Cyber Essentials

What Is Cyber Essentials?

Cyber Essentials is a UK Government-backed scheme that aims to reduce the threat of common cyber attacks across the UK for micro businesses through to established enterprises.


As organisations rely ever more heavily on their IT infrastructure for day-to-day operations, the cyber threats posed to them have also increased. By meeting the Cyber Essentials standard, you’ll not only reduce the likelihood of a successful cyber attack, but also provide assurance to your clients or customers that you take data security seriously.


There are two levels of certification under the Cyber Essentials standard, described below:



Cyber Essentials – Self Assessment


The standalone Cyber Essentials certification requires a self-assessment to be completed, which is then marked by a qualified Cyber Essentials Assessor. The question set asks for details of the following five technical controls:


  1. Firewalls
  2. Secure Configuration
  3. Security Update Management
  4. User Access Control
  5. Malware Protection


Answering the questions in full gives the assessor a better understanding of the organisation, and the assessor will issue a certificate should the assessment comply with the standard. With a good grasp and understanding of the five technical controls, the likelihood of a successful cyber attack on your organisation would be greatly reduced.



Cyber Essentials Plus – Audited


Cyber Essentials Plus is the next step: validating that the controls you have in place are effective. To achieve Cyber Essentials Plus, the applying organisation must already have achieved Cyber Essentials (Self Assessment) as a prerequisite. The organisation must also pass 5 technical tests carried out by a qualified assessor. The 5 tests are as follows:


Test 1 – External Vulnerability Scan


A vulnerability scan of all ports on the external-facing assets of your organisation will be carried out. External addresses are generally open for the world to see, so ensuring your perimeter is secure will help to mitigate threats from the automated scans that run across the internet. It’s the digital equivalent of thieves knocking on a door to find out whether it’s unlocked for further exploitation.

A clean scan with no High or Critical vulnerabilities, with qualification from an assessor, is required to pass this test.



Test 2 – Internal Vulnerability Scan


A sample set of End User Devices and Servers will be agreed by the assessor, based on the submission provided for the Cyber Essentials certification. An internal vulnerability scan will be run on the agreed devices in scope to identify any vulnerabilities arising from either security misconfiguration or a lack of appropriate patching. Attackers may try to find vulnerabilities caused by misconfiguration or missing updates and exploit them to gain a foothold within the digital estate. Ensuring patching is commensurate with the Cyber Essentials standard will certainly reduce the likelihood of exploitation.

A clean scan with no High or Critical vulnerabilities, with qualification from an assessor, is required to pass this test.



Test 3 – Malware Protection


Malware protection measures will be checked against the sample set of End User Devices. This test includes checking that the malware protection is up to date and that it works, via email and browser testing. An assessor will review your antivirus and attempt to launch fake malware through their testing site and email platform. Protection against all payloads would be expected, to ensure nothing malicious can be executed. The assessor will also check mobile devices to ensure that they have not been jailbroken/rooted and are currently up to date.


Test 4 – Multi-factor Authentication (MFA)


Multi-factor authentication is a silver bullet against password spraying attacks and will certainly help to protect your organisation if implemented appropriately. To pass this element, MFA on all cloud services in use will be tested to ensure it’s operational.



Test 5 – Account Separation


An assessor will verify that account separation is in place between User and Administrator accounts. Account separation is necessary to guard against both external attackers and internal threats. It’s important to understand that if everybody had the keys to the castle, you may as well leave the front door open.

Upon completion, a certificate valid for 1 year will be issued.


Is Cyber Essentials mandatory?


It depends. Although Cyber Essentials isn’t a blanket requirement for every organisation in the UK, it certainly helps. As businesses begin to shine a light on their supply chains, having Cyber Essentials will certainly be a benefit in the supplier due diligence process, helping to attract business.

Some government contracts already require Cyber Essentials certification, with other industries quickly catching up.


OmniCyber Security are experts in Cyber Essentials and Cyber Essentials Plus, and we offer support at every stage of the assessment. Contact our team today to talk about how Cyber Essentials can benefit your business.

Author: Amait Boora, Information Security Consultant

Amait is a Cyber Security Consultant with expertise in Cyber Essentials, Cyber Essentials Plus, and ISO 27001 auditing. With a focus on enhancing organisational security, Amait shares valuable insights to empower businesses in safeguarding their digital assets.
