Cyber Essentials is a scheme designed by the Government to make it easier for businesses of all sizes to protect themselves against cyber attacks. It is mandatory for organisations in the UK Government supply chain, but highly beneficial for any other business as it demonstrates a commitment to Cyber Security.
The scheme sets out five security controls to protect organisations against the most common cyber threats. You can complete a self-assessment questionnaire to see how your business measures up against the five security controls listed. This will help you decide whether you’re in a position to apply for a Cyber Essentials accreditation badge. We’ll talk more about how to apply later, but first, we’ll take a look at what the five security controls are and how you can ensure your business has them in place.
Secure configuration
Secure configuration refers to the security measures applied when building and installing computers and network devices. Configure these devices in a way that limits vulnerabilities from the outset.
Common weaknesses include default passwords left in place across systems and devices, user accounts with unnecessary access privileges, and an uncontrolled software installation process, among many others. Put a formal configuration management process or system in place to ensure consistency across all devices your business uses, including devices your employees bring in and use for work.
Boundary firewalls and Internet gateways
Firewalls and gateways provide a basic level of protection for Internet users. If working correctly, firewalls monitor all network traffic and can identify and block unwanted traffic that could be harmful.
Your business could be vulnerable if your firewalls are weak and fail to block unauthorised and known risky websites. Encourage employees to visit only trusted, secure websites, which use https:// and show a padlock in the browser’s address bar (this indicates that the connection is encrypted, not that the site itself is trustworthy). To limit the damage if a risky site is visited anyway, set your firewall to a default deny-all policy. This blocks all traffic by default and explicitly allows only specific traffic to known services.
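To make the default deny-all policy concrete, here is an added example of a small-office gateway ruleset written for nftables; it is not from the original article, and the interface names (lan0, wan0) and the set of allowed services are assumptions. The weak variant is shown first so the difference in chain policy is visible; only one of the two should be loaded.

```nft
# Added example, not part of the original article. Interface names
# (lan0, wan0) and the permitted services are assumptions.

# WEAK: policy "accept" means anything not explicitly blocked gets
# through. Blocking risky destinations one at a time leaves every
# other unknown destination allowed. Do not load alongside "filter".
table inet weak {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop          # only telnet is blocked; all else passes
    }
}

# CORRECTED: default deny-all. Traffic is dropped unless a rule below
# explicitly allows it to a known service.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep replies to connections the gateway itself started
        ct state established,related accept
        ct state invalid drop

        iif lo accept

        # ICMP is needed for basic diagnostics (ping, path MTU discovery)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Explicit allows to known services only
        iif "lan0" tcp dport 22 accept        # SSH, from the office LAN only
        tcp dport { 80, 443 } accept          # the public web server

        # Anything else falls through to the chain policy and is dropped
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Workstations on the LAN may reach web and DNS on the Internet
        iif "lan0" oif "wan0" tcp dport { 80, 443 } accept
        iif "lan0" oif "wan0" udp dport 53 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```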
Access control and administrative privilege management
One of the biggest threats to any business’s Cyber Security is mismanaged user accounts. You should put a user account management system or privilege management process in place to help prevent ‘privilege creep’ – a term that refers to the gradual increase in access privileges that accrue when users get promoted or change roles without the old ones being reviewed and removed.
Ensure all user accounts are authorised and enforce a strong username and password policy, which is regularly reviewed.
Patch management
Patch management is all about software updates. Keeping software up to date helps combat low-level cyber attacks, which exploit publicly known vulnerabilities in specific versions of software. Using an old, unsupported operating system such as Windows XP, for example, could expose your business to these types of attacks.
You can protect your business by only using licensed and supported software, and installing software updates and security patches in a timely manner. Put in place a policy that ensures this is implemented across all devices used by employees.
Malware protection
This one is pretty obvious – your business should have anti-malware software installed on all devices and networks connected to the Internet to protect against malware. However, it’s not good enough to just have this software installed; it needs to be maintained.
Ensure your malware protection software updates automatically, performs regular automatic scans, and scans files (particularly those downloaded from a web page) automatically for any viruses.
How can my business become Cyber Essentials accredited?
Once you have completed the self-assessment questionnaire, your business will receive a pass or fail result. If you pass, you will still need to provide independent assurance that you have the protections correctly in place. A certifying body, such as Falanx Cyber Defence, can execute an external perimeter scan of your estate to provide the assurance needed to receive the Cyber Essentials accreditation badge.
If you fail the initial self-assessment questionnaire or the independent assurance check, it doesn’t mean you can’t achieve Cyber Essentials accreditation. Follow the above advice to ensure you have the correct measures in place. Falanx can also provide you with a table of issues that caused the assessment failure and provide you with the right guidance, support and advice to remediate these issues.
As well as the basic Cyber Essentials accreditation, there is also a Cyber Essentials Plus option. This covers the same requirements as Cyber Essentials but doesn’t involve a self-assessment questionnaire. Tests of the systems are carried out by an external certifying body, using a range of tools and techniques. Both Cyber Essentials and Cyber Essentials Plus must be renewed annually.