Consult MB Ltd

As a Cyber Essentials, Cyber Essentials Plus, and IASME Governance certification body it is important that our customers know that we practise what we preach and that we meet or exceed the same standards that we expect from them. It’s equally important that we understand the effort and time it takes for small to medium size enterprises to achieve certification.

As such, we re-certify in both Cyber Essentials and IASME Governance every year. It’s not just a copy and paste of last year’s answers either! We strive to evolve and improve our security processes and incorporate the latest technical guidance and advice wherever possible.

Re-certification is a good time to review everything we do, and to remind ourselves that achieving the certification is a non-trivial task for both us and our customers.

The coronavirus lockdown presented many new challenges to small-to-medium sized organisation. Not least in the sudden change in the way we use IT with increased home working. As such, in April, Consult MB Ltd offered free external vulnerability scans to all local charities, and to the first 25 local businesses that requested it.

We’re pleased to announce that we’re extending the scheme for the next month, with free vulnerability scans for local charities and volunteer organisations. If you’re interested, please get in touch via our contact us page.

Effective security against the most common Internet based cyber threats just got clearer!

1 April 2020 marks the launch of The IASME Consortium becoming the National Cyber Security Centre Cyber Essentials Partner.  #CyberEssentials is a Government backed scheme which has proven to be popular and successful with organisations seeking to protect themselves against the most common online cyber threats. 

To deliver regional support to customers throughout the UK, IASME will continue to deliver the scheme via approved regional Certification Bodies (CBs).  Consult MB Ltd can announce that we continue into this new era as an IASME approved CB.

Consult MB Ltd supports clients throughout Somerset, Bristol, Gloucestershire and South Wales. We do venture further afield from time to time as well! For more information about, or to apply for, Cyber Essentials please have a look at our Cyber Essentials webpage.

NCSC have put out an updated blog concerning Cyber Essentials:

https://www.ncsc.gov.uk/blog-post/cyber-essentials-countdown-to-partnership-launch

and also updated their Cyber Essentials FAQ:

https://www.cyberessentials.ncsc.gov.uk/strengthening-developing-the-ce-scheme

Consult MB Ltd is pleased to confirm, in terms of both the new technical Pen Testing requirements, and the new quality requirements, that we are ready for the 1 April Cyber Essentials changes. Our customer base across Somerset, Bristol, and surrounding areas continues to grow as we provide cost effective cyber security solutions and Cyber Essentials/Plus certification to our clients.

We didn’t find the time to go to Davos this year…but the World Economic Forum have included cyber security in their Global Risks Report 2020 https://www.weforum.org/agenda/2020/01/top-global-risks-report-climate-change-cyberattacks-economic-political/

Cyber security risks feature in both their Long-Term and Short-Term Risk Outlooks.

The unfortunate fact is that many cyber-attacks do not discriminate between huge global corporations and the type of small to medium size businesses that Consult MB Ltd supports in places like Bridgwater, Bristol, Cardiff, Clevedon, Dursley, Davos…no, not Davos, but you get the idea.

If you need any help or advice with your cyber security please contact us.

In amongst the Black Friday/Black Monday/every day of the week/year sales…was ‘Small Business Saturday’ on December 7th. The NCSC supported the day by releasing a series of ‘bite sized’ videos that outline their response and recovery guidance for small businesses. You can find the videos here: https://www.ncsc.gov.uk/collection/small-business-guidance–response-and-recovery/video-collection

The NCSC have more essential guidance for small business here: https://www.ncsc.gov.uk/collection/small-business-guide

At Consult MB Ltd we love an informative cyber security video. You probably won’t find the NCSC releasing it, but check out this seasonal clip from Christmas 2014 by the Security Awareness Company https://www.youtube.com/watch?v=4z5TpZvTcg4

If you’re a small to medium sized business in Bristol, Somerset, or nearby, then please contact us if you have any needs for cyber security awareness training, for implementing robust policies and technical controls, or if you want to gain Cyber Essentials / Cyber Essentials Plus certification.  

On October 23^rd the National Cyber Security Centre (NCSC) published their Annual Review for the period 1 September 2018 to 31 August 2019. It’s a good read, if only to understand the breadth of the threats facing organisations in the UK. The Cyber Essentials scheme got a few mentions, with some 14,234 Cyber Essentials Certificates being issued in the last year.

You can download the report from here: https://www.ncsc.gov.uk/annual-review/2019/ncsc/docs/ncsc_2019-annual-review.pdf

Consult MB Ltd is a licensed certification body for the Cyber Essentials and Cyber Essentials Plus schemes. We support clients in Somerset, Bristol, and the surrounding areas in their efforts to establish and verify their cyber-security baseline. Please contact us if you wish to learn more about Cyber Essentials and how your organisation could achieve it.

In June the NCSC announced that they were going to create a new partnership model with just one Accreditation Body, and minimum criteria for the skills, knowledge and experience of Certification Bodies and their assessors.

We’re pleased to announce that from 1-April-2020 the IASME Consortium will be the sole Accreditation Body. Consult MB Ltd based in North Somerset is already licensed by the IASME Consortium to conduct Cyber Essentials and Cyber Essentials Plus audits, and we look forward to continuing to provide that service to small-medium sized organisations who seek to improve their cyber security in a cost effective manner.

Mike Brett of Consult MB Ltd was asked to write an article for the Somerset Chamber of Commerce’s magazine, Somerset Voice. The article is reproduced below. Phishing is a relatively old topic but it remains very relevant, and should feature at, or near, the top of any list of topics for staff awareness training.

The Article

I sometimes come across customers who have a security policy for absolutely everything. They spend significant sums of money on advanced technical controls and are supported by dedicated IT professionals. Yet, somehow, these organisations still get hacked, and invariably it starts with an indiscriminate, untargeted phishing attack.

Phishing used to be defined as an attempt to trick someone into giving information away over the Internet or by email. That still holds true, but these days phishing emails frequently contain attachments or website links that are intended to lure the recipient into inadvertently installing malware onto their computer. Typically, that initial malware is just a foot in the door, and more advanced malware will follow.

The lure of phishing emails deliberately exploits both the best and worst features of human nature. People can be trusting, willing to help others and inquisitive. They can also be greedy, lazy, intimidated or coerced into making rash decisions. Phishing may exploit any of those characteristics to achieve the desired aim, to get your employee to open the attachment or click on the link.

Indiscriminate phishing may, for example, send an email to 100,000 random recipients demanding immediate payment of the invoice attached. If only 1 in 100,000 recipients is pressurised into opening the attachment, the phisher may have succeeded. If that recipient works in your company, let’s hope your technical controls are good enough to counter what happens next.

Often the greatest illegal gains are achieved via targeted phishing, known as ‘spear-phishing’. This is when a mail is cleverly crafted to bamboozle a specific individual. If that person is very senior in the organisation, this is known as ‘whale-phishing’.

You can buy software to analyse incoming email, but it may not provide perfect phishing detection. Instead, I suggest the focus should be on the potential victims, i.e. your staff. As such, I recommend that you conduct frequent and interesting staff awareness training. In April 2019 the National Cyber Security Centre introduced ‘Exercise in a Box’ a free online awareness training tool that includes a phishing attack exercise. Please check it out…but not if it arrives as a link in an email from a stranger.

Mike Brett CISSP, works as a Cyber Security Consultant for Consult MB Ltd.

Consult MB Ltd is pleased to announce that we have secured a new contract to provide enterprise architecture services to our oldest customer. Since our company formation in 2003 we have enjoyed a sixteen year relationship with this government department. Repeat custom gone mad, we love it!