It’s important to practice what you preach. That’s why we’re proud to announce that Cydea has achieved Cyber Essentials certification. Cyber Essentials is a UK government-backed scheme to protect organisations from the most common cyber-attacks.
Even for a cyber security company, it wasn’t without its challenges though. Nailing the basics, consistently, is really hard. It can be more difficult at scale. Plus we are a modern company who, like many start-ups, don’t have any fixed infrastructure or premises.
Traditionally businesses have adopted a ‘castle wall’ approach to protecting the perimeter. Once you’re inside there is limited segregation between different things and it is usually pretty easy to pivot around the network.
At Cydea we use cloud services extensively and this means we don’t need to operate our own network. Instead, we protect each individual laptop, smartphone or tablet, treating each one as its own bubble. That means each has its own firewall to protect it, no matter what network it is connected to: shared office wifi, client networks, at home or on the road in a coffee shop. (You can apply the same principles in larger organisations too.)
Encryption between these devices and our cloud services prevents anyone from eavesdropping on what we are doing. And because we travel a lot to our clients’ offices, we assessed that the risk of physical data loss (for example a device being lost or stolen on a train) warrants encrypting our devices too, protecting any data that may have been temporarily copied locally.
We use a password manager to generate unique and complex passwords for our devices and cloud services. Wherever possible we use two-factor authentication. (Preferably the secure module on a user’s smartphone or Yubikey, for the techies amongst you.)
We make use of automatic updates and that helps to minimise our IT administration effort, as well as protecting us against newly discovered vulnerabilities. Our DNS service uses threat intelligence feeds to automatically block known malware and phishing domains. That provides an additional layer of protection if our users ever get caught out by a sophisticated social engineering attempt. (Don’t blame the user!)
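To make the DNS-filtering layer described above concrete, here is an added example (not Cydea’s code, not part of the original post, and not the implementation of any particular DNS service): a small resolver-side filter that loads a threat-intelligence blocklist and decides whether each lookup should be allowed or blocked. The feed contents and the query log are constructed for illustration; the `.example` names are placeholders, not real indicators. The one detail worth noticing is the matching rule: a listed domain must also cover its subdomains, but must not match a different domain that merely ends in the same characters.

```python
"""
Added example: a minimal DNS-style filter that blocks lookups for domains
found in a threat-intel blocklist, matching the exact domain and any
subdomain of a listed entry. Feed and query log are constructed samples.
"""
from __future__ import annotations

# Constructed sample feed, in the shape a DNS filtering service might pull
# from a threat-intelligence provider. Placeholder names, not real indicators.
SAMPLE_FEED = """
# category: malware
malware-c2.example
# category: phishing
login-verify.example
Bank-Alerts.Example.
"""

# Constructed sample query log: (client, queried name) as a resolver sees it.
SAMPLE_QUERIES = [
    ("laptop-01", "www.cydea.com"),
    ("laptop-01", "malware-c2.example"),
    ("phone-02", "cdn.malware-c2.example."),          # subdomain, trailing root dot
    ("laptop-03", "LOGIN-VERIFY.example"),            # case must not matter
    ("laptop-03", "notlogin-verify.example"),         # must NOT match: not a subdomain
    ("tablet-04", "secure.bank-alerts.example"),
]


def normalise(name: str) -> str:
    """Lower-case a domain and strip surrounding whitespace and the trailing
    root dot, so comparisons are not fooled by case or FQDN formatting."""
    return name.strip().lower().rstrip(".")


def load_blocklist(feed_text: str) -> set[str]:
    """Parse a feed: one domain per line; '#' comments and blank lines ignored."""
    entries: set[str] = set()
    for line in feed_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(normalise(line))
    return entries


def is_blocked(name: str, blocklist: set[str]) -> str | None:
    """Return the blocklist entry that covers `name` (exact match or a parent
    domain), or None if the lookup should be allowed.

    Walking the name label by label means 'cdn.malware-c2.example' is caught
    by 'malware-c2.example', while 'notlogin-verify.example' is NOT caught by
    'login-verify.example': it shares a suffix of characters but is a
    different label, not a subdomain. A naive endswith() check gets this wrong.
    """
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_queries(queries, blocklist: set[str]) -> list[tuple[str, str, str, str]]:
    """Apply the blocklist to (client, name) pairs.
    Returns one (client, name, action, reason) decision per query; the reason
    names the feed entry that matched, which is what you want in the logs when
    a user reports that a site 'just stopped working'."""
    decisions = []
    for client, name in queries:
        hit = is_blocked(name, blocklist)
        if hit:
            decisions.append((client, name, "BLOCK", f"matched feed entry {hit}"))
        else:
            decisions.append((client, name, "ALLOW", ""))
    return decisions


def blocked_names(queries, blocklist: set[str]) -> list[str]:
    """Convenience view: just the queried names that were blocked, in order."""
    return [name for _, name, action, _ in filter_queries(queries, blocklist)
            if action == "BLOCK"]


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_FEED)
    for client, name, action, reason in filter_queries(SAMPLE_QUERIES, bl):
        print(f"{action:5} {client:10} {name:32} {reason}")
```

Running the script prints one decision per query; four of the six constructed lookups are blocked and `notlogin-verify.example` is correctly allowed. A real deployment would refresh the feed on a schedule and return a sinkhole or NXDOMAIN answer for blocked names rather than just logging, but the normalisation and parent-domain walk are the part most often got wrong.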
When it comes to keeping all of that in check, we’ve rolled out CyberSmart to help us manage our compliance and certification in an automated way, too. It lets us see the status of all of our users’ devices (desktops, laptops, or mobile devices like smartphones and iPads) at a glance.
We opted for the ‘pro’ version that also lets us push out and track who has seen and agreed to our policies. A new feature also lets us run software inventories and see vulnerable versions. Neat!
After a quick review, we completed the questionnaire and got confirmation of our certification later the same day.
All of this gives us confidence in our cyber security posture. And if you’re a (potential!) client, now you know that at Cydea we practice what we preach, have good cyber hygiene, and can maintain it on an on-going basis.