Call us about IT support in Birmingham 0121 309 0090

    What is Cyber Essentials?

    Cyber Essentials is a simple, yet very effective scheme backed by the UK Government. It is designed to help protect companies, regardless of their size, against a huge range of cyber attacks.

    Protection against basic cyber attacks

    Cyber attacks come in various shapes and sizes but most are incredibly basic in nature. They are typically carried out by individuals who are not skilled – this can be compared to a thief trying the front door to see if you have left it open. Cyber Essentials offers a good level of protection against these unsophisticated attacks.

    So what is Cyber Essentials, what measures do you have to put in place and how do you become certified? This guide to Cyber Essentials will answer all these questions and more.

    What is Cyber Essentials?

    Launched in 2014 by the Department for Business, Innovation and Skills, this Government scheme encourages businesses to protect their data from the most common threats online. The scheme was developed in conjunction with the Information Security Forum, the Information Assurance for Small and Medium Enterprises (IASME) Consortium, the British Standards Institution and various industry partners.

    Why should I get Cyber Essentials for my business?

    Not only does it show a business’s ability to keep data protected, but there are other benefits too. Being Cyber Essentials certified gives you a big advantage when bidding for Government contracts. Insurers have also suggested that being certified could lead to lower insurance premiums. By carrying out the measures, you show that you’re protected against common cyber attacks. It’s also a great accreditation to display on your site, showing your clients that you’re protecting their data.

    Scope of Cyber Essentials

    Cyber Essentials covers six core areas to provide a basic level of protection against cyber-attacks:

    1. Using office firewalls and Internet gateways
    2. Maintaining secure configuration of your computer equipment
    3. Keeping software up-to-date
    4. Controlling user accounts
    5. Restricting use of administrative accounts
    6. Protecting against malware

    Cyber Essentials or Cyber Essentials Plus?

    There are two certification options to choose from:

    1. Cyber Essentials, which requires you to submit a self-assessment to the certification body.
    2. Cyber Essentials Plus, which is verified by an external auditor who also carries out a network scan.

    Why do I need Cyber Essentials?

    There are many reasons why you might want to gain Cyber Essentials accreditation for your business:

    • Customers feel assured knowing that your IT is protected
    • Attract new business
    • Determine your organisation’s security level
    • Comply with the increasing numbers of contracts stipulating Cyber Essentials as a requirement

    What happens if you’re not covered?

    Your business may be left vulnerable and open to attack without the basic protection included in Cyber Essentials.

    Many believe that criminals only target big companies, but this is not the case. Smaller businesses may be deliberately targeted because their limited budgets leave them without the technology required to put up adequate defences.

    Ultimately, it is important that customers are given the peace of mind and confidence to work with your company safely. Cyber Essentials is the best and easiest way to show that you meet an industry standard and it may even help you to win more customers.

    Cyber Essentials requirements for boundary firewalls and internet gateways

    • Default administrative passwords must be changed to a more complex password. For help on creating a secure password, make sure you check out our guide on how to create the perfect password. Alternatively, you can disable remote administrative access completely.
    • Do not allow internet access to the firewall’s administrative interface unless there is a documented business reason. Even then, you should make sure two-factor authentication or an IP whitelist is implemented for secure access.
    • By default, block unauthenticated inbound connections.
    • Any firewall rules must be documented and authorised by a named individual, with the business need recorded too.
    • Be able to remove and disable rules quickly when they are no longer required.
    • Use a host-based firewall on devices that are used on untrusted networks, such as public Wi-Fi hotspots.
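    As an added example (not from this page or from the Cyber Essentials scheme itself), a small Python audit that checks a constructed model of an inbound ruleset against the requirements listed above: default-deny inbound, a named owner and business need for every allow rule, and no admin interface open to the internet without 2FA or an IP allowlist. The Rule fields, port numbers and sample rules are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Rule:
    """One inbound rule on the boundary firewall (constructed model)."""
    name: str
    action: str                    # "allow" or "deny"
    src: str                       # source CIDR, or "any" for the whole internet
    dport: int
    admin_interface: bool = False  # True if the rule targets the firewall's own admin UI
    owner: str = ""                # person who authorised the rule
    business_need: str = ""        # documented reason for the rule
    two_factor: bool = False       # 2FA enforced on the admin interface


def is_world_open(src: str) -> bool:
    """A source of 'any' or a /0 network means reachable from the whole internet."""
    return src == "any" or ip_network(src, strict=False).prefixlen == 0


def audit(default_inbound: str, rules: list[Rule]) -> list[str]:
    """Return one finding per firewall requirement that the ruleset does not meet."""
    findings = []
    if default_inbound != "deny":
        findings.append("policy: unauthenticated inbound connections must be blocked by default")
    for r in rules:
        if r.action != "allow":
            continue
        if not r.owner or not r.business_need:
            findings.append(f"{r.name}: allow rule has no authorising owner or documented business need")
        # An admin UI reachable from the whole internet needs 2FA; a narrow source CIDR
        # is the IP allowlist alternative and passes the is_world_open() check.
        if r.admin_interface and is_world_open(r.src) and not r.two_factor:
            findings.append(f"{r.name}: admin interface reachable from the internet without 2FA or an IP allowlist")
    return findings


# Constructed ruleset: two compliant rules followed by two that fail the checks.
RULES = [
    Rule("web", "allow", "any", 443, owner="j.smith", business_need="public website"),
    Rule("mgmt-office", "allow", "203.0.113.0/24", 22, admin_interface=True,
         owner="it-lead", business_need="remote admin from the office"),
    Rule("mgmt-any", "allow", "any", 8443, admin_interface=True),
    Rule("stale-rdp", "allow", "0.0.0.0/0", 3389, owner="unknown"),
]


def example_findings() -> list[str]:
    """Audit the constructed ruleset with a default-accept inbound policy."""
    return audit("accept", RULES)
```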

    Objective — Ensure that only safe and necessary network services can be accessed from the Internet.

    Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.

    Cyber Essentials requirements for secure configuration

    • User accounts that are no longer needed must be removed or disabled.
    • Default or weak passwords must be changed to something more secure.
    • Unused software applications must be disabled or removed.
    • Features such as automatic downloads from the internet should be disabled, or should require user authorisation.
    • Make sure users get authenticated before having network-connected access to business data.

    Another requirement for secure configuration is a well-implemented password policy.

    Objective — Ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role.

    Malware is an umbrella term for anything bad when it comes to cyber security (ransomware, viruses etc.).

    Cyber Essentials requirements for malware protection

    There are three main sections of requirements when it comes to malware protection:

    Anti-malware software

    • The software must be kept up to date.
    • Files must be scanned automatically upon access, including when they’re opened and downloaded.
    • Websites must be scanned by the software when accessed to make sure they’re safe for browsing. If the website is not safe, the software must prevent access to the site unless there is a documented business need.

    Application whitelisting

    • Only applications that have been approved are allowed to execute on devices. A list of these applications must be documented and approved before being deployed to devices.
    • Any application that is not approved and documented should be blocked from being downloaded.

    Application sandboxing

    Sandboxing runs an application in an isolated environment so that it cannot reach other resources until a user has approved that access. This includes:

    • Other sandboxed applications
    • Data stores, such as those holding documents and photos
    • Sensitive peripherals, such as the camera, microphone and GPS
    • Local network access

    Objective — Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.

    Software updates are now more important than ever. They remove potential vulnerabilities on your network, in turn making you more cyber secure.

    Cyber Essentials requirements for patch management

    Cyber Essentials sets three rules for patch management of software and applications:

    • Make sure software is licensed and supported.
    • When support ends for the software, ensure that it is removed from all devices.
    • Any ‘high risk’ or ‘critical’ update should be installed within two weeks.

    Objective — Ensure that devices and software are not vulnerable to known security issues for which fixes are available.
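    As an added example, not part of this page or of the scheme’s own material: a Python check that applies the three patch-management rules above to a constructed software inventory, flagging unlicensed software, software past its support end date, and critical or high-risk updates still missing more than two weeks after release. The inventory fields, device names, versions and dates are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # critical/high-risk updates must be installed within two weeks
URGENT = {"critical", "high"}


@dataclass
class Software:
    """One installed package on one device (constructed inventory record)."""
    device: str
    name: str
    licensed: bool
    support_ends: date | None   # None means the vendor still supports it
    installed: str              # installed version
    latest: str                 # latest available version
    severity: str               # vendor rating of the latest update
    released: date              # release date of the latest update


def audit(inventory: list[Software], today: date) -> list[str]:
    """Return one finding per patch-management rule that a record breaks."""
    findings = []
    for s in inventory:
        tag = f"{s.device}/{s.name}"
        if not s.licensed:
            findings.append(f"{tag}: unlicensed software")
        if s.support_ends is not None and s.support_ends < today:
            findings.append(f"{tag}: support ended {s.support_ends}, remove from device")
            continue  # no further patches will come; removal is the only fix
        if s.installed != s.latest and s.severity in URGENT:
            deadline = s.released + PATCH_WINDOW
            if today > deadline:
                findings.append(f"{tag}: {s.severity} update {s.latest} overdue since {deadline}")
    return findings


# Constructed inventory: one overdue critical update, one high update still inside the
# two-week window, one unsupported package, one unlicensed package, one medium update.
INVENTORY = [
    Software("LAPTOP-01", "OfficeSuite", True, None, "5.1", "5.2", "critical", date(2024, 5, 10)),
    Software("LAPTOP-01", "Browser", True, None, "120", "121", "high", date(2024, 5, 25)),
    Software("SRV-02", "LegacyDB", True, date(2023, 12, 31), "9", "9", "low", date(2023, 1, 1)),
    Software("LAPTOP-03", "PhotoTool", False, None, "2", "2", "low", date(2024, 1, 1)),
    Software("LAPTOP-02", "PDFReader", True, None, "1.0", "1.1", "medium", date(2024, 1, 1)),
]


def example_findings(today: date = date(2024, 6, 1)) -> list[str]:
    """Audit the constructed inventory as of a fixed (constructed) date."""
    return audit(INVENTORY, today)
```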

    How do I become Cyber Essentials certified?

    To become Cyber Essentials certified you must contact a certification body. There are currently five accreditation bodies that can carry out your assessment for you:

    • APMG
    • CREST
    • Information Assurance for Small and Medium Enterprises Consortium
    • IRM Security
    • QG Management Standards

    What is the process for getting Cyber Essentials certified?

    There are four main stages to becoming Cyber Essentials certified:

    • Review the Cyber Essentials requirements
    • Contact one of the previously mentioned certification bodies
    • Complete the questionnaire and make any required updates to your system
    • Wait for an assessor to verify your answers

    How long does it take to become Cyber Essentials certified?

    There’s no definitive answer to this question. If you have all the controls in place and pass the assessment first time, you could be certified in a week. On the other hand, if you have to make several changes to your systems to become compliant, it could take several months.

    What next?

    Find out how much good, basic cybersecurity costs for businesses.