In this Cyber Essentials guide we provide a jargon-free overview of Cyber Essentials certification: its background, benefits and key requirements.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme that sets out a baseline standard for cyber security.
Launched in response to a growing cyber threat, it is aimed at any organisation, of any size, that uses internet-connected end-user devices or systems. It is specifically designed to provide a straightforward and affordable approach to cyber security.
Much like an MOT, Cyber Essentials certification needs to be renewed annually. The Cyber Essentials requirements are also revised regularly to respond to the latest cyber security threats, so the controls you are assessed against can change from one renewal to the next.
Two levels of certification
There are two levels of Cyber Essentials certification, forming a two-stage process:
Cyber Essentials is awarded when an organisation completes a self-assessment questionnaire and meets its requirements.
Cyber Essentials Plus is awarded when the organisation then undergoes an independent technical audit, which verifies that the controls declared in the self-assessment are actually in place and working effectively against attack. The Cyber Essentials Plus audit must be completed within three months of passing the Cyber Essentials self-assessment.
What are the Key Benefits of Cyber Essentials?
- Protection from cyber attack – the five controls address the most common attack techniques, and the scheme is widely cited as protecting against up to 80% of common cyber attacks
- Meet tender requirements – gain access to UK government contracts and a growing number of commercial contracts that require Cyber Essentials across their supply chain
- Reassure your key stakeholders – demonstrate that you have robust information security measures in place and comply with a government-recognised standard
- GDPR readiness – help your business address compliance requirements such as the General Data Protection Regulation (GDPR), which requires appropriate technical measures to protect personal data
- Cyber liability insurance – organisations with a turnover under £20m automatically receive cyber liability insurance with £25,000 of indemnity cover on certification (terms apply)
What are the Key Requirements of Cyber Essentials?
Cyber Essentials certification is awarded to organisations that can demonstrate, through the completion of a self-assessment questionnaire, that they have implemented five basic technical controls.
1. Use a firewall to secure your internet connection
You should protect your internet connection with a firewall. A firewall creates a ‘buffer zone’ between your IT network and external networks, including the internet, in which incoming traffic is inspected to decide whether or not it should be allowed onto your network. There are two types of firewall. The first is a personal (host-based) firewall running on each internet-connected computer; one is normally included in the operating system as standard and should be switched on, with a default of blocking unsolicited inbound connections.
If you have a more complicated set-up with a number of different devices, you will also need a dedicated boundary firewall. This second type places a protective buffer around your network as a whole. Some routers contain a firewall that can be used in this boundary protection role, but this cannot be assumed: check the documentation for your specific model or ask your internet service provider. Whichever device you use, its administrative interface should not be reachable from the internet, and any rule that opens a port inbound should have a documented business need.
2. Choose the most secure settings for your devices and software
Choose the most secure settings for your devices and software – Manufacturers often set the default configurations of new software and devices to be as open and multi-functional as possible. They come with ‘everything on’ to make them easy to connect and use. Unfortunately, these settings can also give cyber attackers opportunities to gain unauthorised access to your data, often with ease.
Check the settings – You should always check the settings of new software and devices and, where possible, make changes that raise your level of security: for example, by disabling or removing any functions, accounts or services that you do not require.
Use passwords – Your laptops, desktop computers, tablets and smartphones contain your data. They also store the details of the online accounts that you access, so both your devices and your accounts should always be password-protected.
Passwords – when implemented correctly they are an easy and effective way to prevent unauthorised users accessing your devices. Passwords should be easy for you to remember and hard for somebody else to guess (three random words is a good pattern). The default passwords on new devices, such as ‘admin’ and ‘password’, are the easiest of all for attackers to guess, so you must change every default password before a device is distributed and used. PINs or biometric unlock such as Touch ID can also aid device security.
Extra security – For ‘important’ accounts, such as banking, email and IT administration, you should use two-factor authentication, also known as 2FA or multi-factor authentication (MFA). A common example is a one-time code sent to your smartphone that is entered in addition to your password. Codes sent by SMS are better than nothing, but an authenticator app or a hardware security key is stronger, because SMS messages can be intercepted or redirected by an attacker who takes over your phone number.
3. Control who has access to your data and services
Control who has access to your data and services – To minimise the potential damage that could be done if an account is misused or stolen, staff accounts should have only enough access to software, settings, online services and device connectivity functions for the user to perform their role. Extra permissions should be granted only to those who need them, and removed when they are no longer needed.
Administrative accounts – Check what privileges your accounts have. Accounts with administrative privileges should be used only to perform administrative tasks, and standard accounts should be used for general work. By ensuring that your staff do not browse the web or check email from an account with administrative privileges, you cut down the chance that an admin account will be compromised. This matters because an attacker with unauthorised access to an administrative account can do far more damage than one who only controls a standard user account.
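The settings and account-privilege checks described in sections 2 and 3 can be scripted against an inventory export so that they are repeatable rather than a one-off tidy-up. The following Python is an added example, not code from Assure Technical or from the Cyber Essentials scheme. The device and account records, the short default-credential list and the list of risky services are constructed for illustration, and the password-length thresholds reflect the scheme's published rule at the time of writing (12 or more characters, or 8 or more where MFA also protects the account); check the current requirements document before relying on them.

```python
"""Configuration and account checks for the 'secure settings' and
'access control' controls, run over a constructed sample inventory.

Constructed sample data only: the devices, accounts and credential list
below are hypothetical and do not describe any real product or site.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# Factory logins commonly left on new network kit (illustrative excerpt, an assumption).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("cisco", "cisco"), ("ubnt", "ubnt"),
}

# Management services that should be off unless there is a documented need (assumption).
RISKY_SERVICES = {"telnet", "ftp", "upnp", "wan_admin", "snmp_v2_public"}


@dataclass
class Device:
    name: str
    admin_user: str
    admin_password: str
    enabled_services: FrozenSet[str]
    mfa_on_admin: bool


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool
    has_mailbox: bool        # an admin account with a mailbox is being used for email
    used_for_daily_work: bool


def password_meets_minimum(password: str, mfa: bool) -> bool:
    """12+ characters, or 8+ when MFA also protects the account
    (scheme thresholds at time of writing; verify against the current document)."""
    return len(password) >= 12 or (mfa and len(password) >= 8)


def check_device(d: Device) -> List[str]:
    """Flag unchanged factory credentials, short admin passwords and risky services."""
    findings = []
    if (d.admin_user, d.admin_password) in DEFAULT_CREDENTIALS:
        findings.append(f"{d.name}: default credentials still in use")
    elif not password_meets_minimum(d.admin_password, d.mfa_on_admin):
        findings.append(f"{d.name}: admin password too short for the chosen protection")
    for svc in sorted(d.enabled_services & RISKY_SERVICES):
        findings.append(f"{d.name}: unnecessary service enabled: {svc}")
    return findings


def check_account(a: Account) -> List[str]:
    """Admin accounts must have MFA and must not double as everyday accounts."""
    findings = []
    if a.is_admin:
        if not a.mfa_enabled:
            findings.append(f"{a.username}: admin account without MFA")
        if a.has_mailbox or a.used_for_daily_work:
            findings.append(f"{a.username}: admin account used for email or general work")
    return findings


def audit(devices: List[Device], accounts: List[Account]) -> List[str]:
    findings = []
    for d in devices:
        findings += check_device(d)
    for a in accounts:
        findings += check_account(a)
    return findings


# Constructed sample fleet (hypothetical).
SAMPLE_DEVICES = [
    Device("office-router", "admin", "admin", frozenset({"upnp", "https_admin"}), False),
    Device("edge-firewall", "admin", "Xq7!vR2#mLp9zT", frozenset({"https_admin"}), True),
    # Default changed, but the new password is short and telnet is still on.
    Device("wifi-ap", "ubnt", "s3cret!", frozenset({"telnet"}), False),
]
SAMPLE_ACCOUNTS = [
    Account("j.smith", False, True, True, True),          # standard user, fine
    Account("j.smith-admin", True, True, False, False),   # separate admin account, fine
    Account("itadmin", True, False, True, True),          # shared admin used for email
]

if __name__ == "__main__":
    for line in audit(SAMPLE_DEVICES, SAMPLE_ACCOUNTS):
        print(line)
```

Feeding the script a real export (for example a CSV from your MDM or identity provider) turns the two controls into a report you can re-run before each annual renewal; the separate "-admin" account for j.smith is the pattern section 3 asks for.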
4. Protect yourself from viruses and other malware
Malware is software or web content that has been designed to cause harm. For example, the WannaCry attack used ransomware, a form of malware that makes data or systems unusable until the victim makes a payment. Viruses are one of the best-known forms of malware: they attach themselves to legitimate programs and copy themselves whenever those programs are run. Worms, such as the one that spread WannaCry, go further and propagate themselves across a network without any user action.
How malware works – There are various ways in which malware can find its way onto a computer. A user may open an infected email, browse a compromised website or open an unknown file from removable storage media, such as a USB memory stick.
Three ways to defend against malware:
- Antivirus software is often included for free within popular operating systems. It should be used, and kept updated, on all computers and laptops. Enabling it on your office equipment makes you immediately safer from the most common attacks, although it will not stop everything.
- You should only download apps for mobile phones and tablets from manufacturer-approved stores (such as Google Play or the Apple App Store). Apps in these stores are vetted, which provides a certain level of protection from malware. You should prevent staff from installing apps from unknown vendors or sources, as these will not have been checked.
- For those unable to install antivirus or to limit users to approved stores, there is another, more technical, solution. Apps and programs can be run in a ‘sandbox’, an isolated environment such as a container, virtual machine or the browser's own isolation, which prevents them from interacting with, and harming, other parts of your devices or network.
5. Keep your devices and software up to date
Keep your devices and software up to date – No matter which phones, tablets, laptops or computers your organisation is using, it is important that they are kept up to date at all times. This is true for both operating systems and installed apps or software, and usually costs nothing beyond a little time. Manufacturers and developers release regular updates which not only add new features but also fix security vulnerabilities that have been discovered.
Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, software, devices and apps should all be set to ‘automatically update’ wherever this is an option, so that you are protected soon after an update is released. Where automatic updates are not available, Cyber Essentials requires updates that fix high or critical vulnerabilities to be applied within 14 days of release, so you need a way of spotting what is outstanding. All IT also has a limited lifespan: when a vendor stops releasing updates for your hardware or software, it is no longer considered supported and should be removed or replaced with a modern, supported alternative.
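The patching control above comes down to three questions for each item in your software inventory: is it still supported, is it set to update automatically, and if a security fix is outstanding, how long has it been waiting. The following Python is an added example, not code from Assure Technical or the Cyber Essentials scheme; the product names, versions and dates in the sample inventory are constructed and do not describe any real vendor release, and the 14-day limit is the scheme's published deadline for high or critical fixes (check the current requirements document). Note the version parser: comparing version strings as plain text would rank 2.10 below 2.9, so versions are split into integer tuples first.

```python
"""Security-update checks for the 'keep devices and software up to date'
control, run over a constructed sample software inventory.

Constructed sample data only: names, versions, release and end-of-support
dates below are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Deadline for applying updates that fix high or critical vulnerabilities
# (the scheme's published rule at time of writing; verify before relying on it).
PATCH_DEADLINE_DAYS = 14

# Fixed audit date so the sample results are reproducible.
AUDIT_DATE = date(2024, 6, 1)


@dataclass
class Software:
    name: str
    installed: str
    latest: str
    latest_released: date
    fixes_high_or_critical: bool   # does the outstanding update fix a high/critical issue?
    auto_update: bool
    end_of_support: Optional[date]  # None means the vendor still supports it


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' or '2.4.57-1' into a tuple of ints so ordering is numeric."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_behind(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def check_software(s: Software, today: date) -> List[str]:
    """Report unsupported products, disabled auto-update and outstanding updates."""
    findings = []
    if s.end_of_support is not None and s.end_of_support <= today:
        # Unsupported software fails the control outright; patch state is moot.
        findings.append(f"{s.name}: unsupported since {s.end_of_support}; remove or replace")
        return findings
    if not s.auto_update:
        findings.append(f"{s.name}: automatic updates disabled")
    if is_behind(s.installed, s.latest):
        age = (today - s.latest_released).days
        if s.fixes_high_or_critical and age > PATCH_DEADLINE_DAYS:
            findings.append(
                f"{s.name}: {s.installed} -> {s.latest} overdue "
                f"({age} days, limit {PATCH_DEADLINE_DAYS})"
            )
        else:
            findings.append(f"{s.name}: {s.installed} -> {s.latest} available ({age} days ago)")
    return findings


def audit_inventory(inventory: List[Software], today: date) -> List[str]:
    findings = []
    for item in inventory:
        findings += check_software(item, today)
    return findings


# Constructed sample inventory (hypothetical products and versions).
SAMPLE_INVENTORY = [
    Software("Browser", "124.0.6367", "125.0.6422", date(2024, 5, 14), True, True, None),
    Software("Office suite", "16.0.17425", "16.0.17531", date(2024, 5, 28), False, True, None),
    Software("Legacy OS", "6.1", "6.1", date(2020, 1, 14), False, False, date(2020, 1, 14)),
    Software("Firewall firmware", "7.0.12", "7.0.12", date(2024, 4, 2), False, False, None),
]

if __name__ == "__main__":
    for line in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(line)
```

In the sample run the browser update is 18 days old and fixes a critical issue, so it is reported as overdue; the office suite update is only four days old and is merely noted; the legacy operating system is reported as unsupported regardless of its patch state; and the firewall is current but has automatic updates switched off, which is worth fixing before the next firmware advisory.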
Pain-free Cyber Essentials certification
Assure Technical has been an IASME Certification Body since 2016. Since then, we have certified hundreds of organisations to Cyber Essentials and Cyber Essentials Plus.
Our competitively priced packages all come with unlimited non-judgemental support and pre-assessment reviews, so you pass first time and don’t have to worry about being charged for re-tests.
We also provide year round cyber advice as standard, so you can rest assured that your organisation is protected throughout the year.
Cyber Essentials doesn’t have to be a painful process. We make the process simple with our pragmatic, people-first approach.
You can watch Assure Technical’s managing director Pete Rucinski, explain the Cyber Essentials scheme in plain English here.
We understand that cyber security may be an intimidating topic; however, we are here to make security simple. If you would like to speak to one of our experts about cyber security, please get in touch.