What is Cyber Essentials?

Cyber Essentials is a simple, yet very effective scheme backed by the UK Government. It is designed to help protect companies, regardless of their size, against a huge range of cyber attacks.

Protect against basic cyber attacks

Cyber attacks come in various shapes and sizes but most are incredibly basic in nature. They are typically carried out by individuals who are not skilled – this can be compared to a thief trying the front door to see if you have left it open. Cyber Essentials offers a good level of protection against these unsophisticated attacks.

In this guide we will cover:

What is Cyber Essentials?
Why Cyber Essentials?
Scope of Cyber Essentials
Cyber Essentials or Cyber Essentials Plus?
Why do I need Cyber Essentials?
What happens if you’re not covered?
Requirements for boundary firewalls and internet gateways
Requirements for secure configuration
Requirements for malware protection
Requirements for patch management
How long does it take to become Cyber Essentials certified?

What is Cyber Essentials?

Launched in 2014 by the Department for Business, Innovation and Skills, this Government scheme encourages businesses to protect their data from the most common threats online. The scheme was developed in conjunction with the Information Security Forum, the Information Assurance for Small and Medium Enterprises (IASME) Consortium, the British Standards Institution and various industry partners.

Why Cyber Essentials?

Watch the video about to understand why businesses get Cyber Essentials certified.

Not only does it show a business’ ability to keep data protected but also there are other benefits. Being Cyber Essentials certified gives a big advantage when it comes to bidding for Government contracts. It has also been suggested by insurers that being certified could lead to lower insurance premiums. By carrying out the measures, you show that you’re protected against common cyber attacks. It’s also a great accreditation to display on your website, showing your clients, you’re protecting their data.

Which companies are Cyber Essentials certified?

If you are looking to secure your supply chain, NCSC provide a very useful tool to search for companies that are Cyber Essentials certified. Remember, Cyber Essentials certification only lasts 12 months, so consider reviewing your supplier's security annually. 

On the flip side your company, too, can be easily found by potential clients:

IAMSE company search tool

Scope of Cyber Essentials

Cyber Essentials covers five core areas to provide a basic level of protection against cyber-attacks:

1. Using office firewalls and Internet gateways
2. Maintaining secure configuration of your computer equipment
3. Controlling user accounts and restricting use of administrative accounts
4. Protecting against malware
5. Keeping software and devices up to date

Cyber Essentials or Cyber Essentials Plus?

There are two certification options to choose from:

1. Cyber Essentials, requiring the submission of a self assessment to the certification body, IASME Consortium. It's a great starting point for addressing your business' security and the UK's entry cybersecurity certification.
   
   
2. Cyber Essentials Plus is verified by an external auditor. This is carried out within four months of becoming Cyber Essentials certified and ensures policies (in Cyber Essentials) are being adhered. This is a great accreditation for businesses that want to demonstrate that they go the extra mile to secure their business.
   
   

Why do I need Cyber Essentials?

There are many reasons why you might want to gain Cyber Essentials accreditation for your business:

• Customers feel assured knowing that your IT is protected
• Attract new business
• Determine your organisation’s security level
• Comply with the increasing numbers of contracts stipulating Cyber Essentials as a requirement
  
  

What happens if you’re not covered?

Your business may be left vulnerable and open to attack without the basic protection included in Cyber Essentials.

Many believe that criminals only target big companies, but this is not the case. Smaller businesses may be consciously targeted because of their limited budget and not having the tech required to put up adequate defences.

Ultimately, it is important because it can provide customers peace of mind and confidence to work with your company safely. Cyber Essentials is the best and easiest way to show that you meet an industry standard and it may even help you to win more customers.

Cyber Essentials requirements for boundary firewalls and internet gateways

• Default administrative passwords must be changed to a more complex password. For help on creating a secure password, make sure you check out our guide on how to create the perfect password. Alternatively, you can disable remote administrative access completely.
• Do not allow internet access to the administrative firewalls interface unless there is a documented business reason. Even then you should make sure two-factor authentication or an IP whitelist is implemented for secure access.
• By default, block unauthenticated inbound connections.
• Any firewalls must be documented and authorised by an individual with the business need included too.
• Be able to remove and disable rules quickly when they are no longer required.
• Use a host-based firewall on devices that are used on untrusted networks, such as public Wi-Fi hotspots.

Objective

Ensure that only safe and necessary network services can be accessed from the Internet. Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.

Tick off list

Maintaining secure configuration of your computer equipment

Objective

To ensure that employees and suppliers only have access to the administration privileges that they need and control what can be accessed. 

Tick off list

Cyber Essentials requirements for secure configuration

• User accounts that are no longer needed must be removed and disabled.
• Default or weak passwords must be changed to something more secure.
• Unused software applications must be disabled or removed.
• Features such as automatic downloads from the internet should be disabled, with user authorisation being implemented.
• Make sure users get authenticated before having network-connected access to business data.

Another requirement for secure configuration is a well-implemented password policy.

Objective

Ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role. Default configurations are very rarely strong enough to protect against cyber-attacks. Hackers will often know ways around default configurations, putting your networks at risk.

Tick off list

Cyber Essentials requirements for malware protection

There are three main sections of requirements when it comes to malware protection:

Anti-malware software

• The software must be kept up to date.
• Files must be scanned automatically upon access, including when they’re opened and downloaded.
• Websites must be scanned by the software when accessed to make sure they’re safe for browsing. If the website is not safe, the software must prevent access to the site unless there is a documented business need.

Application whitelisting

• Only applications that have been approved are allowed to execute on devices. A list of these applications must be documented and approved before being deployed to devices.
• Any applications that are not approved or documented should not be able to be downloaded.

Application sandboxing

Sandboxing is a holding system that prevents access from applications etc. until that access has been approved by a user. This includes:

• Other sandboxed applications
• Data stores, such as those holding documents and photos
• Sensitive peripherals, such as the camera, microphone and GPS
• Local network access

Objective — Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data. Software updates are now more important than ever. They remove potential vulnerabilities on your network, in turn making you more cyber secure.

Cyber Essentials requirements for patch management

There are three rules for software and applications for patch management when it comes to Cyber Essentials:

• Make sure software is licensed and supported.
• When support ends for the software, ensure that it is removed from all devices.
• Any ‘high risk’ or ‘critical’ update should be installed within two weeks.

Objective — Ensure that devices and software are not vulnerable to known security issues for which fixes are available.

How long does it take to become Cyber Essentials certified?

There’s no definitive answer to this question. If you have all the controls already in place and pass the assessment first time, you could be certified in a week. On the other hand, if you have to make several changes to your systems to become compliant, it could take several months.

Become Cyber Essentials certified

Ready to be assessed

The Cyber Essentials assessment is ran by IASME Consortium, having won a five year contract with Cyber Essentials in April 2020. You can find out more about the certification on the NCSC website.

Help to be come compliant

If you are interested in becoming Cyber Essentials certified, but don't have security expertise inhouse, we can help. Visit our Cyber Essentials Consultancy webpage for details. Our security expert, Mark Poulding has also created a number of videos running through IASME Cyber Essentials frequently asked question.

Become certified

Cyber Esseentials video FAQ