Cyber Essentials is a government-backed scheme that helps businesses and organisations protect themselves from threats that surface online. The scheme can grant organisations one of two ‘badges’, and is suitable for businesses of any size, and in any sector.
In this guide we’ll cover the following:
- What is Cyber Essentials?
- Cyber Essentials Plus
- 5 Controls of Cyber Essentials
- 5 Reasons to have Cyber Essentials
- Cyber Essentials with OmniCyber Security
- How to get Cyber Essentials
What is the Cyber Essentials certification?
Cyber Essentials is a simple government-backed scheme designed to help you protect your organisation, whatever its size, against the most common cyber-attacks.
Cyber-attacks come in a variety of formats, ranging from basic to very complex. Roughly 80% of cyber-attacks are very basic and are carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. The Cyber Essentials certification is designed to protect your organisation from these simple exploits.
Clients in every industry can benefit from obtaining this certification. Most organisations will collect confidential client data; however, many organisations do not have adequate security measures in place to protect it.
Implementing a nationally recognised information security standard such as the Cyber Essentials certification gives you the precautionary measures needed to protect your network and the information stored within it, while minimising both internal and external threats. By following the guidelines set out by the NCSC, the Cyber Essentials certification helps the organisations that adopt it understand where their security posture is weak and how they can protect their business from cyber threats.
Additionally, this certification will provide your business with the credibility that it takes information security seriously. To obtain the Cyber Essentials certificate, you must complete a Self-Assessment on a portal provided to you by OmniCyber Security in association with IASME. Upon completion of the Self-Assessment, an OmniCyber Security assessor will review your answers and declare a pass or fail. In the event of a pass, OmniCyber Security will issue you with your Cyber Essentials certification. In the event of a fail, the assessor will provide a feedback report. From receipt of the report, you will be expected to implement any changes advised to meet the Cyber Essentials Standard before resubmission. Achieving certification is valuable and visible proof that your organisation has acknowledged the threat posed to it and has willingly set out to improve its commitment to protecting its information.
Should an organisation with an annual turnover of less than £20,000,000 achieve self-assessed certification covering their whole organisation to either the basic level of Cyber Essentials or the IASME Standard, they are automatically awarded Cyber Liability Insurance, covering up to £25,000 of damages.
Cyber Essentials PLUS
Cyber Essentials Plus is a more advanced certification that builds on the technical controls outlined in the initial Cyber Essentials certification. This certification is only awarded if the organisation passes an audit conducted by OmniCyber Security which evaluates the technical controls outlined as part of the basic Cyber Essentials engagement. The technical controls OmniCyber Security will audit are:
- Secure Configuration
- User Access Control
- Malware Protection
- Security Update Management
The key difference between CE and CE Plus is the technical audit carried out in addition to the self-assessment. The technical audit provides an objective analysis of your current security controls, so when you pass Cyber Essentials Plus, your certification is backed by verified evidence that your cyber defences are in place and working.
During the Cyber Essentials Plus audit, the auditor will conduct both an external and an internal vulnerability scan that will highlight the weaknesses of your cyber environment. To pass this stage, a clean scan containing no ‘critical’ or ‘high’ vulnerabilities is required. It is quite common for organisations to fail at this stage of the assessment, as the vulnerability scanner will highlight flaws that may leave your organisation exposed.
With a Cyber Essentials Plus Gap Analysis through OmniCyber Security, we can highlight areas of weakness before the audit, giving you time to remediate the weaknesses found before certification. Because of the technical audit required for Cyber Essentials Plus, this certification is regarded as highly suitable for all businesses looking for a genuine improvement in their current cybersecurity posture.
Cyber Essentials 5 Controls
For a complete understanding of what is required to meet the Cyber Essentials standard, please read the Cyber Essentials Requirements for Infrastructure authored by the NCSC. By implementing the guidance set out within the document, you’ll be guaranteed to sail through both Cyber Essentials and Cyber Essentials Plus certification.
1. Secure Configuration
Devices and software are typically released with default security settings. These settings often err on the side of connectivity and functionality rather than vault-like security. If settings remain at their defaults, this gives cybercriminals opportunities to gain unauthorised access to your data.
Hence, you should configure the settings on all new devices and all new software yourself. Your organisation and its staff should use passwords on any device that can access or hold your data. This applies to smartphones, tablets, desktops, and laptops. In all cases, passwords should be changed from their default. You should also set up multi-factor authentication (MFA) for all accounts where possible. These accounts include those used for IT administration and online banking. You can find out more information in the NCSC’s guide to password administration for system owners. Secure configuration can be further improved by removing services, functions, and accounts that are unnecessary.
2. Configure your firewall
A firewall is a gateway between your devices or network and the internet or other IT networks. Personal (host) firewalls are found on devices such as laptops or desktops; they are typically free and included as part of the device’s operating system. Dedicated network boundary firewalls protect your network as a whole, and some routers fit into this space. Cyber Essentials certification requires you to configure your firewall, and this is especially important for devices that connect to untrusted or public Wi-Fi networks.
3. Access control to your data
Staff should only have access to software, services, and settings that are essential for their role. Extra permissions or privileges should only be given to those who carry out admin tasks. Furthermore, staff must not check emails or browse the web from accounts with extra privileges. If these accounts become compromised, then the potential damage can be severe. Your organisation should only use official and trustworthy software. We recommend only installing apps or software from official stores such as the Apple App Store or Google Play, which screen applications for malware.
Under Cyber Essentials Certification, you must control data access through accounts, and admin permissions must only be given to those who need them.
Access control also includes the authentication mechanism used to securely access your data. Currently, it is recommended that multi-factor authentication be used wherever possible to mitigate the risk of malicious hackers brute-forcing their way into data that should be secured.
4. Protect against viruses and malware
Malware is malicious software; two common types are viruses and ransomware. Ransomware is becoming more prevalent and is used to extort money from a business by locking it out of its IT systems and devices. Viruses work by infecting genuine software and then pass unnoticed from one device to the next. Viruses often enter a system through email attachments, removable storage devices, or devices that browse malicious websites. Anti-malware software is often included with new devices, but it is vital to install its updates as they are released. Your organisation can further protect its devices through whitelisting (application allow-listing). A whitelist is a list of apps or software that your staff are permitted to use; all other apps or software are then blocked.
5. Ensure all devices install updates
Installing updates for operating systems, apps, and software on laptops, desktops, tablets, and smartphones is vital. Developers and manufacturers release updates in a process called patching. These patches are fixes for vulnerabilities that have been discovered. It helps to enable auto-update on all devices so that this process happens automatically.
When manufacturers no longer support software or hardware, it is time to consider a replacement.
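The five control areas above are described at the policy level. As an added example (not code from OmniCyber Security, IASME or the NCSC), the following Python script checks a constructed device inventory against those controls and reports the gaps per device. The inventory fields, the 14-day window for outstanding security updates and the 7-day limit for anti-malware definitions are assumptions made for this illustration, not figures taken from the article.

```python
"""Added illustration: assess a constructed device inventory against the five
Cyber Essentials control areas. Field names and thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed thresholds for this example (not stated in the article above).
PATCH_WINDOW_DAYS = 14       # a missing security update older than this is a gap
SIGNATURE_MAX_AGE_DAYS = 7   # anti-malware definitions older than this are stale


@dataclass
class Device:
    name: str
    default_credentials_changed: bool   # control 1: secure configuration
    mfa_enabled: bool                   # controls 1 and 3: MFA wherever possible
    host_firewall_enabled: bool         # control 2: firewall configured
    admin_used_for_email_or_web: bool   # control 3: privileged accounts must not browse or read mail
    signature_age_days: int             # control 4: age of anti-malware definitions
    oldest_missing_patch_days: int      # control 5: -1 means fully patched
    vendor_supported: bool              # control 5: unsupported means replace


def assess_device(device: Device) -> list[tuple[str, str]]:
    """Return (control area, finding) pairs; an empty list means no gaps found."""
    findings: list[tuple[str, str]] = []
    if not device.default_credentials_changed:
        findings.append(("secure configuration", "default credentials still in use"))
    if not device.mfa_enabled:
        findings.append(("access control", "multi-factor authentication not enabled"))
    if not device.host_firewall_enabled:
        findings.append(("firewall", "host firewall disabled"))
    if device.admin_used_for_email_or_web:
        findings.append(("access control", "privileged account used for email or web browsing"))
    if device.signature_age_days > SIGNATURE_MAX_AGE_DAYS:
        findings.append(("malware protection",
                         f"anti-malware definitions are {device.signature_age_days} days old"))
    if not device.vendor_supported:
        # Out-of-support software or hardware cannot be patched, so it is a gap on its own.
        findings.append(("update management", "software or hardware no longer supported by the vendor"))
    elif device.oldest_missing_patch_days > PATCH_WINDOW_DAYS:
        findings.append(("update management",
                         f"security update outstanding for {device.oldest_missing_patch_days} days"))
    return findings


def assess_fleet(devices: list[Device]) -> dict[str, list[tuple[str, str]]]:
    """Map each device name to its list of findings."""
    return {d.name: assess_device(d) for d in devices}


def failing_devices(devices: list[Device]) -> list[str]:
    """Names of devices with at least one finding, sorted for stable reporting."""
    return sorted(name for name, found in assess_fleet(devices).items() if found)


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Device("laptop-01", True, True, True, False, 1, -1, True),
    Device("router-edge", False, False, True, False, 0, 30, True),
    Device("desktop-07", True, True, False, True, 20, 5, True),
    Device("server-legacy", True, True, True, False, 3, -1, False),
]

if __name__ == "__main__":
    for name, findings in assess_fleet(SAMPLE_FLEET).items():
        status = "OK" if not findings else f"{len(findings)} gap(s)"
        print(f"{name}: {status}")
        for control, detail in findings:
            print(f"  [{control}] {detail}")
```

In practice the inventory would be populated from an asset register or endpoint management tool rather than typed in by hand; the point of the script is that each of the five control areas maps to a concrete, checkable property of every in-scope device.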
Five reasons why your business needs Cyber Essentials certification
1. Cyber Essentials protects your business
Protection is vital in a world in which online attacks are becoming more and more prevalent. Having a Cyber Essentials certification protects your business from up to 80% of cyber-attacks. The certification provides a layer of coverage that grants your organisation protection by helping secure things like your internet connection, devices, and software.
2. Cyber Essentials saves you money
The average cost of a data breach is estimated at $4.45m – that’s far from cheap. By verifying and understanding your security posture against the Cyber Essentials standard, businesses can save significant sums by working to protect themselves from online attacks. Companies and organisations can also apply for a Cyber Essentials Plus certification, which provides expert verification for an added cost – offering further protection.
3. It gives peace of mind
If you’re a business owner or in charge of running an organisation, the last thing you need to add to your plate is a cyber-attack causing mayhem in the office. By opting for Cyber Essentials certification, you’re protecting your business from the most common attacks. Not only will you be protecting yourself, but you’ll be ensuring that every employee, customer or client can rest safely in the knowledge that their data is safe when working with you.
4. Cyber Essentials will bring you more business
Cyber Essentials certification is already a requirement for some government contracts, and it will likely become a mandatory requirement for organisations and companies in the future. By becoming part of the scheme now, you will be proactively ensuring that future customers and clients are fully aware of your commitment to protecting their information.
5. It will save you time
You might not see Cyber Essentials certification as a necessity you have time for right now, but it will certainly seem that way if you leave it too late and become a victim of a cyber-attack. The truth is that the average time it takes to resolve an attack sits at 50 full working days. This is time no company can afford to waste, especially given the inherent risk of damage to the business’s reputation that also comes with attacks of this nature. By investing time now, you’ll be saving countless working hours in the future.
Cyber Essentials with OmniCyber Security
- Technical Expertise – OmniCyber Security will provide you with industry-leading experts to audit your organisation and help provide you with the necessary information required to pass the Cyber Essentials scheme and obtain the Cyber Essentials certificate that best suits the needs of your organisation.
- Expert Advice – Our industry experts can provide the highest quality technical advice to help your organisation meet the guidelines set by the NCSC.
- Affordable Quality – Due to the size and structure of OmniCyber Security, we can offer our clients the best quality service at very competitive market rates.
How to get Cyber Essentials certified
It’s a straightforward process to get certified by the Cyber Essentials scheme with OmniCyber Security.
For a standard certification, you only need to complete a three-step process, involving self-certification through an accredited body and completing a questionnaire. On completion with a pass, you are awarded your certification.
Meanwhile, should you wish to gain further enhanced protection from online attacks, you can opt for Cyber Essentials Plus, which involves verification of your security controls by independent experts.