Cyber security, and protecting a business from cyber criminals, is and always will be something that should be a priority, both as an employee and as a business owner.

You may have received emails that have some sort of malicious intent. Sometimes your email provider does most of the work to block them, but occasionally they slip through the net, and you have to be extra vigilant.

For a business with a lot of employees, being extra vigilant can be time consuming, but it’s a necessity, especially when the frequency of cyber breaches experienced by businesses is increasing.

Since 2016, the government-backed Cyber Security Breaches Survey has measured how organisations approach cyber security and the impact of any breaches.

In the 2022 survey, published July 2022, the number one key finding was how often an attack or breach is experienced. Of the 39% of businesses that identified breaches, 31% experienced a breach or attack at least once a week; 83% of these were phishing attacks, followed by 27% impersonation of business leaders and 21% malware.

With cyber crime not going away any time soon, and legislation like GDPR and the Data Protection Act biting at business heels, dealing with cyber crime takes time and costs money. All of that would be better spent investing in the right technology and putting the right measures in place to prevent a cyber breach from happening in the first place.

 

How can I stop a cyber attack?

You can’t stop a cyber criminal from trying to attack your business, but you can mitigate the damage the attack may cause, or make the effort less worthwhile.

Having and maintaining a number of network controls can help build a barrier against cyber attacks. We recommend deploying simple controls to increase the time and effort required for an attacker to breach a network. This is where Cyber Essentials comes in.

 

What is Cyber Essentials?

Cyber Essentials is a simple, yet effective, government-backed scheme to help a business of any type and size become secure against internet-based attacks.

The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to assess cyber attacks against businesses. They found that 70% of cyber attacks could be stopped or “significantly mitigated against” by implementing some basic technical controls. This set of technical controls is what makes up the Cyber Essentials scheme.

The scheme is designed to reduce the effectiveness of web based cyber-attacks against a business. In April 2023, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for Cyber Essentials. The updates will help ensure the scheme continues to help UK organisations protect themselves against cyber threats.

 

Why go for Cyber Essentials Certification?

There are a number of reasons why becoming a Cyber Essentials certified business is right for you (see the list below), but most importantly it provides credence that your business is taking cyber security and data protection seriously. This can be a huge benefit when winning contracts or assuring your customers that you are keeping their data safe.

  • It is a simple but effective government backed scheme
  • The scheme is backed by industry including the Federation of Small Business, the CBI and several insurance organisations
  • It is suitable for all sizes of organisation in any sector
  • It is a recognised cyber security level
  • It will help with the GDPR legal requirement for securing customer data
  • Since October 2014, Government contracts have required Cyber Essentials certification


Is it a requirement to have Cyber Essentials for the General Data Protection Regulation?

It is not a requirement, but it goes a long way to meeting the criteria set out by the GDPR.

The Data Protection Act 2018 (DPA) and Article 32 of the GDPR, which came into effect May 2018, state that “the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” – thus making it a legal responsibility of a business to ensure that customer data is secure.

The five essential controls implemented under Cyber Essentials go a long way to meeting the criteria set out in GDPR. GDPR also states that any third-party organisations, or suppliers, that access or share a business’s data should also implement appropriate controls. The National Cyber Security Centre (NCSC) holds a database of all companies that hold the Cyber Essentials certification, available online, so it is now very easy to identify which suppliers take their data security seriously.

 

Demonstrating commitment to Cyber Security

With GDPR requiring a certain set of criteria for data protection, the increase in breaches felt by businesses and the NCSC listing businesses who have the certification, there has been a large uptake of companies wanting to achieve the Cyber Essentials certification within the last 12 months.

As the cycle continues, having Cyber Essentials will become a standard minimum tender requirement. Since October 2014 the UK Government has already required that suppliers bidding for contracts involving the handling of certain sensitive and personal information be certified against the Cyber Essentials scheme.

 

How does it work and what happens?

Cyber threats are just like any business risk. They need to be assessed then actions need to be taken to remove, mitigate or accept the risk. So, by implementing the five key controls under Cyber Essentials certification you will significantly reduce some of the risks.

 

What are the five key Cyber Essential controls?

  • Boundary Firewalls – your outermost barrier between your network and the internet
  • Secure Configuration – how difficult it is to get into your systems
  • User Access Control – who has permission to access data and install software, for example
  • Malware Protection – continuous detection of malicious software
  • Patch Management – ensuring there are no known flaws in software which could be a way in for a cyber criminal

 

For certification, a business needs to demonstrate that they have these five technical controls implemented and that they are working sufficiently to stop any risk of a breach.

 

What is the difference between Cyber Essentials Basic and Cyber Essentials Plus?

There are two levels of certification: Cyber Essentials Basic and Cyber Essentials Plus.

Cyber Essentials is a self-assessment where you, the applicant, need to be able to answer questions that provide evidence you have the five technical controls implemented.

Cyber Essentials Plus is a verified version of the self-assessment; an external assessor tests and therefore proves that the technical controls are in place.

Stage            Cyber Essentials Basic    Cyber Essentials Plus
Questions        Yes                       Yes
Evaluation       Yes                       Yes
Verification     No                        Yes
Certification    Yes                       Yes
(A pass is required for all Key Controls)

 

What kind of questions are asked?

For the Cyber Essentials self-assessed questionnaire, the questions are based around the five key controls.

Key Control #1 – Boundary firewalls

  • Have you implemented a business grade firewall?
  • Have the default passwords it was supplied with been changed?
  • Are all unnecessary ports closed down?

Key Control #2 – Secure configuration and network management

  • Are your software packages kept up to date with security fixes?
  • Do you have an account lockout policy, to mitigate against brute force attacks?
  • Is auto-run disabled for USB, CD and DVD media?

Key Control #3 – User access control

  • Are all users forced to use secure passwords?
  • Are administrative accounts used for day-to-day internet browsing and email?
  • Do staff have the correct permissions to do the tasks they need?

Key Control #4 – Malware protection

  • How do you protect against malware on your network?
  • Do you use Anti-virus?
  • Is it kept up to date?
  • How often does it scan?
  • Does it scan web pages you visit?

Key Control #5 – Patch management

  • Are all systems still supported by a manufacturer who provides security updates?
  • Do all systems have security patches applied in a timely manner?
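As an added example (not code from the original page or from the Cyber Essentials scheme itself), the PowerShell below performs a read-only audit of a Windows endpoint against several of the questionnaire items above. The thresholds it uses (lockout attempts, signature age, patch age) and the assumption that Microsoft Defender is the malware protection in use are this example's own, not requirements of the scheme.

```powershell
# Added example: read-only audit of one Windows endpoint against the
# self-assessment questions. Thresholds below are assumptions for this
# example, not values taken from the Cyber Essentials scheme. Run elevated.

$results = @()

# Key Control #1: is the host firewall enabled on every profile?
$profiles = Get-NetFirewallProfile
$results += [pscustomobject]@{
    Control = '1 Boundary firewalls'
    Check   = 'Windows Firewall enabled on all profiles'
    Pass    = -not ($profiles | Where-Object { -not $_.Enabled })
}

# Key Control #2: account lockout policy, parsed from "net accounts"
# ("Lockout threshold: Never" yields no number, which we treat as 0)
$lockoutLine = (net accounts) | Where-Object { $_ -match '^Lockout threshold' }
$threshold = if ($lockoutLine -match '(\d+)$') { [int]$Matches[1] } else { 0 }
$results += [pscustomobject]@{
    Control = '2 Secure configuration'
    Check   = 'Account lockout threshold set (1-10 attempts)'
    Pass    = ($threshold -ge 1 -and $threshold -le 10)
}

# Key Control #2: AutoRun disabled for all drive types (NoDriveTypeAutoRun = 255)
$autorun = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
           -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = '2 Secure configuration'
    Check   = 'AutoRun disabled for removable media'
    Pass    = ($autorun.NoDriveTypeAutoRun -eq 255)
}

# Key Control #4: Defender enabled, real-time protection on, signatures recent
$mp = Get-MpComputerStatus
$results += [pscustomobject]@{
    Control = '4 Malware protection'
    Check   = 'Defender on with signatures under 7 days old'
    Pass    = ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and
               $mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))
}

# Key Control #5: at least one hotfix installed within the last 30 days
$lastPatch = (Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$results += [pscustomobject]@{
    Control = '5 Patch management'
    Check   = 'Most recent hotfix within 30 days'
    Pass    = [bool]($lastPatch -and $lastPatch -gt (Get-Date).AddDays(-30))
}

$results | Format-Table -AutoSize
```

A "False" row points at the questionnaire item to fix before applying; the script changes nothing on the host.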

 

What is Cyber Essentials Plus?

Cyber Essentials Plus is an audited version of the basic assessment. Part of the process before the audit takes place is to agree which parts of the network are in and out of scope. The technical audit then verifies that the Cyber Essentials controls are in place and ensures that all business locations meet the minimum criteria for each control section and have adequate defences against the threats in scope.

Auditing for Cyber Essentials Plus can be done by undertaking several tests on a customer’s site (the applicant).

The first test audits Key Control #1, Boundary Firewalls.

Remote vulnerability assessment

The purpose is to test whether an Internet-based opportunist attacker can hack into the Applicant’s system with typical low-skill methods. We look for open ports on the firewall and assess the security of services using those ports.

The second test covers the requirement for Patch Management (Key Control #5).

Check patching via an authenticated vulnerability scan

This identifies missing patches and security updates that leave vulnerabilities within the scope of the scheme which could potentially be easily exploited. Both operating system updates and software updates are tested.

The last three tests focus on Malware Protection (Key control #4) in particular for End User devices (EUDs).

Check malware protection on End User Devices

This checks that all of the EUDs in scope benefit from at least a basic level of malware protection.

Check effectiveness of EUD defences against malware delivered by email

A test to decide whether EUDs are protected against malware that is delivered via email attachments. To facilitate this, a selection of safe test files that should be detected as malware is sent to the applicant’s email system.

Check EUD defences against malware delivered through a website

This tests whether EUDs have protection from malware delivered through a website. Similar to the test above, the assessor attempts to download from the internet a selection of test files relevant to your particular operating system.

Testing Criteria

Each test has its own criteria for passing, however, if the Cyber Essentials controls have been implemented successfully then there should be no trouble passing the audit tests for Cyber Essentials Plus.

 

To recap

  • Having Cyber Essentials certification demonstrates your commitment to cyber security and protecting data.
  • Cyber Essentials is a simple but effective set of five controls for managing cyber threats and is government and industry backed
  • The difference between the two levels of Cyber Essentials is that Cyber Essentials Plus goes one-step further and verifies that the five key controls are in place and working.
  • Time and money put into preventing a cyber breach will outweigh the cost of the damage caused by a cyber attack.

 

As a fully trained and licensed Certification Body, we’ll help you implement and achieve the Cyber Essentials and Cyber Essentials Plus certifications.
