8 min read
Cyber Essentials Checklist: Is your IT company competent to help you pass?
Many businesses turn to their IT company to help them pass Cyber Essentials accreditation. The National Cyber Security Centre (NCSC) recently...
Cyber Essentials is a simple, yet very effective scheme backed by the UK Government. It is designed to help protect companies, regardless of their size, against a huge range of cyber attacks.
Cyber attacks come in various shapes and sizes but most are incredibly basic in nature. They are typically carried out by individuals who are not skilled – this can be compared to a thief trying the front door to see if you have left it open. Cyber Essentials offers a good level of protection against these unsophisticated attacks.
In this guide we will cover:
What is Cyber Essentials?
Why Cyber Essentials?
Scope of Cyber Essentials
Cyber Essentials or Cyber Essentials Plus?
Why do I need Cyber Essentials?
What happens if you’re not covered?
Requirements for boundary firewalls and internet gateways
Requirements for secure configuration
Requirements for malware protection
Requirements for patch management
How long does it take to become Cyber Essentials certified?
Launched in 2014 by the Department for Business, Innovation and Skills, this Government scheme encourages businesses to protect their data from the most common threats online. The scheme was developed in conjunction with the Information Security Forum, the Information Assurance for Small and Medium Enterprises (IASME) Consortium, the British Standards Institution and various industry partners.
Not only does it show a business's ability to keep data protected, but there are other benefits too. Being Cyber Essentials certified gives a big advantage when it comes to bidding for Government contracts. It has also been suggested by insurers that being certified could lead to lower insurance premiums. By carrying out the measures, you show that you're protected against common cyber attacks. It's also a great accreditation to display on your site, showing your clients that you're protecting their data.
The National Cyber Security Centre have created a really good leaflet that summarises Cyber Essentials. Download it here.
If you are looking to secure your supply chain, NCSC provide a very useful tool to search for companies that are currently certified. Remember, the certification only lasts 12 months and cybersecurity is only reliable if you keep up with the updates.
Cyber Essentials covers five core areas to provide a basic level of protection against cyber-attacks:
There are two certification options to choose from:
There are many reasons why you might want to gain Cyber Essentials accreditation for your business:
Your business may be left vulnerable and open to attack without the basic protection included in Cyber Essentials.
Many believe that criminals only target big companies, but this is not the case. Smaller businesses may be consciously targeted because of their limited budget and not having the tech required to put up adequate defences.
Ultimately, it is important because it can provide customers peace of mind and confidence to work with your company safely. Cyber Essentials is the best and easiest way to show that you meet an industry standard and it may even help you to win more customers.
Objective — Ensure that only safe and necessary network services can be accessed from the Internet. Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.
Another requirement for secure configuration is a well-implemented password policy.
Objective — Ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role. Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.
There are three main sections of requirements when it comes to malware protection:
Sandboxing is a holding system that prevents access from applications etc. until that access has been approved by a user. This includes:
Objective — Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data. Software updates are now more important than ever. They remove potential vulnerabilities on your network, in turn making you more cyber secure.
There are three rules for software and applications for patch management when it comes to Cyber Essentials:
Objective — Ensure that devices and software are not vulnerable to known security issues for which fixes are available.
There’s no definitive answer to this question. If you have all the controls already in place and pass the assessment first time, you could be certified in a week. On the other hand, if you have to make several changes to your systems to become compliant, it could take several months.
The Cyber Essentials assessment is run by IASME Consortium, having won a five-year contract with Cyber Essentials in April 2020. You can find out more about the certification on the NCSC website.
If you are interested in becoming Cyber Essentials certified, but don't have security expertise in-house, we can help. Visit our Cyber Essentials Consultancy webpage for details. Our security expert, Mark Poulding, has also created a number of videos running through IASME Cyber Essentials frequently asked questions.