In June 2014, the National Cyber Security Centre (NCSC) introduced Cyber Essentials and Cyber Essentials plus, a government-backed cyber security certification scheme. This framework was established to ensure that providers and organisations entrusted with sensitive data adhere to a minimum standard of cyber security. Beyond conformance, it aims to assist businesses in building a resilient infrastructure capable of warding off cyber-attacks from hackers, including malicious techniques like ransomware. Over 30,000 organisations have been awarded Cyber Essentials certification, encompassing five critical cybersecurity measures: safe configurations, firewalls, malware prevention, access control, and patch management.
Exploring Cyber Essentials Certification
Managed by the NCSC in collaboration with the Information Security Forum, the Information Assurance for Small and Medium-sized Businesses Consortium, and other industry partners, Cyber Essentials certification is designed to safeguard the confidentiality and integrity of corporate data against internet-based attacks.
It’s important to understand that Cyber Essentials is not a comprehensive cyber security strategy. It instead serves as a foundational benchmark of cyber security, which organisations can build on once they are able to do so. There are two distinct certificates in the Cyber Essentials program: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials primarily addresses the most prevalent internet-based security risks, particularly those that exploit easily accessible technologies and require minimal technical expertise. These risks are categorized as phishing, hacking, and password guessing.
The Benefits of Cyber Essentials Certification
Obtaining Cyber Essentials certification not only signifies your organisation’s commitment to cyber security but also enhances the security of data sharing between you, your clients, partners, and suppliers. It is often a prerequisite for bidding on government projects, and many local authorities and most Ministry of Defence (MoD) projects require a minimum of Cyber Essentials Plus certification.
The Five Technical Controls
Cyber Essentials certification evaluates five fundamental components of your IT infrastructure.
#1, Safe Configurations
Instead of relying on default configuration settings, select the safest settings for your hardware and software. Default settings may inadvertently give cyber criminals easy access to your data and create opportunities for unauthorised access.
#2, Firewalls
Employ personal, built-in, or dedicated boundary firewalls to secure internet connections.
#3, Patch Management: Ensure that all devices, including phones, tablets, laptops, and PCs, are kept up to date. This includes updates for installed apps and software, as well as operating systems. It also involves adhering to end-of-life management guidelines when a vendor discontinues support for hardware or software.
#4, User Access Management: Minimize potential harm by providing staff accounts with the minimum level of access and control necessary for them to perform their duties in relation to software, settings, internet services, and equipment connectivity features. Additional permissions should only be granted to those who genuinely need them.
#5, Malware Defence: Implement anti-malware procedures, whitelisting, and sandboxing to protect against malware, safeguarding both your organisation and its data.
Selecting the Appropriate Cyber Essentials Category
The Cyber Essentials certification process is based on a self-evaluation component, which is designed to be straightforward and accessible. After selecting a certification body, you will need to respond to their questionnaire and evaluate your responses. Following this, an external vulnerability scan is conducted on your IP addresses. If successful in both stages of assessment, you will be awarded a certificate.
Cyber Essentials certification is ideal for small organisations looking to validate the presence of essential controls within their cyber security infrastructure. Meanwhile, Cyber Essentials Plus maintains the same standards as Cyber Essentials but necessitates an external assessment of your security measures to confirm the five technical security controls are in place.
The Cyber Essentials Plus assessment consists of two key phases. The first phase includes an external vulnerability scan of your publicly accessible IP addresses will be conducted to identify any vulnerabilities. In the second, a small sample of end-user devices will be tested to assess their conformance to the requirements scheme. This scan will verify adequate patching and configuration, as well as testing email clients and internet browsers.
While achieving Cyber Essentials Plus certification may require additional effort, it yields substantial benefits. By subjecting your cyber security measures to the scrutiny of an experienced third-party assessor, you can identify gaps and failings that may otherwise have been missed and enhance your cyber defences. Assured Service Provider organisations like URM can advise and support you prior to assessment, helping you implement the technical controls and increasing your chances of successfully certifying.
Final Thoughts
Cyber Essentials certification is an important step in enhancing online security and safeguarding sensitive data. It demonstrates your organisation’s commitment to cyber security, instilling trust and confidence among clients, partners, and suppliers. Additionally, it opens doors to potential business opportunities, particularly in the public sector. By adhering to the five technical controls, organisations can significantly reduce the risk of cyber-attacks and protect themselves from threats. Whether opting for Cyber Essentials or Cyber Essentials Plus, the journey towards certification is an investment in strengthening cyber security measures and building trust with stakeholders and partners.
