According to the GOV.UK website, Cyber Essentials was established back in 2014 as the result of collaboration between the UK Government, the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF). Its aim is to help organisations regardless of size or industry, ‘protect themselves against common online threats’ and gain accreditation for implementing a number of technical controls.
What are the 5 Cyber Essentials technical controls?
In order to gain Cyber Essentials accreditation, there are 5 technical controls that must be implemented to protect your organisation against the most common forms of cyber attack. Covering firewall and routers, secure configuration, access control, protection against malware and the updating of software, you will be assessed on:
Without these technical controls in place, your organisation is vulnerable to even the most basic cyber attack, there is the risk that it could also become a target to a more sophisticated one. It stands to reason that cyber criminals will specifically target those who aren’t Cyber Essentials accredited.
There are 2 levels of certification:
What is the ‘basic’ Cyber Essentials?
This is a self-assessment option and comes in the form of a questionnaire composed of 8 sections containing a total of 70 questions. Having prepared your answers (and note that a board level representative, business owner or equivalent must sign off these answers) it is commonly reported that this process alone results in a company-wide change in cyber security policy.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the same as the Cyber Essentials certification but also involves an independent technical audit of your systems. In order to qualify for this, your Cyber Essentials verified self-assessed audit must be no older than 3 months.
What is involved in a Cyber Essentials Plus audit?
Up to 5 of each type of device used in your organisation will be selected for testing. Every one must be configured in accordance with the certification.
According to the information detailed on the Cyber Essentials’ website, the audit also includes:
A vulnerability scan. Is patching and basic configuration at an acceptable level?
An external port scan of internet facing IP addresses. Are there any identifiable misconfigurations or vulnerabilities?
Default email/internet browser testing. Is there sufficient configuration to prevent execution of fake malicious files?
Why opt for Cyber Essentials Plus?
The main benefit is that your organisation has been independently assessed and deemed compliant. In terms of the cost of an assessment by an approved certification body - you can request a quote from the IASME website or contact them direct.
What are the 5 technical controls?
In order to comply with Cyber Essentials, all of the devices used within your organisation must be protected by a firewall and thus prevent unauthorised access to your internal network. Within set parameters known as ‘firewall rules’, a boundary firewall will allow or block traffic depending on where that traffic has come from, where it’s going and the communication protocol.
All of the computers and network devices used within your organisation must be securely configured. Some examples include: ensuring there are no superfluous user accounts; that passwords aren’t too obvious or can be guessed; you have no unnecessary software installed and/or making sure anyone with access to sensitive data undergoes authentication prior to access.
User access control
The degree of access you give to the people in your organisation should be based solely on the role you want them to perform. This applies to the functionality of software, settings, online services and device connectivity. If anyone is given extra permissions e.g. admin status then you have to be extra vigilant. There could be more serious consequences for your organisation if security is compromised via a higher account level of access.
Malware in the form of viruses, worms and spyware is designed to cause considerable harm in the form of email attachments, downloads and unauthorised software. You must protect your organisation by either:
All of the devices in your organisation must have installed software that is up to date. To be compliant, your software should be licensed and supported (and removed when no longer supported) plus patched within 14 days of an update that is fixing an issue that is either ‘critical’ or ‘high risk’.
How we can help
At Impreza IT, we have a dedicated cybersecurity team to help keep you and your data safe and protected. We can help you with the following:
Mobile device management
As part of Microsoft EM+S, Intune is a mobile device management solution which prevents unauthorised access and allows for the remote wiping of devices.
Cloud managed identity-driven security
Be confident that users are secure regardless of location. We recommend Multi-Factor Authentication (MFA) is implemented as an added layer of security to reduce the risk of unauthorised logins. It’s a secondary means of confirming the identity of the people in your organisation.
Controlling how your data is processed
Azure Information Protection is included as part of Microsoft EM+S and allows you to set specific policies to prevent the misuse of company data.
Microsoft Advanced Threat Protection (ATP) for Office 365 ensures protection from potential threats which can be delivered by email and includes scanning emails for malicious attachments and blocking or quarantining them.
Secure messaging as part of Microsoft EM+S allows users to encrypt emails so only the intended recipient can access them.
By implementing a dedicated next generation firewall, you can consolidate your security solutions and be assured of enterprise-class security. Microsoft’s WatchGuard enables network administrators to extend their security perimeter to the cloud and protect servers running within a public cloud environment.
We recommend business-class Webroot software to deliver comprehensive antivirus protection which covers mobile devices, users, e-mails and data. We conduct full network audits to identify gaps in security and apply remediation measures.
Want to know more?
If you would like to know more Cyber Essentials and how we can help your organisation install the controls needed to aid the accreditation process, please contact our cyber security team. We’re here to safeguard both you and your data.
We'd love to hear from you. Call 01634 299800 or send an email using the form below.