For any organisation looking to take cyber security seriously, the Cyber Essentials scheme is a great starting point. Cyber Essentials validates your current cyber security posture against a government-backed baseline, with clarity on the essential security controls required to reduce the risk posed by cyber threats with low levels of technical ability.
As the cyber security model of the UK matures, Cyber Essentials plays a vital role in ensuring diligence throughout supply chains. Cyber Essentials certification can prove to your clients, customers, and suppliers that you are taking cyber security seriously.
Cyber Essentials Controls
Cyber Essentials covers the following 5 technical controls: Firewalls, Secure Configuration, Security Update Management (Patching), User Access Control & Malware Protection.
- Firewalls – Firewalls are critical to organisations as they filter out unnecessary connections that could be malicious. It’s imperative that firewalls are configured appropriately to ensure the virtual front door of your organisation is appropriately secured.
- Secure Configuration – It’s always nice getting new gear in use out of the box, however, it’s vital to configure new technology securely. Often workstations may come with a lot of bloatware that may not be relevant for your business use. Securely configuring these machines to a gold standard for your organisation can greatly reduce the risk that may stem from unused applications.
- Security Update Management (Patching) – New cyber security threats are discovered almost daily, with manufacturers regularly issuing patches for areas that may be at risk. Ensuring that you’re up to date with your patching provided by manufacturers can vastly reduce the danger of an exploit being launched successfully. Understanding how your organisation’s patching operates can greatly help mitigate risks from unpatched devices.
- User Access Control – Secure access control is critical in ensuring your digital infrastructure is secure. If everybody had administrative rights, all sorts of malware may be unknowingly installed even with good intentions, so separating user accounts from administrative accounts is vital towards achieving the Cyber Essentials standard. This can be explored further by having access control policies to certain sensitive resources that could be considered confidential. Often having an RBAC system (Role Based Access Control) will help many organisations so that users have appropriate access for their respective roles only.
- Malware Protection – Malware protection often does what it says on the tin, protection against malware. To meet the Cyber Essentials standard, functioning malware protection would need to be demonstrated that is up to date. Often signature-based detection is used, as such these are updated regularly as new threats are introduced almost daily. If any known malicious signatures are detected, it’s common for malware protection to intervene and quarantine/block the detected threat.
Cyber Essentials Certification
Achieving Cyber Essentials certification will ensure that you’re meeting the basic requirements across the 5 technical control areas via a verified self-assessment. To further demonstrate compliance towards the Cyber Essentials Standard, OmniCyber Security also conduct Cyber Essentials Plus audits, whereby an auditor will conduct tests to technically validate the verified self-assessment. Some organisations have already begun to include achieving Cyber Essentials Plus as a minimum requirement for tenders, as the UK cyber security strategy continues to develop, this could very well become a new normal.
Certifications under the Cyber Essentials Standard (including Cyber Essentials Plus) will remain valid for 1 year, before recertification will be needed. Although not a legal requirement, you may consider Cyber Essentials as an annual MOT of an organisation’s cyber security posture. As changes are likely to occur across organisations annually, keeping an up-to-date certificate will ensure you’re continually on top of your technical controls.
Contact Omni today to find out more about getting Cyber Essentials certified.
Author: Amait Boora, Information Security Consultant
Amait is a Cyber Security Consultant with expertise in Cyber Essentials, Cyber Essentials Plus, and ISO 27001 auditing. With a focus on enhancing organisational security, Amait shares valuable insights to empower businesses in safeguarding their digital assets.
