Cyber Essentials – The Right Thing To Do
One of our Core Values at FibreCRM is to do the right thing. This means that before we take an action, we ask ourselves whether it is the right thing to do for the customer, or for the company.
So, when Cyber Essentials was raised as something we should consider, we quickly decided we wanted to do it. The three core reasons are:
- a) It provides a high level of assurance for our customers (current and future) that FibreCRM is a trusted partner, in terms of cyber security and personal data.
- b) It increases the level of cyber security throughout our supply chain, as accreditation is reciprocal and expected by Cyber Essentials accredited organisations.
- c) Our target market is ambitious accounting brands, many of which are large firms that hold Cyber Essentials, so accreditation means we can be placed on their potential supplier lists.
What is Cyber Essentials and IASME Governance?
Cyber Essentials is a Government-backed scheme designed to help you protect your organisation, whatever its size, against a whole range of the most common cyber-attacks.
Cyber Essentials gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.
The certification includes strict criteria in relation to firewalls, device and software settings, access control, virus and malware protection and patching/version control – amongst a wide range of topics that cover all aspects of increasing your levels of cyber security.
Combined with Cyber Essentials is the IASME Governance standard. The IASME Governance standard was developed over several years during a government-funded project to create a cyber security standard which would be an alternative to the international standard, ISO27001.
The IASME Governance standard allows the small companies in a supply chain to demonstrate their level of cyber security and indicates that they are taking good steps to properly protect their customers' information.
How Did We Do It?
Another one of our Core Values is to “do as we say”, so we tracked this project as one of our Key Performance Indicators.
The process was led by our Data Privacy Lead (Richard Jackson), with significant input from our IT Manager (Steve Jenkin) because Steve was at the core of any changes the organisation needed to make in order to reach a state of Cyber Essentials compliance.
As a team we were all aware of progress with Cyber Essentials, and understood the value to both FibreCRM and our customers through becoming Cyber Essentials accredited.
The accreditation journey takes the form of an in-depth self-assessment process, from which a series of actions/changes within your organisation may be necessary in order to meet the Cyber Essentials criteria.
The self-assessment option provides protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others. Not only did we have an in-depth self-assessment to complete, this also came with making tangible changes to how we work as a business – as and when we came across standards within the Cyber Essentials criteria that we needed to improve on.
While FibreCRM already meets high standards of cyber security and is GDPR compliant, Cyber Essentials raises the bar much further and as a result elevates FibreCRM to a higher state of security than the vast majority of other CRM providers.
What Did We Learn?
This was not an easy and straightforward process, because FibreCRM is passionate about delivering the highest possible standards in and around data and cyber security.
We were determined to take a 360-degree view of ourselves and how we work. This was a process that required honesty and transparency, and reflected our company ethos “Always do the right thing”.
Richard and Steve worked on Cyber Essentials at the same time as Richard was fully focused on our GDPR compliance journey – and as such the two processes overlapped at times. However, it needs to be emphasised that there are core differences between the GDPR and Cyber Essentials.
The GDPR is a far-reaching set of regulations, intended to guarantee the privacy of individuals and the protection of personal data, within the European Union.
Although the regulation demands that we take appropriate measures to protect the integrity and confidentiality of any personal data we hold, it does not provide a checklist of measures for us to take. Instead, it specifies that we must determine our own cyber security approach based on the personal information we hold and the risk to individuals were that information to be lost or compromised.
Cyber Essentials can help with this, but it’s not a solution for all our GDPR obligations. It’s also important to realise that the information security which GDPR requires extends beyond cyber security to include things like the physical and organisational security measures necessary to protect personal data.
FibreCRM recognises that a strong emphasis on both the GDPR and Cyber Essentials was critical to all-round data and cyber security.
The Information Commissioner’s Office (ICO), whose job it is to uphold the GDPR in the UK, recommends Cyber Essentials for the cyber security of the IT we rely on to hold and process personal data. The technical controls promoted in Cyber Essentials served to reinforce our already solid base – upon which we can continue to build our cyber security standards and customer trust.
What Was The Investment?
The investment of time averaged out at seven hours per week, over a four month period. In order to complete this process in a fully committed manner, it was essential to not only complete the questionnaire to an exemplary standard – but to also reflect this in our actions and investment in the business and its cyber security related processes.
This was a journey that involved identifying areas where we could improve levels of cyber security, making changes where appropriate, liaising with and educating our own supply chain partners – and investing in further training and qualifications that raised our security standards and increased our education and awareness.
Both Richard and Steve will be attending the BCS Certificate in Information Security Management Principles course. This is a five-day course in October which is a requirement of Cyber Essentials and represents a significant investment, further reinforcing our commitment to cyber security standards. This course is an intensive and high-level programme, with a final-day exam.
Cyber Essentials Plus
The next step for FibreCRM is to aim for Cyber Essentials Plus and IASME Gold Standard. This combines a self-assessment security questionnaire, an external vulnerability scan of Internet facing systems as well as authenticated vulnerability scans of our internal workstations and mobile devices.
There will be a review of the self-assessment questionnaire and the external vulnerability assessment results, then an onsite visit to test our internal workstations and mobile devices. If all elements of testing pass, we will be issued a Cyber Essentials Plus certificate and can use the certified badge.
The following key areas are assessed:
- a) Secure configuration
- b) Access control
- c) Malware protection
- d) Patch management
FibreCRM has targeted the spring of 2019 as our deadline to be Cyber Essentials Plus accredited.
Cyber Essentials CRM for accountants
We believe CRM should be at the heart of every accounting practice, helping firms build stronger relationships with clients, strategic partners and colleagues.
In today’s world, an important part of a strong relationship is data security: protecting sensitive information. FibreCRM is the only integrated CRM for accountants with the Cyber Essentials accreditation – this gives you the peace of mind that you’ve partnered with an organisation you can trust.
FibreCRM not only understands the importance of protecting your clients' information, it also understands the inner workings of an accounting firm and its challenges. We have a greater understanding of best practice and will guide you through the complexities, helping you avoid the pitfalls and the costly failures of doing the wrong thing.
What Is Next?
If you would like to know more about how CRM can help drive better results, request a discovery call and we’d be happy to take time to understand your practice and its goals, share our knowledge and experience and maybe arrange a demonstration to show how other successful practices have adopted CRM.