you use.
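As an added illustration (not part of the original article or of the Cyber Essentials scheme itself), the read-only PowerShell check below looks at each of the five control areas on a single Windows 10 PC using built-in cmdlets. The thresholds it applies (signature age, patch age, number of local administrators) are assumptions chosen for illustration, not figures taken from the scheme.

```powershell
# Added example: basic self-check of the five Cyber Essentials control areas on Windows 10.
# Run from an elevated PowerShell session; it reports findings and changes nothing.
$findings = @()

# 1. Firewalls and Internet gateways: every profile on, inbound blocked by default
Get-NetFirewallProfile | ForEach-Object {
    if ($_.Enabled -ne 'True') { $findings += "Firewall profile '$($_.Name)' is disabled" }
    if ($_.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($_.Name)' does not block inbound traffic by default"
    }
}

# 2. Secure configuration: built-in Guest account disabled, no password-less enabled accounts
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) { $findings += "Built-in Guest account is enabled" }
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings += "Account '$($_.Name)' is enabled but does not require a password"
}

# 3. Access control: keep the local Administrators group small (limit of 2 is an assumption)
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    $findings += "Administrators group has $($admins.Count) members: $($admins.Name -join ', ')"
}

# 4. Malware protection: Windows Defender real-time protection on, signatures recent (7 days assumed)
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old"
}

# 5. Patch management: most recent Windows update should be recent (14 days assumed)
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-14)) {
    $findings += "No Windows update installed in the last 14 days (last: $($lastPatch.InstalledOn))"
}

if ($findings.Count -eq 0) { "All five control areas pass the basic checks" }
else { "Items to review:"; $findings | ForEach-Object { " - $_" } }
```

A clean run on one machine is a starting point, not certification: the scheme also covers mobile devices, routers and any cloud services in scope, which this script does not touch.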
Bang for your buck, this is a very good standard to align with for most SMEs. Once you do align with it you can have your business certified as compliant for less than €400, which entitles you to use the Cyber Essentials branding on your website so that your existing and potential customers can see that you take the security of the information you hold on them seriously.
Colm Gallagher is the head of CommSec’s forensics business practice.