I have promoted the Government’s Cyber Essentials initiative because it is a good first step to cyber security.

However, I do think that two things are missing.

  1. Firstly, it under-stresses the importance of offline activities.  It is not much use having great IT if you are going to leave documents lying around on the photocopier, or discuss confidential matters in a loud voice where you can be overheard.  That is like having great physical security on your building and then leaving the door open when you go out.  Believe me, all these security lapses do occur quite a lot.
  2. Secondly, it does not say much about Supply Chain Risk in relation to Cyber Security.  Do you know how secure the systems of the clients and contractors who have access to any part of your IT systems are?  Viruses and malware can get onto your system through the back door if they can get onto your suppliers’ systems.
  3. I would include your employees under No. 2 above.  Do you allow, or even require, them to use their own computers for work?  How secure are their systems?  Who else is allowed to borrow their computers?

I hope you will follow the guidelines of Cyber Essentials, but I hope you will also avoid leaving these two potential gaps wide open.  Good luck!