
Gary Hibberd

20200731

Cyber Essentials is a simple and very effective cyber security scheme. The UK Government backs it and helped direct its focus on protecting companies against a huge range of cyber attacks. It works for a company of any size.

Benefits of Cyber Essentials:

  • It shows a business’ ability to keep data protected, and there are other benefits besides.
  • It grants big advantages when bidding for Government work.
  • Some of the better insurers charge lower cyber security insurance premiums.
  • It shows your clients and prospective clients that you care about cyber security and are a safe pair of hands.
  • The Government keeps an updated public list of certified companies. Some companies will only trade with companies on this list.
  • It shows areas where your business can quickly improve.
  • Compared to most cyber security matters, it is probably one of the cheapest and most cost-effective undertakings a company can do, in terms of pounds spent versus improvement in the business’ cyber security posture.

Many believe that criminals only target big companies, but this is not the case. Smaller businesses have fewer resources to manage cyber security, whether in-house knowledge, time or money. Due to existing long-standing trade relationships, bigger companies may trust smaller companies.

The bad guys know these things. That is why they target smaller companies. By becoming Cyber Essentials certified, you are giving your trading partners reassurance. You are demonstrating that you are serious about cyber security. It may even help you win more custom.

Remember, Cyber Essentials is designed to:

  • not be expensive,
  • rely on easy to implement controls,
  • be educational.

So take heart, consider Cyber Essentials and your business will be the stronger for it.

Cyber Essentials protects against basic cyber attacks.

Cyber attacks come in various shapes and sizes. But looking at past compromises, most are basic in nature. History has shown that these attacks are carried out by unskilled individuals. Think of a passer-by trying their luck to see if you pulled your front door shut behind you. Cyber Essentials offers a good level of protection against these unsophisticated attacks by covering five areas:

  • Using office firewalls and Internet gateways
  • Maintaining secure configuration of your computer equipment
  • Controlling user accounts and restricting use of administrative accounts
  • Protecting against malware
  • Keeping software and devices up to date

The key to achieving Cyber Essentials is getting the scope correct. Organisations that choose a scope which includes their whole IT infrastructure achieve the best protection and maximise their customers’ confidence. If you decide to limit the scope, then you will need to demonstrate technical controls that enforce the separation of the scoped sub-set from the rest of the business. Scopes must include end-user devices: 90% of all successful attacks came through this avenue. Once the scope has been decided on and agreed with your assessing body (of which we are one), you can look at the five different areas of security controls you have in place.

Remember, Cyber Essentials requirements apply to all corporate devices that can connect to the Internet, receive connections from the Internet or control the communications path to the Internet.

Cyber Essentials sets requirements for firewalls and internet gateways.

  • Change default administrative passwords to complex ones.
  • Even better, disable remote administrative access completely.
  • Block any Internet access to firewall administration that is not documented.
  • Ensure the use of multi-factor authentication or an IP address whitelist for remote management.
  • By default, block unauthenticated inbound connections.
  • Document all firewalls. Ensure the documentation includes the business reason and authorisation for each firewall rule.
  • Remove and disable rules as soon as they are no longer required.
  • Ensure devices that connect to non-corporate networks have a host-based firewall. Think of laptops connecting to public Wi-Fi etc.
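One way to check a firewall rule set against the requirements in the list above, as an added example that is not part of the original post. The Rule fields, the "firewall-admin" service name, the audit date and the sample rules are all assumptions constructed for this example.

```python
# Added example (not from the post): the Rule fields, the "firewall-admin"
# service name and the sample rules below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Rule:
    name: str
    direction: str                  # "inbound" or "outbound"
    action: str                     # "allow" or "deny"
    source: str                     # "any" or an allow-listed CIDR
    service: str                    # "any", "https", "firewall-admin", ...
    business_reason: str = ""       # must be documented for every rule
    authorised_by: str = ""         # must be documented for every rule
    expires: Optional[date] = None  # rules must go when no longer required
    mfa_required: bool = False      # relevant to remote management rules

def audit_rules(rules: list[Rule], today: date) -> list[str]:
    """Return findings; an empty list means the rule set meets the requirements."""
    findings = []
    # Unauthenticated inbound connections must be blocked by default.
    if not any(r.direction == "inbound" and r.action == "deny"
               and r.source == "any" and r.service == "any" for r in rules):
        findings.append("no default inbound deny rule")
    for r in rules:
        # Every rule needs a documented business reason and authorisation.
        if not r.business_reason or not r.authorised_by:
            findings.append(f"{r.name}: missing business reason or authorisation")
        # Rules must be removed as soon as they are no longer required.
        if r.expires is not None and r.expires < today:
            findings.append(f"{r.name}: expired on {r.expires}, remove it")
        # Remote administration needs MFA or an IP allow list, never open to "any".
        if (r.direction == "inbound" and r.action == "allow" and r.service == "firewall-admin"
                and r.source == "any" and not r.mfa_required):
            findings.append(f"{r.name}: remote admin open to the Internet without MFA or allow list")
    return findings

AUDIT_DATE = date(2020, 7, 31)
SAMPLE_RULES = [  # constructed sample, not a real rule set
    Rule("default-deny", "inbound", "deny", "any", "any", "default posture", "IT manager"),
    Rule("web", "inbound", "allow", "any", "https", "public website", "IT manager"),
    Rule("remote-admin", "inbound", "allow", "any", "firewall-admin"),  # undocumented, open
    Rule("contractor-rdp", "inbound", "allow", "203.0.113.7/32", "rdp", "contractor support",
         "IT manager", expires=date(2020, 6, 30)),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, AUDIT_DATE):
        print(finding)
```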

Cyber Essentials sets configuration requirements for systems. Default configurations are very rarely strong enough to protect against cyber attacks. Attackers will often know ways around default configurations, putting your networks at risk.

  • Remove or disable user accounts when they are no longer needed.
  • Change default or weak passwords to something more secure.
  • Disable or remove unused software applications.
  • Block automatic Internet downloads that have not been authorised by a user.
  • Make sure users get authenticated before having network-connected access to business data.
  • Ensure there is a robust password policy set for all systems.
  • Configure computers and network devices to reduce the level of inherent vulnerabilities.
  • Ensure systems provide only the services required to fulfil their role.

There are three main Cyber Essentials requirements when it comes to malware protection:

Anti-malware software

  • Keep software up to date.
  • Scan files upon access, including when they’re opened and downloaded.
  • Scan websites when accessed to make sure they’re safe for browsing. The software must block access to unsafe or disallowed websites.

Application whitelisting

  • Only allow approved applications to execute on devices.
  • Compile a list of these applications allowed for devices.
  • Block the download of unapproved software.

Application sandboxing

  • Restrict execution of known malware and untrusted software by using sandbox technology. Sandboxes prevent harmful code from causing damage or accessing sensitive data.
  • Sandbox applications so that they cannot reach the following until a user approves access:
    • Other sandboxed applications
    • Data stores, such as those holding documents and photos
    • Sensitive peripherals, such as the camera, microphone and GPS
    • Local network access

Patches remove potential vulnerabilities on your network, making your business more cyber secure. Cyber Essentials sets three rules for acceptable software patch management:

  • Keep all software in use licensed and supported by its vendor.
  • Remove all unsupported software as soon as support runs out.
  • Install all ‘high risk’ or ‘critical’ updates within two weeks.
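The patch-management rules above, applied to a software inventory, as an added example that is not part of the original post. The inventory fields, the audit date and the sample entries are assumptions constructed for this example; the only figure taken from the scheme is the two-week window.

```python
# Added example (not from the post): the inventory fields and sample
# entries below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # 'high risk' / 'critical' updates within two weeks

@dataclass
class Software:
    name: str
    licensed: bool
    support_ends: Optional[date]        # None: vendor support continues
    critical_released: Optional[date]   # latest high/critical update, if any
    critical_installed: Optional[date]  # when it was applied; None: not yet

def audit_inventory(items: list[Software], today: date) -> dict[str, list[str]]:
    """Map each non-compliant software name to its list of issues."""
    findings: dict[str, list[str]] = {}
    for s in items:
        issues = []
        # Rule: all software must be licensed and vendor supported; remove it otherwise.
        if not s.licensed:
            issues.append("unlicensed")
        if s.support_ends is not None and s.support_ends <= today:
            issues.append("unsupported: remove")
        # Rule: high risk / critical updates installed within two weeks of release.
        if s.critical_released is not None:
            deadline = s.critical_released + PATCH_WINDOW
            if s.critical_installed is None and today > deadline:
                issues.append(f"critical update overdue by {(today - deadline).days} days")
            elif s.critical_installed is not None and s.critical_installed > deadline:
                issues.append("critical update installed outside the two-week window")
        if issues:
            findings[s.name] = issues
    return findings

AUDIT_DATE = date(2020, 7, 31)
SAMPLE_INVENTORY = [  # constructed sample inventory
    Software("Office suite", True, None, date(2020, 7, 10), date(2020, 7, 15)),
    Software("Legacy ERP", True, date(2020, 1, 14), None, None),
    Software("PDF reader", True, None, date(2020, 7, 1), None),
    Software("Image editor", False, None, date(2020, 6, 1), date(2020, 6, 30)),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name, "->", "; ".join(issues))
```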

There are two certification options to choose from:

  • Self certify (Cyber Essentials) – answer a self assessment questionnaire. This is something we can mark, submit and offer advice on if you need it. It’s a great starting point for addressing your business’ security. It is the UK’s entry-level cyber security certification.
  • We can also audit your business against Cyber Essentials Plus. We will interview some of your staff, review some of your systems and scan what you expose to the Internet. Cyber Essentials Plus shows that your business takes security seriously.

Both certifications have exactly the same scope. It is the method of validation that differs.

Remember, certification only lasts 12 months, and the assurance it gives holds only if you keep up with the updates. If you need any assistance with Cyber Essentials, please do not hesitate to reach out to our highly experienced team. We can talk you through it and offer advice to ensure your business improves its cyber security posture and is less likely to be compromised.

Certification can take days if you already have all the controls in place. If you have to make changes to your systems to become compliant, certification could take several months. Either way, we can work with you and ensure your business gets the best possible outcome.
