October 2024 marks the 21st Cybersecurity Awareness Month, launched by the President of the United States and Congress to encourage public and private sectors to work together to raise awareness about the importance of cybersecurity.
With over half our users in the US, I’m happily embracing Cybersecurity Awareness Month to tell our story of Cyber Essentials Plus accreditation which we received in July 2024.
And, as one who regularly forgets his passwords, it also gives me a chance to share my favourite password joke - “Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Chris Pirillo 🤣
Why cyber-certification?
As Orca Scan has grown, the team have always worked hard to ensure that our barcode platform remains secure and resilient to cyber threats.
Last Autumn, we decided to invest some time in meticulously documenting our cybersecurity practices and systems so that our business could be independently audited to give ourselves, and our customers peace of mind.
This blog details the steps taken by all members of the Orca Scan team to achieve Cyber Essentials Plus certification, the challenges encountered, and the benefits reaped from this critical achievement.
What is Cyber Essentials Plus?
Cyber Essentials Plus is a UK government-backed scheme that helps organisations guard against the most common cyber threats and provides reassurance to customers that security measures are in place.
The scheme, introduced by the National Cyber Security Centre (NCSC), is aimed at helping organisations protect themselves from a range of cyberattacks. The scheme has two levels of certification:
Given our commitment to data security and the fact that the Orca platform is used by businesses handling sensitive inventory and asset data, achieving the Cyber Essentials Plus certification was critical. Certification would not only confirm that our systems are secure but also enhance our credibility with existing and potential customers.
How did we do it?
The journey towards achieving Cyber Essentials Plus for Orca Scan was a huge team effort and required close collaboration between everyone in the Orca Team and external auditors.
As project manager, I was overseen by Owen, our COO, and supported enormously by Alban Milroy, Lead Cyber Security Engineer at the University of Cambridge. Alban, who had previously worked with our CEO and Founder John, was the perfect person for me to work with, as he can explain complex technical issues to a less technical person like me.
This is the process 👇
1. Initial Assessment and Gap Analysis
Before starting the Cyber Essentials Plus certification process, Alban undertook a forensic review of our existing cybersecurity. This involved conducting a gap analysis against the Cyber Essentials framework, identifying where our existing measures were sufficient and where additional work was needed.
Key areas he assessed included:
- Access control and user privileges
- Security of mobile devices
- Patch management and software updates
- Firewalls and network configuration
- Malware protection
2. Improving Access Control and User Privileges
The Orca Scan platform relies on cloud-based infrastructure to ensure scalability and accessibility. As part of the Cyber Essentials Plus requirements, it was critical to ensure that only authorised personnel had access to sensitive data and system configurations.
Multi-Factor Authentication (MFA): We implemented MFA for both internal staff and customers using Orca Scan. This additional layer of security significantly reduces the risk of unauthorised access even if login credentials are compromised.
Role-Based Access Control (RBAC): The implementation of RBAC ensured that employees and customers could only access the areas of the application and infrastructure relevant to their roles.
3. Mobile Device Security
With 18 team members, we have a variety of mobile devices to secure.
To meet Cyber Essentials Plus standards:
- All devices were required to have up-to-date operating systems and apps, reducing vulnerabilities caused by outdated software.
- Encryption was enforced for all mobile devices accessing sensitive data through Orca Scan, ensuring that data remained protected even if devices were lost or stolen.
- Remote wipe capabilities were added, allowing the team to remove sensitive information from devices no longer in use or reported missing.
4. Patch Management and Software Updates
Keeping systems up to date is a core tenet of any cybersecurity framework, and for us, this was no different. We needed to demonstrate that critical software updates and patches were applied promptly, particularly to mitigate known vulnerabilities that could be exploited by attackers. To do this, we…
- Implemented an automated patch management system across both internal IT infrastructure and customer-facing applications.
- Introduced monthly security audits to identify and apply any out-of-band patches for newly discovered vulnerabilities.
5. Network and Firewall Configurations
We drew on Alban’s experience and know-how to ensure that our firewalls were configured correctly and that our internal network was segmented to limit lateral movement in the event of a breach. As a result:
- Our firewalls were tested to ensure they could block unauthorised access attempts and filter out suspicious traffic.
- Intrusion detection systems (IDS) were introduced to provide real-time monitoring and alerts in the event of anomalous behaviour within the network.
6. Independent Security Audit
A core component of Cyber Essentials Plus is the independent audit and penetration testing. We engaged a certified assessor from MASS to conduct a comprehensive audit of our systems and perform real-world penetration testing.
The audit included:
- Vulnerability scanning to detect potential weaknesses in the system.
- Penetration testing on public-facing services and the mobile application to identify exploitable vulnerabilities.
- A review of access controls, patch management policies, and other critical security measures.
Challenges Faced
Throughout the certification process, several challenges emerged:
1. Mobile Device Variability: Given the variety of mobile devices used by Orca Scan’s 360k users worldwide, ensuring uniform security across different operating systems and versions proved to be a challenge. However, the team worked diligently to enforce security protocols regardless of device type.
2. Time and Resource Management: While achieving Cyber Essentials Plus was a satisfying recognition of the professionalism of my colleagues, it was fairly resource-intensive, requiring dedicated time from all members of the team. We managed this by breaking the project into chunks and completing tasks across several months of fortnightly sprints. This made sure that we balanced the certification process alongside our ongoing product development and customer care.
3. Evolving Threat Landscape: During the certification process, Alban shared a lot of his experience with me and the team. I feel that this has given us the skills to stay agile and update our security measures as new cyber threats inevitably emerge. An example of this was reacting swiftly to new vulnerabilities such as zero-day exploits.
Results and Benefits
We were accredited in July 2024, and I believe it’s brought us significant benefits:
1. Increased Customer Confidence: The certification gives our customers the confidence that their data is being handled securely. I have had positive feedback from healthcare and public sector customers where stringent cybersecurity standards are essential.
2. Improved Internal Security: Through the certification process, we significantly strengthened our internal security practices, making us more resilient to cyberattacks. This also gives the team peace of mind and recognises their work. By adopting proactive security measures such as automated patching, MFA, and robust access controls, we have minimised the risk of data breaches and downtime.
3. Competitive Advantage: Achieving Cyber Essentials Plus gave us all a positive buzz and, although it’s a bit of a cliché, from a marketing perspective it gives us a competitive advantage. In a world where organisations scrutinise their vendors’ security practices, being able to demonstrate compliance with a government-backed scheme gives us, and our users, confidence.
Next steps…
Achieving Cyber Essentials Plus certification has been a vital step in Orca Scan’s ongoing commitment to maintaining a secure and resilient barcode tracking platform. By taking a proactive approach to cybersecurity, we have strengthened Orca’s infrastructure and reinforced trust with our 350,000 + users.
While the certification process was a huge team effort and highlighted the importance of continual vigilance and improvement in the face of an ever-evolving cyber threat landscape, this is only the beginning! We’ll use this as a foundation to take on the challenges of ISO27001 and SOC2.
I hope this blog might be useful if you are considering Cyber Essentials Plus certification; I would highly recommend doing it for your own peace of mind, for your customers, your colleagues and your business. As we’ve seen in the news too many times recently, it can take years to build a reputation and just a few clicks to ruin it.