In current times the importance of robust cybersecurity measures cannot be overstated. As businesses and organisations increasingly rely on digital infrastructure, the risk of cyber threats continues to grow. To address these challenges, many organisations pursue certifications and accreditations to demonstrate their commitment to cybersecurity.

One common accreditation is the Cyber Essentials certification, a comprehensive set of basic security standards designed to enhance cybersecurity resilience for firms and organisations. Whilst Cyber Essentials started as an easy “self-certification” form it has grown into a much more challenging and comprehensive programme, especially when undertaking Cyber Essentials Plus, which includes an external audit.

Although Baskerville Drummond has helped other organisations through the process of Cyber Essentials and Cyber Essentials Plus certification, and has held the Cyber Essentials Plus accreditation itself for a number of years, this renewal was the first time that I had been involved.

Initial part of the process

The first part of the accreditation process is to achieve Cyber Essentials (not Plus). Firms can opt to go through this process themselves or engage a Cyber Essentials auditor, but you will need your IT team or provider to assist.

If you decide (as we recommend) to go to the Plus level accreditation, this is achieved by having an authorised provider audit your Cyber Essentials answers.

The Cyber Essentials questions are broken down into a number of sections, including:

  1. Business information, e.g. name, type and number
  2. User access control (how you manage user accounts and security)
  3. On-site servers or cloud services you use
  4. Updates and patching for both hardware and software
  5. Firewall configurations
  6. Malware and virus protection in place
  7. Types of end-user devices you have

This went on for over 100 questions! However, one of our consultants does this sort of work regularly, so took the hit and worked their way through the document giving the detailed answers needed. Note that some of these questions will need to be answered by people who have technical knowledge of your IT estate, and the answers may reveal issues that a firm needs to remediate because they would be a non-compliance with the Cyber Essentials standard.

We achieved Cyber Essentials and then moved immediately to the Cyber Essentials Plus audit. I was given the easy bit of getting information about our devices and preparing them for the audit.

Mobile Phones

My first bits of kit to check were the mobile phones that we use within Baskerville Drummond. Of course, we have the Samsung and the iPhone users, but I am a little bit different with a little-known Android phone.

We were given a set of easy-to-follow instructions to confirm the following bits of data:

  • iOS version
  • Android version
  • Trust certificates

For the majority of our members these details were easy to get hold of. However, my phone does not use the normal Android operating system and so I could not follow the instructions on how to present details of certificates on the device. So, Google was hit hard, and I mean hard. Forums were read, articles were scoured for a mere tip on how to get hold of the required information. Ultimately, I had to trawl through YouTube videos.

Even though the videos were useful, I was presented with a major dilemma. This dilemma is that my phone brand is from a particular region and not very well known outside of this part of the world, and so all the helpful videos were in a foreign language. I, who struggle at the best of times with the English language, found this a bit of a barrier.

So, Google Translate was used to turn these into a format I could read and follow. Through this, I got my instructions and the screenshots were taken. These were then collated with those of the other team members to get our phones passed on the first try.

Laptops

Now onto the laptops we use; this had to be easier than the mobiles, I thought. I thought wrong.

Our auditor randomly selected two of our laptops to scan (we are a small business; a larger business will be asked for a greater number of devices to review), the appointments were booked in, and all seemed destined to run smoothly.

The first appointment began, and the first laptop had a couple of points that needed to be dealt with before a second scan. Then came the second laptop, which had a longer list of points to be dealt with prior to the second run. The audit software will pick up any software that isn’t fully up to date, any issues with the use of administrator accounts versus standard accounts, missing or outdated anti-virus/malware software, compliance of passwords, etc.
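The categories the audit scan reports on (out-of-date software, administrator versus standard accounts, anti-malware state, password compliance) can be checked by the IT team before the auditor connects. The script below is an added example written for this article, not the auditor’s scanning tool or anything Baskerville Drummond uses; it assumes a Windows 10/11 laptop with Microsoft Defender, an elevated PowerShell session and English-locale `net accounts` output, and it uses only built-in cmdlets and the Windows Update agent COM interface. The password-length threshold and the signature-age limit are illustrative values chosen for this example. It also checks for a pending reboot, because a reboot part-way through a remote session is exactly what interrupted the remediation described later in this post.

```powershell
# Added example: pre-audit readiness check for a Windows laptop.
# Assumptions (not stated in the article): Windows 10/11 with Microsoft Defender,
# run from an elevated PowerShell session. Third-party software versions are not
# checked here; that needs a patch feed the script does not have.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Administrator vs standard accounts: list who sits in the local Administrators
#    group so day-to-day user accounts can be moved out before the scan.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
foreach ($a in $admins) {
    $findings.Add("Member of local Administrators: $a")
}

# 2. Anti-malware: Defender enabled, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus is disabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
if ($mp.AntivirusSignatureAge -gt 1)    { $findings.Add("Signatures are $($mp.AntivirusSignatureAge) day(s) old") }

# 3. Windows updates: ask the Windows Update agent for anything not yet installed.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
foreach ($u in $pending) {
    $findings.Add("Missing update: $($u.Title)")
}

# 4. Pending reboot: find out before the remote session starts, not during it.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
foreach ($k in $rebootKeys) {
    if (Test-Path $k) { $findings.Add("Reboot pending ($k)") }
}

# 5. Password compliance: every enabled local account must require a password,
#    and the local minimum password length should not be trivially short.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired } | ForEach-Object {
    $findings.Add("Enabled account that does not require a password: $($_.Name)")
}
$minLenLine = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
if ($minLenLine) {
    $minLen = [int](($minLenLine -split ':')[1].Trim())
    if ($minLen -lt 8) { $findings.Add("Minimum password length is $minLen (example threshold: 8)") }
}

# Report
if ($findings.Count -eq 0) {
    'No findings: laptop looks ready for the audit scan.'
} else {
    "$($findings.Count) finding(s) to deal with before the scan:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it once before the auditor’s first scan and again immediately before any remote remediation session: the first run shortens the auditor’s list, and the second tells you whether a reboot is already queued so it can be done while the user is at the keyboard rather than mid-way through a screen share.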

Not difficult to fix, however at Baskerville Drummond we all work remotely and so providing support for fixes over the phone and using screen sharing software creates its own issues.

I waded through the list and got all the points dealt with. Now onto the second and hopefully the final scan. Laptop one sailed through with no problems; however, laptop two had a new issue that needed to be dealt with (often the time taken to do the first scan and fix issues means that the second scan will pick up other items of software where a new update has become available, etc.).

You might think that it would be easy to simply connect to the laptop and work through the list, but you would be wrong! The user of this laptop had a long-awaited trip to Spain booked in and was off on a plane, looking forward to the warm sunshine, cold drinks by the pool and long walks along the shore. That’s ok I thought, modern technology means that you can be anywhere in the world and as long as you have an internet connection you can operate as normal.

An appointment was made to connect remotely to the laptop, and I planned how to work through the list and get it scanned again.

When the time came, I connected and had control from the UK of the laptop in Spain; the team member then left the laptop on and went out to enjoy their time away. I started to run through the list of four items that I had to change, then it happened… the laptop signalled that it needed to reboot, and I was unceremoniously kicked out of my screen share as the laptop did its thing and restarted. What to do? I needed the user to log back into the laptop to be able to continue. I messaged the user and was met with the response that they were already on the beach and would be back later that afternoon. So, it was a waiting game.

On their return I received a message that the laptop had been logged back in and I could continue. This happened several times whilst working through the list, as either the laptop needed to reboot for the changes to take effect or the software timed out and terminated the screen share session.

All the time I was very conscious that I did not want to disrupt the user’s holiday and that I had a deadline by which to get all the kit tested and signed off. During this process I received messages ranging from ‘on a lovely walk’ to ‘sipping cocktails by the pool’, and we eventually worked through all the points, but it took days to get it all fixed rather than hours.

The time had now come to run the scan to see if all the changes made would mean that the laptop would pass.

The Final Accreditation

On a very dreary Saturday evening I received an email entitled “Baskerville Drummond Cyber Essentials”. I thought, do I open it now or do I wait until after pizza and see what is next on the list? I could not wait and opened it to see the first line, which said,

Congratulations on renewing CE+!

I breathed a sigh of relief that it was all over. Until next time!

Conclusion

I have drawn up a few points for when the process begins again and we need to renew our Cyber Essentials accreditation; these are:

  1. Make sure you have access to devices, and that it is easier if they are in the country and not on holiday.
  2. Better to have normal Android or iOS mobiles rather than some obscure brand running its own operating system!

Additionally, from the perspective of a law firm, I would add:

  1. Have your technical team on hand throughout.
  2. Be prepared for the fact that you might need to remediate any issues, and some of these remediations can be costly and time consuming – the purpose of this basic accreditation is to flag critical issues in your environment which you should remediate for the sake of protecting your clients’ data.
  3. Remember that there are time limits in place. Once you submit your application to Cyber Essentials, if you fail to pass, you have a limited time to resubmit your answers and fix any issues (you will be advised via the portal). Once you have Cyber Essentials, you have 90 days to achieve Cyber Essentials Plus.

Chris Winterburn