What is Cyber Essentials?
It is a UK Government-backed scheme aimed at increasing the cyber security level of UK businesses. It was launched in 2014 and is operated by the National Cyber Security Centre (NCSC) in combination with its Cyber Essentials partner IASME. Cyber Essentials is important as the NCSC sees it as representing a minimum baseline for cyber security in the UK, so a good start for organisations trying to protect themselves. It aims to help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks. At its basic level, Cyber Essentials certification is a self-assessment questionnaire which is reviewed by trained assessors. Cyber Essentials Plus includes the self-assessment questionnaire as well as gaining additional expert oversight of your cyber security controls.
The Cyber Essentials scheme covers five technical areas: firewalls, secure configuration, user access control, malware protection and security update management (patching). These are described below.
Firewalls
A firewall protects the boundary of a network or a computer system. Connections to a device are checked and either blocked or allowed through depending on the firewall rules. A firewall can be a physical device connected to the network, part of an existing hardware device (e.g., the router provided by your internet service provider), or software running on the computer itself, either as part of the operating system or as a standalone application.
External services that a business needs in order to operate, such as a virtual private network (VPN), may require connections to be allowed through the firewall. Cyber Essentials requires the applicant to consider which services are actually needed and to make sure that any which are no longer required are disabled.
Secure configuration
When first setting up computer devices, their default settings should be reviewed. Devices are often built to be as open and multifunctional as possible so that they are easier for less technical users, and this can lead to weaker security. When setting up devices and services, consider ways to make them more secure, such as longer passwords (a length of 12 characters or more should be adopted, and the password should be strong and complex) and multi-factor authentication (MFA, often called 2FA), which requires the user to provide two or more verification factors to gain access.
User access control
This is the management of access to data and accounts. Administrator accounts should be limited to those users who need them; this should be tracked and approved by a suitable senior manager or board member. Admin accounts should also not be used for day-to-day activities such as browsing the internet or receiving email. Additionally, users should only have access to the business data they need to carry out their work: a salesperson, for example, would not need access to human resources (HR) data. This limits the damage that could be done if an account were accessed by an unauthorised person.
Malware protection
Anti-malware software consists of tools and programs designed to identify and prevent malicious software (known as malware) from infecting computer systems or electronic devices. These tools should be installed on computer systems with the engine and definitions updated regularly. They should scan files when downloaded, external storage when inserted, and web pages when visited, to ensure they are not malicious.
Security update management
Patching is the process of repairing a vulnerability or flaw that is identified after an application or piece of software has been released. Operating systems and applications regularly receive updates containing new features and vulnerability fixes. These should be installed in a timely manner, which Cyber Essentials defines as no more than 14 days, to prevent attackers from exploiting these vulnerabilities to gain access to systems or data.
Where possible, software should be set to update automatically.
When a manufacturer declares a piece of software or a hardware device 'end of life' and stops producing updates, the product should be removed from service. Since it is no longer supported, any vulnerabilities found subsequently will not be fixed, which puts data at risk.
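As an added illustration (not part of the original article), the following check applies the 14-day patch window and the end-of-life rule described above to a constructed software inventory; the product names, versions and dates are made up.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Cyber Essentials expects security updates to be applied within 14 days of
# release, and products the vendor no longer supports to be removed from service.
PATCH_WINDOW_DAYS = 14


@dataclass
class Asset:
    name: str
    version: str
    supported: bool                   # False once the vendor has declared end of life
    fix_released: Optional[date]      # date the vendor published the security fix
    fix_installed: Optional[date]     # date the fix was applied; None if still pending


def assess_asset(asset: Asset, today: date) -> List[str]:
    """Return the findings for one asset; an empty list means it is compliant."""
    findings: List[str] = []
    if not asset.supported:
        # Unsupported products get no further fixes, so they must be retired.
        findings.append("unsupported: remove from service")
        return findings
    if asset.fix_released is not None:
        # Measure to the install date, or to today if the fix is still outstanding.
        applied_by = asset.fix_installed or today
        elapsed = (applied_by - asset.fix_released).days
        if elapsed > PATCH_WINDOW_DAYS:
            state = "applied" if asset.fix_installed else "still pending"
            findings.append(f"patch {state} after {elapsed} days (limit {PATCH_WINDOW_DAYS})")
    return findings


def assess_inventory(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    return {a.name: assess_asset(a, today) for a in assets}


# Constructed sample inventory (hypothetical products and dates, not real data).
SAMPLE_INVENTORY = [
    Asset("office-suite", "4.2", True, date(2024, 3, 1), date(2024, 3, 10)),
    Asset("vpn-client", "1.9", True, date(2024, 3, 1), date(2024, 3, 20)),
    Asset("file-server", "7.0", True, date(2024, 3, 1), None),
    Asset("legacy-router", "2.1", False, None, None),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_INVENTORY, date(2024, 3, 30)).items():
        print(name, findings or "compliant")
```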
How to help protect yourself/your company
Here are some ways to help protect yourself and your company’s data:
- Use longer, less easily guessable passwords; following guidance such as the NCSC's three random words advice, or using a password manager, can help
- Enable multi-factor authentication on all user and administration accounts
- Make sure administration accounts are not used for day-to-day activities (such as email and web browsing)
- Keep operating systems, applications and firmware patched and up to date
- Stop using devices and software that are no longer supported by the manufacturer
Arcanum is one of the Trusted Partners at The Cyber Resilience Centre for Wales (WCRC). WCRC works with a host of Trusted Partners, such as Arcanum and other established local cyber security consultancies, whose expertise helps inform the centre about the latest cyber threats and how to reduce risks, and who assist WCRC members with Cyber Essentials (Plus) certification and technical service investigations.
If you would like to speak to someone about Cyber Essentials and how you and your business can become certified, then contact Arcanum or a member of the team at the WCRC who will happily talk you through the process.