Tips from our technical team –
The most common reason organisations fail their Cyber Essentials assessment is that, somewhere within their business, equipment is being used whose software is no longer supported. This *unsupported equipment could be within your servers, your computers, your laptops or even your mobile phones.
Rapid and continuous innovation in technology means that new computers and software will phase out your current IT infrastructure, generally, within 3-5 years. On the face of it, this can appear annoying and costly, yet when considering the potentially serious consequences of running end-of-life technology, upgrading your IT equipment and/or software becomes the sensible option in order to maintain your security and protect your reputation.
Unsupported systems expose critical holes in your security. The vulnerabilities they create will be common knowledge among cyber criminals, who will deliberately target them. It is the cyber security equivalent of leaving the doors and windows of your house open. Attacks against such vulnerabilities can lead to cyber criminals encrypting your data and demanding ransom payments to unlock it, using your computer to attack other computers, or stealing your data and that of your customers.
It is not always easy to identify what is and isn’t still supported. If you are unsure, it is worth checking out the relevant manufacturer’s website or, if you are still unable to find the information you require, pose the question to an IASME Certification Body or in IASME’s ‘Cyber Essentials Advice Group’ on LinkedIn.
In May 2017 the global WannaCry ransomware attack targeted computers running the Microsoft Windows operating system (OS). This attack took advantage of a vulnerability named EternalBlue detected in the Microsoft OS. The vulnerability had been identified by Microsoft, who had released a patch for the security hole in March 2017. Any organisation that was using the Windows operating system but had not applied the patch released 2 months earlier was vulnerable.
The IASME Tech Team stresses the importance of making sure all your software and devices are current and able to receive critical updates from the manufacturer. As Cyber Essentials evaluates what is in place at the point of the assessment, it can be good practice to review this aspect well ahead of your anticipated certification/recertification date. This will provide your organisation with the time to budget for, and implement, any necessary changes.
*Unsupported – At some point, manufacturers make a decision that they will no longer provide support for their software. For example, Windows XP reached the end of its mainstream support in 2009. At this point a manufacturer moves away from supporting the ‘out of date’ product and instead focuses on new(er) iterations or variations. This means that, should any vulnerabilities be found in the software code, the manufacturer will no longer issue an update to patch that vulnerability. It is these vulnerabilities that can be exploited by cyber criminals and lead to data breaches, ransomware attacks or similar threats.
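As an added illustration of the review the Tech Team recommends above (this is example code, not part of the original post or any IASME tooling), the script below sorts an asset inventory into unsupported, at-risk, supported and unknown as of an assessment date, with a lead time so that anything whose support ends shortly before or after the assessment is flagged early enough to budget for a replacement. The product names, hostnames and end-of-support dates are constructed placeholders, not vendor data; the real dates must come from the manufacturer's website.

```python
from datetime import date, timedelta

# Constructed end-of-support table for this example only. The dates are
# placeholders, not vendor data: always confirm them on the manufacturer's website.
END_OF_SUPPORT = {
    "windows xp": date(2009, 4, 14),
    "legacy os 7": date(2020, 1, 14),
    "current os 10": date(2025, 10, 14),
    "phone os 12": date(2024, 6, 30),
}

# Constructed asset inventory: hostnames and products are made up.
INVENTORY = [
    {"host": "srv-01", "product": "Windows XP"},
    {"host": "lap-07", "product": "Legacy OS 7"},
    {"host": "lap-12", "product": "Current OS 10"},
    {"host": "mob-03", "product": "Phone OS 12"},
    {"host": "cam-01", "product": "Vendor Camera Firmware"},
]

# Constructed anticipated assessment date.
ASSESSMENT_DATE = date(2024, 5, 1)


def review_estate(inventory, assessment_date, lead_days=90):
    """Group assets by support status as of assessment_date.

    unsupported: support has already ended, so new vulnerabilities will not be patched.
    at_risk:     support ends within lead_days of the assessment; little time is left
                 to budget for and implement a replacement.
    supported:   support continues beyond the lead-time horizon.
    unknown:     no end-of-support date on record; check the manufacturer's website.
    """
    result = {"unsupported": [], "at_risk": [], "supported": [], "unknown": []}
    horizon = assessment_date + timedelta(days=lead_days)
    for asset in inventory:
        eos = END_OF_SUPPORT.get(asset["product"].lower())
        if eos is None:
            bucket = "unknown"
        elif eos <= assessment_date:
            bucket = "unsupported"
        elif eos <= horizon:
            bucket = "at_risk"
        else:
            bucket = "supported"
        result[bucket].append((asset["host"], asset["product"], eos))
    return result


if __name__ == "__main__":
    for status, assets in review_estate(INVENTORY, ASSESSMENT_DATE).items():
        for host, product, eos in assets:
            print(f"{status:12} {host:8} {product} (support ends: {eos})")
```

Anything in the unknown bucket still needs a manual check with the manufacturer or, failing that, a question to a Certification Body, as the post suggests.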
Please note: this blog may contain guidance and information that is outdated.
On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.