Cyber Essentials is a UK Government-backed information assurance scheme operated by the National Cyber Security Centre that encourages businesses to adopt good practice in information security. The scheme was launched in 2014 as a joint venture between the National Cyber Security Centre (NCSC) and the UK Government.
Cyber Essentials identifies the security controls that an organisation must have in place within its IT systems in order to have confidence that it is addressing cyber security effectively and mitigating the risk from internet-based threats.
Obtaining Cyber Essentials certification demonstrates an organisation’s commitment to security and protecting their data. Evidence has shown that businesses that achieve Cyber Essentials can protect against 80% of cyber attacks.
Cyber Essentials is a self-assessment scheme in which businesses complete a questionnaire to verify that their IT is suitably secure and meets the standards set by Cyber Essentials. This is then reviewed and assessed by a Certification Body. Once a business has passed, it is awarded a Cyber Essentials certificate.
Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme. Cyber Essentials Plus ensures you have the five technical controls in place, with cyber security verification completed by a CyberSmart qualified auditor.
All businesses will hold and access some form of data. This can include confidential client information, employee data, suppliers’ information, customer marketing records, etc.
Here are 4 reasons why you need to have Cyber Essentials:
- Protection – Cyber-attacks are on the rise, and your staff may not be as aware of cyber security as they should be; with things changing all the time, it’s hard to keep them up to date. Without a robust security solution in place, your data is vulnerable to criminals. The Cyber Essentials scheme prevents over 80% of the most common computer security breaches. It aims to provide businesses with a strong base from which to reduce the risk from these prevalent, but unskilled, cyber-attacks.
- Assurance – Achieving Cyber Essentials certification demonstrates to your customers, suppliers and other partners that you take data security seriously. It is a quick way to show that you have done your due diligence and are putting controls in place to protect information. This gives them more confidence that they can trust you and encourages them to work with you.
- Compliance – You are legally required to protect the data you hold within your business, particularly if it belongs to clients/customers, whether these are existing or previous. The introduction of The General Data Protection Regulation (GDPR) in May 2018 means that you must have solutions in place to protect that data, and be able to demonstrate these.
- Opportunity – Achieving Cyber Essentials can allow you to bid for contracts which involve the handling of sensitive information and the provision of certain technical services. The UK Government has set a good example to UK businesses, highlighting the importance of a secure supply chain for ongoing business. Not only does this defend the integrity of government information, it could even give your company a competitive advantage when bidding for public sector tenders. Cyber Essentials is fast becoming a prerequisite for doing business because the certification provides third-party assurance of the company’s cyber security.
The Cyber Essentials scheme provides businesses with clarity on which essential security controls they need to have in place to reduce the risk posed by internet-based threats from attackers with low levels of technical capability.
Organisations that are good at cyber security can make this a selling point – demonstrating to their customers through the Cyber Essentials certification that they take cyber security seriously.
Here are 4 benefits of achieving Cyber Essentials:
- Protects your organisation from 80% of common cyber threats – When implemented, the 5 technical controls within the scheme help your organisation protect against 80% of common cyber-attacks and tighten security. The 5 controls are firewalls, secure configuration, user access control, anti-malware and phishing.
- Increased credibility and reputation – Achieving Cyber Essentials certification shows your commitment to protecting your own data and that of your customers and clients. The certification increases the reputation of your business and shows your organisation is taking preventative action to reduce the threat from cyber-attacks.
- Win government contracts and open business opportunities – If your organisation is looking to bid for government contracts, you will need to be Cyber Essentials certified. New business opportunities open up because certification demonstrates to business partners and new clients that you are working in a safe and secure digital environment.
- Eligible for free cyber insurance cover – Showing that your organisation is compliant with the scheme means that you could be eligible for free cyber insurance cover, with a coverage limit of £25,000.
Cyber Essentials is a government-backed certification scheme that enables you to demonstrate that your business has taken the necessary steps to protect against cyber attacks. This scheme tests your information system against five technical security controls:
Firewalls
This control will apply to every business where employees have access to the internet. Internet gateways and firewalls will identify and prevent unwanted traffic gaining access to your network, computers, and systems. The controls you need to apply will include changing any default/admin passwords, ensuring firewalls are properly set up, etc.
Secure Configuration
A new computer or piece of software is rarely properly configured with its factory settings. This means if you carried on using a device on its default settings, it is open to cyber risks. All computers and network devices should be configured securely to reduce risk. This will include reducing or removing unnecessary software and changing default settings and passwords.
Access Control
A significant number of data and cyber breaches occur from abuse of administrative user accounts in a business. Organisations and businesses should aim to only let certain individuals have special access privileges according to their role and responsibilities. Companies can look to manage this by performing a number of controls, such as having unique usernames and passwords, and keeping all account information in a secure, protected location.
Malware
Where computers and systems are exposed to the internet, they will need to be protected from malware. Malware is a programme, or virus, that has been coded with the intent to perform unauthorised actions on one or more computers. Organisations should at a minimum look to protect all computers that are connected to the internet, whether by cable or wirelessly. Other actions include keeping anti-malware software up to date and setting regular (daily) full scans to ensure early detection of malware.
Patch Management
As with any software, regular updates are released to address security issues, add features and improve performance. Vulnerabilities in software that hasn’t been updated become a weak spot that can be used to gain access to networks and computer systems. Organisations and businesses should ensure the following: remove out-of-date software, and apply all security patches as soon as they are available, and no later than 14 days after release.
The Cyber Essentials scheme is not covered by binding regulation; however, for certain businesses Cyber Essentials is a mandatory requirement in order to secure contracts, and in this blog post we describe the conditions under which certification can be necessary.
Government Contracts
Cyber Essentials is mandatory for businesses looking for specific government contracts.
Unless your business achieves Cyber Essentials, you will not be able to bid or maintain such contracts at all. In general, these contracts will involve the handling of personal information or delivering certain IT products and services.
Essentially all government contracts where your business will be required to:
- Handle the personal information of any UK citizens, e.g. bank details or home addresses.
- Handle the personal information of any government employees, ministers, or advisors, e.g. payroll or expenses information.
- Deliver IT products or services designed to store, process, or transfer data at an official level.
Ministry of Defence Contracts
The UK Ministry of Defence (MOD) places further emphasis on businesses being Cyber Essentials certified and requires all its suppliers to comply with the Cyber Essentials scheme. The MOD stated in its announcement that this requirement must flow down to the supply chain, effectively mandating that both organisations directly conducting business with the MOD and organisations delivering to the MOD supply chain must be Cyber Essentials certified to carry on doing business or to win contracts going forward.
Businesses sometimes presume that if they have undergone ISO 27001 certification they will not need the seemingly less complex Cyber Essentials controls. The reality is that Cyber Essentials can still be very beneficial for companies who hold ISO 27001.
At its heart, ISO 27001 is a risk management certification. This means that an organisation decides, after examining its information security risks, which security controls it is going to implement. The organisation may choose to put in place a different set of controls to those in Cyber Essentials and may decide to accept the risk of not implementing certain Cyber Essentials controls.
Cyber Essentials focuses on protection of data and programs on networks, computers, servers, and other elements of an IT infrastructure.
This becomes particularly important when looking at risk management within a supply chain. Cyber Essentials is a prescriptive standard, and so it gives more confidence to the person responsible for procurement that a business has implemented the five specific controls that are part of the standard.
This is why Cyber Essentials certification is often mandated throughout a supply chain regardless of ISO 27001 certification.
Cyber Essentials certification is valid for one year. The UK government recommends that you renew your certification at least annually. From 1 April 2020, certificates will be issued with a 12-month expiry date.
The NCSC will remove businesses from the online ‘certified organisations’ list if they have not been certified in the past year.
The assessment process is a ‘snapshot’ in time and can only be sure to be effective on the day of assessment, similar to an MOT on a car. As with the MOT, the car will not remain roadworthy without regular maintenance. We therefore recommend that businesses maintain the principles of the Cyber Essentials scheme on an ongoing basis (for example, ensuring that patching always occurs in a timely fashion and that malware protection is kept up to date) and do not just prepare for the assessment.
You can use CyberSmart to maintain your Cyber Essentials on an ongoing basis.
To achieve Cyber Essentials you will need to complete a self-assessment questionnaire, which will be reviewed and verified by a Certification Body Assessor.
Before filling out the questionnaire, you should ensure all devices within the scope of the assessment (any PCs, laptops, mobile phones, tablets or servers that handle company data) are compliant with the Cyber Essentials standard:
Choose the most secure settings for your devices and software
☐ Know what ‘configuration’ means
☐ Find the Settings of your device and try to turn off a function that you don’t need
☐ Find the Settings of a piece of software you regularly use and try to turn off a function that you don’t need
☐ Read the NCSC guidance on passwords
☐ Make sure you’re still happy with your passwords
☐ Read up about two-factor authentication
Control who has access to your data and services
☐ Read up on accounts and permissions
☐ Understand the concept of ‘least privilege’
☐ Know who has administrative privileges on your machine
☐ Know what counts as an administrative task
☐ Set up a minimal user account on one of your devices
Protect yourself from viruses and other malware
☐ Know what malware is and how it can get onto your devices
☐ Identify three ways to protect against malware
☐ Read up about anti-virus applications
☐ Install an antivirus application on one of your devices and test for viruses
☐ Research secure places to buy apps, such as Google Play and Apple App Store
☐ Understand what a ‘sandbox’ is
Keep your devices and software up to date
☐ Know what ‘patching’ is
☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’
☐ Try to set a piece of software that you regularly use to ‘Automatic update’
☐ List all the software you have which is no longer supported
Alternatively, use CyberSmart, which guides you step by step, in a non-technical way, through implementing and achieving Cyber Essentials. The time taken to achieve Cyber Essentials will largely depend on how compliant your IT systems are with the control areas of the standard.
If your business already has adequate IT practices in place, the process should be quick and efficient when using a fully digital process. Simply complete the self-assessment questionnaire, sign the declaration and submit it to CyberSmart.
From the time we receive your self-assessment questionnaire, CyberSmart will review and verify your submission the same working day. We aim to have you certified within 24 hours.
Some of our customers have completed certification within a few short hours and others who needed to make changes to their systems have taken a few weeks. CyberSmart has accelerated the process of achieving Cyber Essentials for your business.
Simply go to https://app.cybersmart.co.uk/signup and create an account. Select the desired plan and complete the onboarding process to gain access to your CyberSmart dashboard.
Complete your Cyber Essentials self-assessment questionnaire and submit for review by our Assessors.
Once your self-assessment questionnaire submission is approved, CyberSmart will award your certificate. You will receive both a digital and a physical copy of your certificate, along with official branding collateral including the Cyber Essentials badges. CyberSmart will support you throughout the process of achieving your Cyber Essentials. We have a team of cyber security experts who are available to provide expert advice and guidance.
Our Cyber Essentials questionnaire includes guidance and example answers for every question.
Live chat is available through the dashboard during business hours for any queries you may have.
CyberSmart also has a dedicated helpline [020 7993 6990] available to answer any queries you may have about the Cyber Essentials process.
CyberSmart offers two options to pay for Cyber Essentials.
We have a monthly option which is £49 + VAT each month for 12 months.
If you pay annually, the cost is £499 + VAT. You will save 20% with the annual payment option.
Businesses that have successfully been assessed against the scheme will receive both a digital copy of their official certificate and a physical copy to display at their premises. You will also be able to use the appropriate Cyber Essentials badge to publicise this fact, and you will be listed on the NCSC Cyber Essentials website as a certified organisation. Being able to advertise that you have met a Government-approved cyber security scheme will give you an edge over competitors in the same market.
The Cyber Essentials scheme is open and available to all businesses.
If your business is interested you can simply go to app.cybersmart.co.uk/signup and create an account. Select the desired plan and complete the onboarding process to gain access to your CyberSmart dashboard.
Complete your Cyber Essentials self-assessment questionnaire and submit for review by our Assessors.
Once your self-assessment questionnaire submission is approved, CyberSmart will award your certificate. You will receive both a digital and a physical copy of your certificate, along with official branding collateral including the Cyber Essentials badges.
It’s common for businesses to operate out of a serviced office or shared office, such as a co-working space. If this is the case, there are some simple steps to take in order to meet the firewall controls for internet boundaries for Cyber Essentials.
The organisation does not need to manage its own network; it is acceptable to confirm with the provider that the controls are in place, and we’ve provided a guide on how to do so below.
From the official specifications: for all firewalls (or equivalent network devices), the organisation must routinely:
- Change any default administrative password to an alternative that is difficult to guess — or disable remote administrative access entirely
- Prevent access to the administrative interface (used to manage firewall configuration) from the Internet, unless there is a clear and documented business need and the interface is protected by one of the following controls: (A) a second authentication factor, such as a one-time token; (B) an IP whitelist that limits access to a small range of trusted addresses
- Block unauthenticated inbound connections by default
- Ensure inbound firewall rules are approved and documented by an authorised individual; the business need must be included in the documentation
- Remove or disable permissive firewall rules quickly, when they are no longer needed
- Use a host-based firewall on devices which are used on untrusted networks, such as public Wi-Fi hotspots
This can be confirmed using the following template:
To service provider,
We are applying for Cyber Essentials certification and need to check on the controls in place within our network.
Can you please confirm the following:
- There is a firewall in place between the boundary of our network and the internet
- The default password has been changed on this device
- The new password is at least 8 characters and difficult to guess
- If believed to be compromised, the password would be changed
- Only approved whitelisted services are allowed to broadcast to the internet, and these are removed when no longer required
- If remote access to the network device configuration is enabled, this is protected by either 2-factor authentication or limited to specific IP addresses
Cyber Essentials can seem like a daunting process and in some cases customers have given up because they did not fully understand the process.
CyberSmart has created a simple checklist you can run through to help prepare your business for Cyber Essentials. You should ensure all devices within the scope of the assessment (any PCs, laptops, mobile phones, tablets or servers) are compliant with the Cyber Essentials standard. The checklist is the same four-part list given earlier on this page: choose the most secure settings for your devices and software, control who has access to your data and services, protect yourself from viruses and other malware, and keep your devices and software up to date.
CyberSmart guides you through all of this, with examples and support, even for the non-technical.
Your business will be eligible for £25,000 of free cyber insurance if you successfully achieve Cyber Essentials. The insurance is dependent on your overall business turnover and headquarters location.
If your business has employees who are working remotely or from home, they will need to make sure their devices are secure and meet the requirements of Cyber Essentials. Ensure your employees are protecting themselves by following these steps:
- Anti-virus installed and up to date – Antivirus is a necessity for all your devices, desktop and mobile. Without antivirus, you are putting your business at risk of not only viruses but also other malware.
- Firewall active – Ensure all your devices have a firewall in place. It creates a buffer zone between your network and the internet, a highly valuable preventive measure for cyber attacks.
- Operating systems are up to date – Make sure your operating system (on all your devices) and all applications are updated, at all times. Updates for both are free.
- Two-factor authentication – Add an extra layer of security to your accounts beyond passwords. Most platforms have 2FA available and this is required for all admin accounts.
- Utilise a VPN (virtual private network) – Ensure everyone uses a VPN or a secure home network with strong end-to-end encryption.
Firewall
A firewall protects your computer or network from malicious or unnecessary network traffic. Firewalls keep your devices operating reliably and can protect you from attacks such as DoS (Denial of Service) and from malicious packets or network activity that can impact your computer’s performance.
Firewalls are built into all devices, including laptops and internet routers. Some businesses may also have set up a separate hardware firewall between their systems and the internet.
Firewalls are one of the key control areas for Cyber Essentials and it is important that you have firewalls turned on and enabled on all your devices.
VPN (Virtual Private Network)
A VPN (virtual private network) creates an encrypted network to allow secure connections for remote users. Simply put, a VPN creates a secure connection over public networks (such as the Wi-Fi on public transport, in hotels, or at your favourite café) as well as home networks (like the one provided by your internet service provider). A VPN routes your traffic through specialised servers and encrypts your data; VPNs obscure your online activity from your internet provider and protect you from network-based cyber threats.
It is highly recommended that if you have employees working remotely, they use a VPN to connect to the business network.
BYOD stands for Bring Your Own Device. Many businesses will allow employees to use their own devices for work purposes. This is most prominent for mobile devices, where employees will access company data when they are on the move.
Any device that accesses company or customer data will be within the scope of Cyber Essentials. You will need to make sure all BYOD devices are secure and up to date. This can be done through technical measures if you have an MDM (mobile device management) solution, which will allow you to create a secure area on the device. If a device is ever lost or stolen, you can use the MDM solution to delete the secure area.
Your business should also create a BYOD policy for employees and ensure this covers the requirements of Cyber Essentials.
If you are a sole trader, Cyber Essentials can still be relevant and in some cases a requirement for your business. As a sole trader, you will still have devices that access the internet and need to ensure you are taking the right steps to secure your business.
It is recommended that you create a separate admin and user account for your business. You should use your user account for day to day activities and only use the admin account when you need to conduct admin duties.
In addition, you should follow the standard guidance on Cyber Essentials – including antivirus, firewalls, and configuring your devices securely.
To achieve Cyber Essentials you will need to make sure all devices within the scope of your assessment have operating systems that are supported by the manufacturer. This includes desktops, laptops, mobile devices and servers.
If you have devices that are using unsupported operating systems, they will need to be updated to meet the requirements of Cyber Essentials. If you are unable to update the operating systems, these devices will need to be removed from the scope of the assessment and must not access any company or customer data.
Some common out-of-date operating systems are Windows XP, Windows Server 2013 and, since January 2020, Windows 7 (Home/Pro). Windows 10 also has version numbers that go out of support, so you need to be aware of the version numbers used within your company.
The below links are useful resources to help identify supported operating systems.
https://docs.microsoft.com/en-us/windows/release-information/
https://www.end-of-support.com/
Cyber Essentials will require you to list the applications (Microsoft Office, Google Suite, Adobe Suite, etc.) used within your business along with the version.
Your business will need to ensure that all applications used are up to date with any security updates applied within 14 days of release.
Updates for supported applications will be free and you should be alerted about the releases. Ideally you set applications to automatically update when updates are available.
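The two requirements above (supported operating systems, and security updates applied within 14 days of release) can be checked mechanically over a device inventory. The following is an added example, not CyberSmart's own tooling: the inventory, the audit date and the end-of-support table are all constructed for illustration, and a real audit would take support dates from the vendor lifecycle pages linked on this page.

```python
"""Audit an in-scope device inventory against two Cyber Essentials requirements
covered above: every device runs a vendor-supported operating system, and
security updates are applied no later than 14 days after release."""
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)   # Cyber Essentials patching deadline

# Illustrative end-of-support table (constructed for this example). A real audit
# should take these dates from the vendor lifecycle pages linked on this page.
# None means the release is still supported.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10 22H2": None,
    "Ubuntu 22.04": None,
}


@dataclass
class Device:
    name: str
    os: str
    in_scope: bool = True  # handles company or customer data
    # security update id -> vendor release date, for updates not yet installed
    pending_updates: dict = field(default_factory=dict)


def check_os(device: Device, today: date):
    """Return a finding if the device's OS is unsupported (or unknown), else None."""
    if device.os not in END_OF_SUPPORT:
        return f"{device.name}: unknown OS '{device.os}', confirm its support status"
    eos = END_OF_SUPPORT[device.os]
    if eos is not None and today >= eos:
        return (f"{device.name}: {device.os} unsupported since {eos}; "
                "upgrade it or remove it from scope")
    return None


def check_patching(device: Device, today: date):
    """Return one finding per pending update whose 14-day deadline has passed."""
    findings = []
    for update_id, released in device.pending_updates.items():
        deadline = released + PATCH_WINDOW
        if today > deadline:
            findings.append(f"{device.name}: {update_id} released {released}, "
                            f"deadline {deadline} missed")
    return findings


def audit(devices, today: date):
    """Run both checks over every in-scope device and collect the findings."""
    findings = []
    for device in devices:
        if not device.in_scope:
            continue  # out-of-scope devices must not touch company data
        os_finding = check_os(device, today)
        if os_finding:
            findings.append(os_finding)
        findings.extend(check_patching(device, today))
    return findings


# Constructed sample inventory and audit date for the example.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_DEVICES = [
    Device("finance-pc", "Windows 7",
           pending_updates={"KB-EXAMPLE-1": date(2024, 5, 1)}),
    Device("sales-laptop", "Windows 10 22H2",
           pending_updates={"KB-EXAMPLE-2": date(2024, 5, 25)}),
    Device("old-kiosk", "Windows XP", in_scope=False),
    Device("dev-box", "Ubuntu 22.04"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEVICES, AUDIT_DATE):
        print(finding)
```

On the sample inventory the audit reports two findings for finance-pc (unsupported Windows 7 and an update past its 14-day deadline); the out-of-scope kiosk is skipped, which is only acceptable if it genuinely never touches company data.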
The below link is a useful resource to help identify supported applications.
https://www.end-of-support.com/
Anti-malware software, also known as anti-virus software, is a computer program used to prevent, detect, and remove malware.
Your business should ensure you have anti-malware software installed, with real-time scanning enabled and kept updated.
CyberSmart recommends the below three anti-malware products:
Avast – www.avast.com
Avira – https://www.avira.com/en/free-antivirus
Sophos – https://sophos-home.com
Cyber Essentials certification requires that your business controls access to its data through user accounts, that administration privileges (admin accounts) are only given to those who need them, and that what an administrator can do with those accounts is controlled.
User accounts should be used for general day to day work and admin accounts should only be used to perform administrative tasks. Ideally admin accounts should not be used for email and general web browsing.