Many businesses turn to their IT company to help them pass Cyber Essentials accreditation. The National Cyber Security Centre (NCSC) recently published guidance and a Cyber Essentials checklist for businesses that rely on an IT support provider to implement the security controls needed to pass Cyber Essentials. The guidance helps organisations check whether their third-party IT company is actually helping them meet the Cyber Essentials criteria. NCSC's message is clear: an IT provider may be good at traditional IT and have strong technical knowledge, but that does not mean it has a good understanding of cybersecurity.
It is important to check that your IT company has put the security measures in place correctly before self-certifying for Cyber Essentials. In this article we offer a checklist of questions to ask your IT support company or consultant to find out whether they are securing your business appropriately to comply with Cyber Essentials.
You should have a Service Level Agreement with your outsourced IT company, and it should be clear what your IT company's responsibilities are. From a security perspective, the service level agreement (SLA) should state who is responsible for each specific cybersecurity control. We find that many businesses join Superfast IT only to discover, for example, that their server had not been updated or their data had not been backed up for years by their previous IT company. Ensure your IT company's responsibilities are formally recorded.
While your IT company may look after your network and manage most aspects of your IT, it is still your responsibility to take care of your network security. You should provide clear and detailed instructions about the security controls you want the IT company to implement, because responsibility ultimately falls upon you.
Cyber Essentials is the baseline level of certification a UK company can gain to show that it has the basic technical controls in place to prevent the most common cyber-attacks. IASME and NCSC highly recommend that businesses look for an IT provider that is itself Cyber Essentials certified. It demonstrates that your IT provider is serious about cybersecurity, and that it is competent in implementing the security controls it will be asked to put in place for you.
Ask your IT consultant what cybersecurity qualifications they hold, to establish their level of knowledge. If they have the following qualifications, they have a good understanding of cybersecurity:
CISMP - Certificate in Information Security Management Principles
IASME Cyber Essentials Assessor
If your IT company is implementing Cyber Essentials controls on your behalf, it is important to check that the requirements have been met. Remember, it is your signature that verifies that the controls are in place. There are a number of questions you should ask your IT company, as recommended by IASME, to confirm that the controls have been put in place to meet the requirements of the standard.
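Before signing the self-assessment, it helps to collect evidence yourself rather than relying on a verbal assurance. The following PowerShell script is an added example, not from the original article or from Superfast IT; it gathers evidence for the five Cyber Essentials technical control themes (firewalls, secure configuration, user access control, malware protection and security update management) on one Windows 10/11 endpoint. It assumes Windows Defender is the malware protection product and a local (non-domain) account setup; the 14-day patch window and the 7-day signature-age threshold are the scheme's patching requirement and a reasonable freshness check respectively, and the output labels are this example's own.

```powershell
# Added example (not from the original article): gather evidence for the
# Cyber Essentials technical controls on a single Windows 10/11 endpoint.
# Assumes Windows Defender as the malware protection product and a local
# (non-domain) machine; adjust for your estate. Run from an elevated PowerShell.

$results = [ordered]@{}

# Firewalls: every profile (Domain/Private/Public) should be enabled.
$profiles = Get-NetFirewallProfile
$results['Firewall profiles enabled'] = ($profiles | Where-Object { -not $_.Enabled }).Count -eq 0

# Secure configuration: the built-in Guest account (RID 501) should be disabled.
$guest = Get-LocalUser | Where-Object { $_.SID -like '*-501' }
$results['Guest account disabled'] = (-not $guest.Enabled)

# User access control: list who holds local admin rights so it can be reviewed
# against the people who actually need them.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$results['Local administrators'] = ($admins -join '; ')

# Malware protection: real-time protection on and signatures recently updated.
$mp = Get-MpComputerStatus
$results['Real-time protection on'] = $mp.RealTimeProtectionEnabled
$results['AV signatures updated in last 7 days'] = ($mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))

# Security update management: Cyber Essentials expects critical and high
# severity patches to be applied within 14 days of release. The most recent
# installed hotfix is a cheap first check; a machine with nothing installed in
# the last fortnight needs a closer look.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['Last update installed'] = $lastFix.InstalledOn
$results['Update installed within 14 days'] = ($lastFix.InstalledOn -gt (Get-Date).AddDays(-14))

# Supported software: the scheme requires operating systems still supported
# by the vendor, so record the exact version for the assessment.
$os = Get-CimInstance Win32_OperatingSystem
$results['OS version'] = "$($os.Caption) $($os.Version)"

# Print a simple evidence table to keep with the self-assessment.
$results.GetEnumerator() | ForEach-Object { '{0,-40}: {1}' -f $_.Key, $_.Value }
```

Run it on a sample of machines, not just one, and keep the output alongside the answers you give on the questionnaire; a "False" on any row is a question to put to your IT company before you sign.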
Ask your IT support company the following questions to ensure you are meeting the Cyber Essentials standard and understand what they have and have not implemented:
Take a look at our Cyber Essentials page to understand how Superfast IT provide Cyber Essentials consultation and our IASME Cyber Essentials FAQ to find out more about the certification. We can also help with small business cybersecurity in Birmingham.