
Cyber Essentials

Cyber Essentials is a UK Government-backed information assurance scheme operated by the National Cyber Security Centre that encourages businesses to adopt good practice in information security. The scheme was launched in 2014 as a joint venture between the National Cyber Security Centre (NCSC) and the UK Government.

Cyber Essentials identifies the security controls that an organisation must have in place within its IT systems in order to have confidence that it is addressing cyber security effectively and mitigating the risk from internet-based threats.

Obtaining Cyber Essentials certification demonstrates an organisation’s commitment to security and to protecting its data. Evidence has shown that businesses that achieve Cyber Essentials can protect against 80% of cyber attacks.

Cyber Essentials is a self-assessment scheme in which businesses complete a questionnaire to verify that their IT is suitably secure and meets the standards set by Cyber Essentials. This is then reviewed and assessed by a Certification Body. Once a business has passed, it is awarded a Cyber Essentials certificate.

Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme. Cyber Essentials Plus ensures you have the five technical controls needed in place, with cyber security verification completed by a CyberSmart qualified auditor.

All businesses hold and access some form of data. This can include confidential client information, employee data, suppliers’ information, customer marketing records, etc.

Here are 4 reasons why you need to have Cyber Essentials:

  1. Protection – Cyber-attacks are on the rise and your staff may not be as aware of cyber security as they should be; with things changing all the time, it’s hard to keep them up to date. Without a robust security solution in place, your data is vulnerable to criminals. Cyber Essentials prevents over 80% of the most common computer security breaches. It aims to provide businesses with a strong base from which to reduce the risk from these prevalent, but unskilled, cyber-attacks.
  2. Assurance – Achieving Cyber Essentials certification demonstrates to your customers, suppliers and other partners that you take data security seriously. It is a quick way to show that you have done your due diligence and are putting controls in place to protect information. This gives them more confidence that they can trust you and encourages them to work with you.
  3. Compliance – You are legally required to protect the data you hold within your business, particularly if it belongs to clients/customers, whether these are existing or previous. The introduction of The General Data Protection Regulation (GDPR) in May 2018 means that you must have solutions in place to protect that data, and be able to demonstrate these.
  4. Opportunity – Achieving Cyber Essentials can allow you to bid for contracts which involve the handling of sensitive information and the provision of certain technical services. The UK Government has set a good example to UK businesses, highlighting the importance of a secure supply chain for ongoing business. Not only does this defend the integrity of government information, it could even give your company a competitive advantage when bidding for public sector tenders. Cyber Essentials is fast becoming a prerequisite for doing business because the certification provides third-party assurance of the company’s cyber security.

The Cyber Essentials scheme provides businesses with clarity on what essential security controls they need to have in place to reduce the risk posed by Internet threats with low levels of technical capability.

Organisations that are good at cyber security can make this a selling point – demonstrating to their customers through the Cyber Essentials certification that they take cyber security seriously.

Here are 4 benefits of achieving Cyber Essentials:

  1. Protects your organisation from 80% of common cyber threats – When implemented, the five technical controls within the scheme help protect your organisation from 80% of common cyber-attacks and tighten security. The five controls are firewalls, secure configuration, user access control, anti-malware and patch management.
  2. Increased credibility and reputation – Achieving Cyber Essentials certification shows your commitment to protecting your own data and that of your customers and clients. The certification increases the reputation of your business and shows your organisation is taking preventative action to reduce the threat from cyber-attacks.
  3. Win government contracts and open business opportunities – If your organisation is looking to bid for government contracts you will need to be Cyber Essentials certified. New business opportunities open up as it demonstrates to business partners and new clients that you are working in a safe and secure digital environment.
  4. Eligible for free cyber insurance cover – Showing that your organisation is compliant with the scheme means that you could be eligible for free cyber insurance cover, with a coverage limit of £25,000.

Cyber Essentials is a government-backed certification scheme that enables you to demonstrate that your business has taken the necessary steps to protect against cyber attacks. This scheme tests your information system against five technical security controls:

Firewalls

This control will apply to every business where employees have access to the internet. Internet gateways and firewalls will identify and prevent unwanted traffic gaining access to your network, computers, and systems. The controls you need to apply will include changing any default/admin passwords, ensuring firewalls are properly set up, etc.

Secure Configuration

A new computer or piece of software is rarely properly configured with its factory settings. This means that if you carry on using a device on its default settings, it is open to cyber risks. All computers and network devices should be configured securely to reduce risk. This includes reducing or removing unnecessary software and changing default settings and passwords.

Access Control

A significant number of data and cyber breaches occur from abuse of administrative user accounts in a business. Organisations and businesses should aim to only let certain individuals have special access privileges according to their role and responsibilities. Companies can look to manage this by performing a number of controls, such as having unique usernames and passwords, and keeping all account information in a secure, protected location.

Malware

Where computers and systems are exposed to the internet, they will need to be protected from malware. Malware is a programme, or virus, that has been coded with the intent to perform unauthorised actions on one or more computers. Organisations should, at a minimum, look to protect all computers that are connected to the internet via cable or wireless. Other actions include keeping anti-malware software up to date and scheduling regular (daily) full scans to ensure early detection of malware.

