We are Cyber Essentials Plus (CE+) certified
BlakYaks has always championed delivering highly secure cloud environments for our customers, with a focus on building security into every stage of our development and deployment cycles through DevSecOps practices (see Craig’s blog for more on that).
We've made less of a statement about our own internal security up until now. However, we are pleased to announce that we have achieved the Cyber Essentials Plus (CE+) certification on our first attempt, following our earlier Cyber Essentials achievement. It's been an interesting experience, providing a good opportunity to reflect on our progress and how we went about achieving our goal.
What it means for our customers
Cyber Essentials and Cyber Essentials Plus are part of a government-backed scheme designed to help organisations implement policies and practices to protect themselves against the most common cyber-attacks. The certifications require a company to meet five basic cybersecurity measures: firewalls, secure configuration, access control, malware protection, and patch management.
Achieving the Cyber Essentials Plus certification demonstrates our commitment to cybersecurity and our dedication to providing highly secure cloud environments for our customers. Here are the benefits for customers working with us:
Enhanced security assurance: Customers can have increased confidence in BlakYaks' security measures to safeguard sensitive data and applications. The CE+ certification signifies that we have met stringent cybersecurity standards.
Reduced risk of cyber-attacks: By adhering to the Cyber Essentials and CE+ guidelines, BlakYaks has implemented policies and practices that protect against common cyber-attacks providing customers with a more secure environment for their digital assets.
Transparent and rigorous internal processes: Customers can be assured that we apply the same level of rigorous security practices internally as we advocate for in the solutions we provide to clients.
Customised and secure solutions: While Microsoft provides some great Security Defaults, at BlakYaks we decided to heighten our security posture by enabling our own Conditional Access and Multi-factor Authentication policies to demonstrate our tailored approach to security. This customisation allows us to align our security measures with the specific needs of our customers.
Our approach
We embarked on the journey towards CE+ based on discussions with our customers, aiming to reassure them of our strong commitment to the security of our company. Early on, we made some conscious decisions about our approach:
As a small organisation focused on delivering cloud-native solutions with a relatively low infrastructure footprint, we believed that including our entire operation, rather than just a sub-section, was crucial to assure our customers of our commitment.
Being a technology company that advocates security throughout the entire supply chain of solutions we provide to our customers, we felt it was essential to demonstrate the same level of rigour in our internal processes and go beyond the required certifications.
Not having a dedicated Cyber Security function, it was important for us to seek guidance from bodies with considerably more experience in this field. As part of M365 Defender, Microsoft offers access to security simulations, tutorials, and an evaluation lab for conducting them. We are also registered with NCSC Active Cyber Defence (ACD) services, which enables us to take advantage of services such as Exercise in a Box and Early Warning. Our auditor, Forensic Control, was a valuable source of assistance.
As a Microsoft solutions partner, we believed that we should maximise our Microsoft licensing, knowledge, and capabilities to fulfil our obligations in terms of cyber security management and meet the requirements for obtaining the CE+ certification.
Preparation
In terms of preparation for the audit itself, we approached this across several areas.
1. TAKE BACK CONTROL OF OUR SECURITY FROM MICROSOFT:
While Microsoft provides a useful way for companies to achieve a basic minimum level of security protection through Security Defaults, we decided to disable these to enhance our control and apply our own Conditional Access and Multi-factor Authentication policies.
2. ENSURE WE KNOW WHAT OUR ASSETS ARE, AND KEEP THEM UP-TO-DATE AND VULNERABILITY-FREE:
Initially, we had some gaps in this area. However, by enrolling all our devices into Intune and implementing Windows Autopatch, we have streamlined our processes and reduced vulnerabilities and threats to our devices.
While Autopatch is effective for basic Microsoft OS and app updates, we hadn't previously enforced strict policies regarding our app estate, as we were content with staff installing apps to facilitate their work, so for Cyber Essentials Plus, we had to make changes, introducing a new software policy and centralizing app packaging and updates through Intune.
We also implemented BYOD policies and protections to enable our staff to securely use their mobile devices for accessing company data.
We used Defender for Endpoint to assess vulnerabilities on our devices and invested time in extensive remediation efforts. As a positive outcome, our Microsoft Secure Score increased to approximately 90%, which is double the industry average for a business of our size. We also recognized that going much beyond this score might negatively impact staff productivity.
Audit Day
On the day of the audit we were fairly confident, however we did have a few last minute hitches, which thankfully with the tools we use, were able to overcome. Forensic Control displayed exceptional professionalism and assisted us through the issues to achieve a successful outcome.
Conclusion
With all these changes currently taking place, there is a lot to discuss and the changes we have made are far more wide reaching than discussed here. We are considering writing a follow-up to provide more in-depth information for those who are interested in and contemplating undergoing this process themselves.
