The Cyber Essentials scheme has been developed by the Government and industry to fulfil two functions:
It provides clear guidance regarding the basic controls all organisations should implement to mitigate the risks from common internet-based threats.
Through the Assurance Framework it also offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that the company has taken essential precautions.
Cyber Essentials offers a sound foundation of basic IT hygiene measures that all types of organisations can implement and potentially build upon. The government believes that implementing these measures can significantly reduce an organisation’s cyber vulnerability. Please bear in mind, it does not offer a silver shield to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence organisations facing these threats will need to implement additional measures as part of their security strategy. What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.
Why is this relevant and when did it all start?
Back in 2012, the UK Government launched its ‘10 Steps to Cyber Security’ and subsequently the ‘Small Businesses: What you need to know about Cyber Security’ guidance manual to encourage organisations to consider how well they were managing their cyber risks. The Government emphasised the need for company Boards and senior executives to take ownership of these risks and ensure that they have considered them adequately in their risk management regime. The initiatives gained traction and industry was very receptive to the government’s cyber security advice and guidance.
After the success of these initiatives, industry wanted evidence for their dedication to cyber security and thus the Cyber Essentials accreditation was born.
The government has since worked with industry to develop new requirements. This is the Cyber Essentials scheme, which focuses on basic cyber hygiene.
The scope of the Cyber Essentials scheme covers the basics of cyber security in a small business or corporate IT system. Implementation of these controls can significantly reduce the risk of prevalent but unskilled cyber-attacks. For many organisations, especially those with significant information assets or those that are exposed to a wider range of threats, Cyber Essentials will be a practical component of wider ranging cyber security procedures.
Cyber Essentials concentrates on five key controls. These are:
Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks. Good setup of these devices either in software/hardware form is important for them to be fully effective.
Secure Configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
Access Control – ensuring only those who should have access to systems do have access and at the appropriate level.
Malware protection – ensuring that virus and malware protection is installed and is up to date
Patch Management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
The basic Cyber Essentials is a self-certified process. You can go through the tick list and work on your systems yourself or alternatively we are available at Apex Computing Services Ltd to carry out the work on your behalf. We are based in Salford Quays, Manchester but can travel anywhere in the U.K.
Xyone then passes the paperwork on to APMG, who are one of the five Accreditation Bodies specially selected by the National Cyber Security Centre (NCSC) to oversee Cyber Essentials. They are like an examination body who will give you the certificate to say you have been awarded the Cyber Essentials accreditation. You will then be allowed to put the Cyber Essentials Logo on your website & in email signatures. This is a badge that demonstrates that you take cyber security seriously and are dedicated to a safer cyber environment.
To find out more about the process and the accreditation bodies, check out the link: https://www.cyberessentials.ncsc.gov.uk/getting-certified/
As stories of organisations exposing customers’ information to cyber threats continue to create headlines in the media, it is becoming increasingly important for organisations to not only maintain a robust cyber security stance but also to demonstrate this to clients.
The next level:
Cyber Essentials Plus
Cyber Essentials Plus is independently tested. The Plus test doesn’t just take your word for it, an independent adjudicator is sent out to assess if what you say has been carried out. The Cyber Essentials Plus holds a higher level of assurance through the external testing of the organisation’s security approach.
For more information on Cyber Essentials or Cyber Essentials Plus, or for advice on basic Cyber Security give our Manchester based office a call on 0161 233 0099.