Most of you reading this already face, or will soon face, increasing pressure to demonstrate robust cybersecurity practices. One of the most effective ways to do so is to adopt Cyber Essentials, the UK government-backed certification developed by the National Cyber Security Centre (NCSC). We know a UK certification might seem a strange recommendation, but there is some logic to our madness…
I have been strongly recommending Cyber Essentials as a starting point for financial firms, or for any business that is serious about protecting client data and building trust. Whilst we have some reservations about the breadth of the framework (for example, it does not require encryption of data or devices), a point we have raised previously, it still offers substantial value and structure to help businesses establish a solid cybersecurity foundation.
What Cyber Essentials does exceptionally well
We are happy to recommend the efforts of the NCSC, as it has created a framework and guidance that is both accessible and impactful. Three of the scheme's five technical controls (the other two being malware protection and security update management, formerly called patch management) show why, along with one commercial extra:
1. Boundary firewalls and internet gateways
Block unsolicited inbound connections to your networks, so that only the services you intend to expose are reachable from the internet, protecting team members and company data.
2. Secure configuration
Remove default accounts and passwords, unnecessary software and open services, reducing exposure to common vulnerabilities and the risk of exploitation.
3. Access controls
Restrict access to data and systems to what each user's role actually requires, with admin accounts kept separate from day-to-day accounts, and review that access routinely, something small and medium-sized businesses rarely do.
4. Asset pack
Show the flashy Cyber Essentials logo on your marketing and sales materials to bolster client confidence in your services and products.
This provides a practical, effective, and scalable framework to follow, making it ideal for SMBs that generally do not have a dedicated cybersecurity team or contractor.
Why encryption still matters
While Cyber Essentials covers the key areas, encryption remains a notable omission. Encryption ensures that data which is intercepted in transit, or read from a lost, stolen or compromised device or backup, stays unreadable and unusable to an attacker who does not hold the key. For financial services firms handling sensitive customer information, this is not just a technical benefit but a business imperative.
Going beyond the basics
I encourage all firms to design their technology systems for security from the ground up, and to treat Cyber Essentials as a necessary building block of that infrastructure rather than the finished wall. Here are a few actionable steps to get your cybersecurity journey started:
- Encrypt storage on end-user devices (phones, laptops, workstations) with the platform's native tool (BitLocker, FileVault, LUKS), escrow the recovery keys centrally, and verify the encryption status rather than assuming the policy applied.
- Ban unencrypted flash drives and point teams at corporate sharing tools (SharePoint, etc.) instead.
- Ensure your mail server requires TLS for mail in transit rather than merely offering it (opportunistic TLS can be silently downgraded), and use a secure portal or message-level encryption where the content itself needs protecting.
- Use secure messaging platforms for receiving sensitive client information such as passports and financial records.
- Confirm that data at rest in your CRM, marketing and financial tools is encrypted, and ask each vendor who holds the keys.
- Mandate encryption for all backups, especially those stored offsite, and keep at least one copy offline or immutable: encryption stops a backup being read, but not deleted or overwritten.
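The email step above deserves a concrete shape, because "encrypt in transit" means little unless the sending server is forbidden from falling back to plaintext. What follows is an added example written for this post, not the author's code and not part of Cyber Essentials; it assumes MTA-STS (RFC 8461) as the enforcement mechanism, and the domain names, DNS TXT record and policy files are constructed. It parses the record and policy a receiving domain publishes, then shows what a sending server must do when STARTTLS is stripped under no policy, a testing policy and an enforce policy.

```python
"""Added example (not from the original post): MTA-STS policy parsing and the
sender-side delivery decision it drives. Domains and records are constructed."""

import re
from typing import Optional

VALID_MODES = {"enforce", "testing", "none"}


def parse_sts_txt(record: str) -> dict:
    """Parse the TXT record at _mta-sts.<domain>, e.g. 'v=STSv1; id=20240601T120000;'.
    The id changes whenever the policy file changes, so cached senders know to refetch."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("not a valid MTA-STS TXT record")
    return fields


def parse_mta_sts_policy(text: str) -> dict:
    """Parse the policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx entry")
    return policy


def mx_matches(pattern: str, hostname: str) -> bool:
    """An mx entry is an exact host or '*.example.net'; the wildcard covers exactly
    one leftmost label, so 'a.b.example.net' does not match '*.example.net'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return re.fullmatch(r"[^.]+\." + re.escape(pattern[2:]), hostname) is not None
    return pattern == hostname


def delivery_decision(policy: Optional[dict], mx_host: str, tls_ok: bool, cert_valid: bool) -> str:
    """What a sending MTA should do once connected to mx_host.

    'deliver'            - TLS requirements met, or no policy to enforce (opportunistic TLS)
    'deliver_and_report' - testing mode: send anyway but emit a TLSRPT failure report
    'refuse'             - enforce mode: queue or bounce, never downgrade to plaintext"""
    if policy is None or policy["mode"] == "none":
        # No policy means opportunistic TLS: the mail goes out even if STARTTLS was stripped.
        return "deliver"
    secure = tls_ok and cert_valid and any(mx_matches(p, mx_host) for p in policy["mx"])
    if secure:
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver_and_report"


# Constructed sample records for a hypothetical receiving domain, example.com.
STS_TXT = "v=STSv1; id=20240601T120000;"
POLICY_TESTING = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"
POLICY_ENFORCE = (
    "version: STSv1\nmode: enforce\nmx: mail.example.com\n"
    "mx: *.backup-mx.example.net\nmax_age: 604800\n"
)

if __name__ == "__main__":
    print("TXT record:", parse_sts_txt(STS_TXT))
    testing = parse_mta_sts_policy(POLICY_TESTING)
    enforce = parse_mta_sts_policy(POLICY_ENFORCE)
    # Attacker on the path strips STARTTLS: only the enforce policy actually blocks delivery.
    for name, pol in (("no policy", None), ("testing", testing), ("enforce", enforce)):
        print(f"{name:>9}: STARTTLS stripped -> {delivery_decision(pol, 'mail.example.com', False, False)}")
```

Only the enforce policy stops delivery when TLS fails; with no policy, and in testing mode (which should be a short-lived step), the message still goes out in the clear. Pair the policy with TLSRPT (RFC 8460) so that failures are reported to you, and note that MTA-STS protects mail sent to you; for mail you send, the equivalent is configuring your outbound server to fetch and honour recipients' policies.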
Real world impact
Unfortunately, I have personal experience of this, having worked with a financial services client that faced the harsh reality of why backup encryption is necessary. The firm experienced a ransomware attack that not only compromised their primary systems but also infected their backups. Since the backups weren't encrypted, the attackers accessed and corrupted that data as well. Without clean backups to restore, the business endured significant downtime, financial losses, and a loss of client trust.
Final thoughts
Protecting your business should never be about meeting just the bare minimum standards. Reach out directly to discuss how encryption can enhance your cybersecurity strategy and keep your data safe from emerging threats. Together, we can build a resilient foundation that safeguards your future.
#CyberSecurity #Encryption #DataProtection #CyberEssentials #BusinessSafety