Ultimate Guide to Cyber Essentials
Cyber attacks are an ever-growing threat to individuals and businesses as criminals move their efforts online in their attempts to make money illegally.
Whether it is protecting the data of your employees, securing payment information or ensuring your customers' details are not compromised, protection from online attacks is now a necessity when running a business.
Cyber Essentials is a government-backed scheme that helps businesses and organisations protect themselves from threats that surface online.
The scheme can grant organisations one of two 'badges', and is suitable for businesses of any size and in any sector.
In this guide we’ll cover the following:
- What is Cyber Essentials?
- Cyber Essentials Plus
- 5 Controls of Cyber Essentials
- 5 Reasons to have Cyber Essentials
- Cyber Essentials with OmniCyber Security
- How to get Cyber Essentials
What is the Cyber Essentials certification?
Cyber Essentials is a simple yet effective government-backed scheme designed to help you protect your organisation, whatever its size, against the most common cyber attacks.
Cyber attacks come in a variety of forms, ranging from basic to very complex. Around 80% are very basic in nature and are carried out by relatively unskilled individuals: they are the digital equivalent of a thief trying your front door to see if it is unlocked. Cyber Essentials is designed to protect your organisation from these simple, opportunistic attacks that make up the large majority of incidents.
Clients in every industry can benefit from obtaining the Cyber Essentials certification. Most organisations collect confidential client data; however, many do not have adequate security measures in place to protect it.
Implementing a nationally recognised information security standard such as Cyber Essentials puts in place the basic precautions needed to protect your network and the information stored within it, reducing the risk from both internal and external threats.
Because it follows the guidelines set out by the NCSC, the Cyber Essentials certification process also shows organisations where their security posture is weak and how they can protect their business from cyber threats.
Additionally, the certification gives your business credible evidence that it takes information security seriously.
To obtain the Cyber Essentials certificate, you must complete a Self-Assessment on a portal provided to you by OmniCyber Security in association with IASME. Upon completion of the Self-Assessment, an OmniCyber Security assessor will review your answers and declare a pass or fail. In the event of a pass, OmniCyber Security will issue you with your Cyber Essentials certification. In the event of a fail, the assessor will provide a feedback report. From receipt of the report, you will have two working days to make the necessary changes and then resubmit your answers for assessment.
Achieving certification is valuable, visible proof that your organisation has acknowledged the threat posed to it and has set out to improve the protection of its information.
An organisation with an annual turnover of less than £20,000,000 that achieves self-assessed certification covering its whole organisation, to either the basic level of Cyber Essentials or the IASME Standard, is automatically awarded cyber liability insurance covering up to £25,000 of damages.
Cyber Essentials PLUS
Cyber Essentials PLUS is a more advanced certification that builds on the technical controls outlined in the initial Cyber Essentials certification. It is only awarded if the organisation passes an audit conducted by OmniCyber Security, which evaluates the technical controls covered by the basic Cyber Essentials engagement. The technical controls OmniCyber Security will audit are:
- Boundary firewalls and internet gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
The key difference between Cyber Essentials and Cyber Essentials PLUS is the technical audit carried out in addition to the self-assessment. The audit provides an objective, hands-on check of your current security controls, so a Cyber Essentials PLUS certificate shows that your cyber defences have been verified rather than self-declared.
During the Cyber Essentials PLUS audit, the auditor conducts both an external and an internal vulnerability scan, which highlight the weaknesses of your environment. To pass this element, a clean scan with no 'critical' or 'high' vulnerabilities is required (in CVSS v3 terms, 'high' is a base score of 7.0 to 8.9 and 'critical' is 9.0 to 10.0, so nothing scoring 7.0 or above may remain).
It is quite common for organisations to fail at this element of the engagement, because the vulnerability scanner will highlight flaws that may leave your organisation exposed. With a Cyber Essentials PLUS gap analysis through OmniCyber Security, we can identify areas of weakness before the audit, giving you time to remediate them before certification.
Because of the technical audit required for Cyber Essentials PLUS, this certification is highly suitable for all businesses looking for a genuine improvement in their cybersecurity posture.
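The pass criterion above is easier to apply if the scanner's raw output is reduced to a per-host remediation list. The following is an added example written for this guide, not code from the Cyber Essentials scheme or from OmniCyber Security. It assumes each finding carries a CVSS v3 base score and uses the standard CVSS v3 qualitative bands (High 7.0 to 8.9, Critical 9.0 to 10.0); the sample findings, host names and plugin names are constructed. It also merges the same finding reported on several ports of one host into a single item, since that is one fix, not several.

```python
"""Triage vulnerability-scan findings against a 'no high/critical' gate.

Added example for this guide; not the scheme's or OmniCyber Security's tooling.
Assumptions: each finding has a CVSS v3 base score; severity bands are the standard
CVSS v3 qualitative ratings. All sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample findings in the shape most scanners export (one row per host/port/plugin).
SAMPLE_FINDINGS = [
    {"host": "mail.example.test", "port": 22,   "plugin": "OpenSSH < 9.x multiple vulns", "cvss3": 8.1},
    {"host": "mail.example.test", "port": 2222, "plugin": "OpenSSH < 9.x multiple vulns", "cvss3": 8.1},
    {"host": "mail.example.test", "port": 25,   "plugin": "SSL self-signed certificate",  "cvss3": 6.5},
    {"host": "www.example.test",  "port": 443,  "plugin": "Apache httpd end of life",     "cvss3": 10.0},
    {"host": "www.example.test",  "port": 80,   "plugin": "HTTP TRACE enabled",           "cvss3": 5.3},
    {"host": "laptop-07",         "port": 0,    "plugin": "Chrome < 120 RCE",             "cvss3": 9.6},
    {"host": "laptop-07",         "port": 0,    "plugin": "ICMP timestamp disclosure",    "cvss3": 2.1},
    {"host": "laptop-08",         "port": 445,  "plugin": "SMB signing not required",     "cvss3": 5.3},
]


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (FIRST's standard bands)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def triage(findings, blocking=("high", "critical")):
    """Return (passed, blockers_by_host).

    Findings with the same host and plugin are merged (highest score wins, ports
    collected) so the output is a list of fixes rather than a list of scanner rows.
    The gate passes only if no merged finding lands in a blocking band.
    """
    merged = {}
    for f in findings:
        entry = merged.setdefault((f["host"], f["plugin"]), {"score": 0.0, "ports": set()})
        entry["score"] = max(entry["score"], float(f["cvss3"]))
        entry["ports"].add(int(f["port"]))

    blockers = defaultdict(list)
    for (host, plugin), e in merged.items():
        sev = severity(e["score"])
        if sev in blocking:
            blockers[host].append((plugin, e["score"], sev, sorted(e["ports"])))
    for host in blockers:                      # most serious first, for remediation order
        blockers[host].sort(key=lambda t: t[1], reverse=True)
    return (len(blockers) == 0, dict(blockers))


def report(findings) -> str:
    """Human-readable gate result with the per-host fix list."""
    passed, blockers = triage(findings)
    lines = ["GATE: PASS" if passed else "GATE: FAIL"]
    for host, items in sorted(blockers.items()):
        lines.append(f"{host}:")
        for plugin, score, sev, ports in items:
            lines.append(f"  [{sev.upper():8}] {score:>4}  {plugin}  ports={ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```

Run against the sample, the gate fails on three hosts and lists five fixes; the OpenSSH finding on ports 22 and 2222 of the mail server appears once. Medium and low findings are not blockers for this gate, but they are still worth clearing before the audit.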
Cyber Essentials 5 Controls
1. Update security settings
Devices and software are typically shipped with default security settings. These settings often err on the side of connectivity and functionality over security. If settings are left at their defaults, they give cybercriminals opportunities to gain unauthorised access to your data.
Hence, you should review and configure the settings on all new devices and all new software before they are put into use.
Your organisation and its staff should use passwords on any device that can access or hold your data. This applies to smartphones, tablets, desktops and laptops. In all cases, default passwords must be changed.
You should also set up two-factor authentication (2FA) for critical accounts, such as those used for IT administration and online banking. You can find more information in the NCSC's guide to password administration for system owners.
Device security can be further improved by removing services, functions and accounts that are not needed.
2. Configure your firewall
A firewall is a gateway between your devices or network and the internet or other networks. Personal (host-based) firewalls run on individual devices such as laptops and desktops; they are typically free and included as part of the device's operating system.
Dedicated boundary firewalls protect your network as a whole, and some routers fulfil this role. Cyber Essentials requires you to configure your firewalls so that only the services you intend to expose are reachable from outside. A correctly configured personal firewall is especially important on devices that connect to untrusted or public Wi-Fi networks, where the boundary firewall cannot protect them.
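Both the "remove unneeded services" point in control 1 and the firewall rule in control 2 come down to the same question: which services on a machine are listening on network-facing addresses, and are they meant to be? The following is an added example for this guide, not code from the scheme or from OmniCyber Security. It parses the output format of the Linux `ss -ltnp` command (a header line followed by one LISTEN row per socket) and compares each network-facing listener with an approval list. The sample output, the process names and the approved-port policy are constructed.

```python
"""List network-reachable listening services that are not on an approved list.

Added example for this guide; not from the Cyber Essentials scheme or OmniCyber Security.
Parses the `ss -ltnp` (Linux) output format. Sample output and policy are constructed.
"""
import re

# Constructed `ss -ltnp` output from a hypothetical small-office server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
LISTEN 0      4096   0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2210,fd=5))
LISTEN 0      128    [::]:23             [::]:*            users:(("telnetd",pid=900,fd=4))
LISTEN 0      4096   *:443               *:*               users:(("nginx",pid=1500,fd=6))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=700,fd=7))
"""

# Policy (assumption for this example): only these TCP ports may be reachable from the network.
APPROVED_EXPOSED_PORTS = {22, 443}
LOOPBACK = {"127.0.0.1", "::1"}          # bound here means reachable only from the host itself

PROC_RE = re.compile(r'users:\(\("([^"]+)"')   # first process name in the Process column


def split_addr_port(field: str):
    """'[::]:23' -> ('::', 23); '0.0.0.0:22' -> ('0.0.0.0', 22); '*:443' -> ('*', 443)."""
    addr, port = field.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def parse_ss(output: str):
    """Return one dict per LISTEN row: bound address, port and owning process name."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = split_addr_port(parts[3])
        m = PROC_RE.search(line)
        rows.append({"addr": addr, "port": port, "proc": m.group(1) if m else "?"})
    return rows


def audit(output: str, approved=APPROVED_EXPOSED_PORTS):
    """Listeners that are reachable from the network (not loopback-only) and not approved."""
    findings = []
    for r in parse_ss(output):
        if r["addr"] in LOOPBACK:
            continue                               # local-only service: not exposed
        if r["port"] in approved:
            continue                               # deliberately exposed
        findings.append(r)
    return findings


def describe(findings):
    """Remediation lines: either remove the service or block it at the firewall."""
    return [
        f"port {r['port']}/tcp ({r['proc']}) listening on {r['addr']}: "
        "remove the service if unneeded, otherwise block it at the boundary and host firewall"
        for r in findings
    ]


if __name__ == "__main__":
    for line in describe(audit(SAMPLE_SS_OUTPUT)):
        print(line)
```

On the sample, the database bound to 127.0.0.1 and the print spooler bound to ::1 are not reported, SSH and HTTPS are approved, and the VNC and telnet listeners are flagged. A service bound to a specific LAN address (not loopback) is still treated as exposed, which is the right default: the boundary firewall may not stop a neighbour on the same network.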
3. Control access to your data
Staff should only have access to software, services, and settings that are essential for their role. Extra permissions or privileges should only be given to those who carry out admin tasks. Furthermore, staff must not check emails or browse the web from accounts with extra privileges. If these accounts become compromised, then the potential damage can be severe.
Your organisation should only use official and trustworthy software. We recommend only installing apps or software from official stores, such as the Apple App Store or Google Play, which screen applications for malware.
Under Cyber Essentials Certification, you must control data access through accounts, and admin permissions must only be given to those who need them.
4. Protect against viruses and malware
Malware is malicious software; two common types are viruses and ransomware. Ransomware is becoming more prevalent and aims to extort money from a business by locking it out of its own IT systems and devices.
Viruses work by infecting genuine software and then passing unnoticed from one device to the next. Viruses often enter a system through email attachments, removable storage devices or devices that browse malicious websites.
Anti-malware software is often included with new devices, but it is vital to install its updates as they are released. Your organisation can further protect its devices through whitelisting (also called allow-listing). A whitelist is a list of apps or software that staff are permitted to run; all other apps or software are blocked.
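How a whitelist identifies an approved application matters: matching on file name lets anything renamed to look approved through, while matching on the file's content hash does not. The following is an added example for this guide, not the scheme's guidance or any product's implementation. It builds two constructed "executables" in a temporary directory, approves one by SHA-256, and then tries the two obvious evasions; the file names and contents are made up for the demonstration.

```python
"""Application whitelisting by content hash, contrasted with a name-based rule.

Added example for this guide; not from the Cyber Essentials scheme, OmniCyber Security,
or any allow-listing product. The 'binaries' created below are constructed byte strings.
"""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class AllowList:
    """Digests of approved binaries. Anything else is denied by default."""

    def __init__(self):
        self.digests = {}

    def approve(self, path: str, label: str):
        self.digests[sha256_of(path)] = label

    def decide(self, path: str):
        """Return (allowed, reason) for an execution request."""
        d = sha256_of(path)
        if d in self.digests:
            return True, f"matches approved '{self.digests[d]}'"
        return False, "not on allow list"


def path_allowed(path: str, approved_names) -> bool:
    """A name-based rule, shown only to contrast with the hash rule."""
    return os.path.basename(path) in approved_names


def demo():
    """Approve one constructed binary, then attempt two evasions. Returns the decisions."""
    results = {}
    with tempfile.TemporaryDirectory() as td:
        good = os.path.join(td, "accounts.exe")
        bad = os.path.join(td, "invoice.pdf.exe")
        with open(good, "wb") as f:
            f.write(b"MZ constructed approved accounting tool v1.0")
        with open(bad, "wb") as f:
            f.write(b"MZ constructed dropper payload")

        allow = AllowList()
        allow.approve(good, "Accounts v1.0")
        results["approved"] = allow.decide(good)[0]            # True
        results["unknown"] = allow.decide(bad)[0]              # False

        # Evasion 1: give the unapproved file an approved name in another folder.
        sub = os.path.join(td, "Downloads")
        os.mkdir(sub)
        spoof = os.path.join(sub, "accounts.exe")
        os.rename(bad, spoof)
        results["name_spoof_hash_rule"] = allow.decide(spoof)[0]             # False: digest unchanged
        results["name_spoof_path_rule"] = path_allowed(spoof, {"accounts.exe"})  # True: name rule fooled

        # Evasion 2: tamper with the approved binary (trojanise it). Its digest changes.
        with open(good, "ab") as f:
            f.write(b"\x90\x90\x90\x90")
        results["tampered_approved"] = allow.decide(good)[0]   # False
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} allowed={v}")
```

The flip side of hash matching is operational: every legitimate update changes the digest, so the allow list must be refreshed as part of patching, which is why real products also accept publisher signatures. The principle is unchanged: decide on something the attacker cannot choose freely, and deny everything else.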
5. Ensure all devices install updates
Installing updates for operating systems, apps and software on laptops, desktops, tablets and smartphones is vital. Developers and manufacturers release updates in a process called patching; these patches fix vulnerabilities that have been discovered. Enabling automatic updates on all devices ensures this happens without relying on anyone remembering to do it.
When manufacturers no longer support software or hardware, no further security fixes will be released, and it is time to replace it.
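Checking this control across an estate means answering two questions per installed product: is it still supported, and if an important update exists, how long has it been waiting? The following is an added example for this guide, not code from the scheme or from OmniCyber Security. It assumes the Cyber Essentials patching rule that updates rated high or critical must be installed within 14 days of release, treated here as a parameter; products past their vendor end-of-support date are reported as failures in their own right. The inventory, version strings and dates are constructed.

```python
"""Audit a device inventory for overdue high/critical updates and unsupported software.

Added example for this guide; not from the Cyber Essentials scheme or OmniCyber Security.
Assumptions: a 14-day window for high/critical updates (the scheme's patching rule, as a
parameter here); vendor end-of-support dates are known. All inventory data is constructed.
"""
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)
URGENT = ("high", "critical")

# Constructed inventory: installed vs. latest version, when the latest was released,
# how the vendor rated it, and the product's end-of-support date if any.
SAMPLE_INVENTORY = [
    {"device": "laptop-01", "software": "Windows 11",        "installed": "23H2-2024.02", "latest": "23H2-2024.03",
     "released": date(2024, 3, 12), "severity": "critical", "end_of_support": None},
    {"device": "laptop-02", "software": "Windows 11",        "installed": "23H2-2024.03", "latest": "23H2-2024.03",
     "released": date(2024, 3, 12), "severity": "critical", "end_of_support": None},
    {"device": "recept-pc", "software": "Windows 7",         "installed": "SP1",          "latest": "SP1",
     "released": date(2011, 2, 22), "severity": "low",      "end_of_support": date(2020, 1, 14)},
    {"device": "laptop-01", "software": "Chrome",            "installed": "122.0",        "latest": "123.0",
     "released": date(2024, 3, 20), "severity": "high",     "end_of_support": None},
    {"device": "srv-files", "software": "Ubuntu 22.04 kernel", "installed": "5.15.0-97",  "latest": "5.15.0-101",
     "released": date(2024, 3, 1),  "severity": "medium",   "end_of_support": None},
]


def assess(item: dict, today: date) -> str:
    """Classify one row as 'unsupported', 'overdue', 'pending' or 'ok'."""
    eos = item["end_of_support"]
    if eos is not None and today > eos:
        return "unsupported"                      # no fixes will ever arrive: replace it
    if item["installed"] == item["latest"]:
        return "ok"
    age = today - item["released"]
    if item["severity"] in URGENT and age > PATCH_WINDOW:
        return "overdue"                          # past the 14-day window
    return "pending"                              # update available, still inside the window


def audit(inventory, today: date) -> dict:
    """Group (device, software) pairs by status."""
    out = {"unsupported": [], "overdue": [], "pending": [], "ok": []}
    for item in inventory:
        out[assess(item, today)].append((item["device"], item["software"]))
    return out


def compliant(inventory, today: date) -> bool:
    """The control is met only with nothing unsupported and nothing overdue."""
    r = audit(inventory, today)
    return not r["unsupported"] and not r["overdue"]


if __name__ == "__main__":
    today = date(2024, 3, 29)                     # fixed so the sample output is reproducible
    for status, items in audit(SAMPLE_INVENTORY, today).items():
        print(f"{status:12} {items}")
    print("compliant:", compliant(SAMPLE_INVENTORY, today))
```

With the sample dated 29 March 2024, the 17-day-old critical Windows update on laptop-01 is overdue, the 9-day-old Chrome update is still pending, the Windows 7 machine is unsupported, and the medium-rated kernel update is reported as pending rather than overdue because the hard deadline applies to high and critical updates. Run with an earlier date and the Windows update drops back to pending, but the unsupported machine still fails the control.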
Five reasons why your business needs Cyber Essentials certification
1. Cyber Essentials protects your business
Protection is vital in a world in which online attacks are becoming more and more prevalent. According to Executive Compass, Cyber Essentials certification protects your business from up to 80% of cyber attacks.
The certification provides a baseline of protection by helping you secure your internet connection, devices and software.
2. Cyber Essentials saves you money
Accenture reported the average cost of a severe malware attack on a company at approximately £1.9m, which is far from cheap.
By gaining this basic protection for as little as £300 through the Cyber Essentials scheme, businesses can save substantial sums by guarding against online attacks. Companies and organisations can also apply for Cyber Essentials Plus certification, which provides expert verification for an added cost, offering further assurance.
3. It gives peace of mind
If you’re a business owner or in charge of running an organisation, the last thing you need to add to your plate is a cyber-attack causing mayhem in the office. By opting for Cyber Essentials certification, you’re protecting your business from the most common attacks.
Not only will you be protecting yourself, but you will be ensuring that every employee, customer or client can rest safe in the knowledge that their data is protected when working with you.
4. Cyber Essentials will bring you more business
Cyber Essentials certification is already a requirement for some government contracts, and it is likely to become a mandatory requirement for more organisations and companies in future.
By joining the scheme now, you will be proactively ensuring that future customers and clients are fully aware of your commitment to protecting their information.
Think about it this way: would you rather work with a company that is demonstrably committed to protecting you and itself from cyber attacks, or one that merely talks about it?
5. It will save you time
You might not see Cyber Essentials certification as something you have time for right now, but it will certainly seem that way if you leave it too late and become the victim of an online attack.
The truth is that the average time it takes to resolve an attack is 50 full working days. This is time no company can afford to waste, especially given the risk of reputational damage that also comes with attacks of this nature.
By investing time now, you will save countless working hours in the future should your business be targeted.
Cyber Essentials with OmniCyber Security
• Technical Expertise – OmniCyber Security will provide you with industry-leading experts to audit your organisation and give you the information required to pass the Cyber Essentials scheme and obtain the certificate that best suits your organisation's needs.
• Expert Advice – Our industry experts can provide the highest quality technical advice to help your organisation meet the guidelines set by the NCSC.
• Affordable Quality – Due to the size and structure of OmniCyber Security, we can offer our clients the best quality service at very competitive market rates.
• Always Available – We are on hand to answer your questions. Our clients can contact OmniCyber’s consultants directly, rather than having to go through a wall of account managers. We are known for our rapid turnaround.
How to get Cyber Essentials certified?
If you're convinced, getting certified under the Cyber Essentials scheme is a straightforward process, and OmniCyber Security can help you do it.
For standard certification, you need only complete a three-step process: completing the self-assessment questionnaire through an accredited body, review of your answers by an assessor, and issue of the certificate on a pass.
Should you want further assurance against online attacks, you can opt for Cyber Essentials Plus, which adds verification of your security controls by independent experts.