Patch Management

As with any software, regular updates are released to address security issues, add features and improve performance. Any vulnerability in software that hasn’t been updated can become a weak spot used to gain access to networks and computer systems. Organisations and businesses should ensure the following: remove out-of-date software, and apply all security patches as soon as they are available and no later than 14 days after release.

The Cyber Essentials scheme is not covered by binding regulation; however, for certain businesses Cyber Essentials is a mandatory requirement in order to secure contracts, and in this blog post we describe the conditions under which certification can be necessary.

Government Contracts

Cyber Essentials is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials, you will not be able to bid or maintain such contracts at all. In general, these contracts will involve the handling of personal information or delivering certain IT products and services.

Essentially, this covers all government contracts where your business will be required to:

  • Handle the personal information of any UK citizens, e.g. bank details or home addresses.
  • Handle the personal information of any government employees, ministers, or advisors, e.g. payroll or expenses information.
  • Deliver IT products or services designed to store, process, or transfer data at an official level.

Ministry of Defence Contracts

The UK Ministry of Defence (MOD) places further emphasis on businesses being Cyber Essentials certified and requires all its suppliers to comply with the Cyber Essentials scheme. The MOD stated in its announcement that this requirement must flow down to the supply chain, effectively mandating that both organisations conducting business directly with the MOD and organisations delivering into the MOD supply chain must be Cyber Essentials certified to continue doing business or to win contracts going forward.

Businesses sometimes presume that if they have undergone ISO 27001 certification they will not need the seemingly less complex Cyber Essentials controls. The reality is that Cyber Essentials can still be very beneficial for companies that hold ISO 27001.

At its heart, ISO27001 is a risk management certification. This means that an organisation decides, after examining its information security risks, which security controls they are going to implement. The organisation may choose to put in place a different set of controls to those in Cyber Essentials and may decide to accept the risk of not implementing certain Cyber Essentials controls. 

Cyber Essentials focuses on protection of data and programs on networks, computers, servers, and other elements of an IT infrastructure. 

This becomes particularly important when looking at risk management within a supply chain. Cyber Essentials is a prescriptive standard, and so it gives more confidence to the person responsible for procurement that a business has implemented the five specific controls that are part of the standard.

This is why Cyber Essentials certification is often mandated throughout a supply chain regardless of ISO27001 certification.

Cyber Essentials certification is valid for one year. The UK government recommends that you renew your certification at least annually. From 1 April 2020, certificates will be issued with a 12-month expiry date.

The NCSC will remove businesses from the online ‘certified organisations’ list if they have not been certified in the past year. 

The assessment process is a ‘snapshot’ in time: it can only be relied on for the day of assessment, much like an MOT on a car. As with the MOT, the car will not remain roadworthy without regular maintenance. We therefore recommend that businesses maintain the principles of the Cyber Essentials scheme on an ongoing basis (for example, ensuring that patching always occurs in a timely fashion and that malware protection is kept up to date) and not just prepare for the assessment.

You can use CyberSmart to maintain your Cyber Essentials on an ongoing basis.

To achieve Cyber Essentials you will need to complete a self-assessment questionnaire, which will be reviewed and verified by a Certification Body Assessor.

Before filling out the questionnaire, you should ensure all devices within the scope of the assessment (any PC, laptops, mobile phones, tablets or servers that handle company data) are compliant with the Cyber Essentials standard:

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the Settings of your device and try to turn off a function that you don’t need

☐ Find the Settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges on your machine

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported

Alternatively, use CyberSmart, which guides you step by step, in a non-technical way, to implementing and achieving Cyber Essentials. The time taken to achieve Cyber Essentials will largely depend on how compliant your IT systems already are against the control areas of the standard.

If your business has adequate IT practices in place, the process should be quick and efficient when using a fully digital process. Simply complete the self-assessment questionnaire, sign the declaration and submit this to CyberSmart.

From the time we receive your self-assessment questionnaire, CyberSmart will review and verify your submission the same working day. We aim to have you certified within 24 hours. 

Some of our customers have completed certification within a few short hours and others who needed to make changes to their systems have taken a few weeks. CyberSmart has accelerated the process of achieving Cyber Essentials for your business. 

Simply go to https://app.cybersmart.co.uk/signup and create an account. Select the desired plan and complete the onboarding process to gain access to your CyberSmart dashboard.

Complete your Cyber Essentials self-assessment questionnaire and submit for review by our Assessors. 

Once your self-assessment questionnaire submission is approved, CyberSmart will award your certificate. You will receive both a digital and a physical copy of your certificate, along with official branding collateral including the Cyber Essentials badges. CyberSmart will support you throughout the process of achieving your Cyber Essentials. We have a team of cyber security experts who are available to provide expert advice and guidance.

Our Cyber Essentials questionnaire includes guidance and example answers for every question. 

Live chat is available through the dashboard during business hours for any queries you may have.

CyberSmart also has a dedicated helpline [020 7993 6990] available to answer any queries you may have about the Cyber Essentials process.

CyberSmart offers two options to pay for Cyber Essentials.

We have a monthly option which is £49 + VAT each month for 12 months.

If you pay annually, the cost is £499 + VAT; you save 20% with the annual payment option.

Businesses that have successfully been assessed against the scheme will receive both a digital copy of their official certificate and a physical copy to display at their premises. You will also be able to use the appropriate Cyber Essentials badge to publicise this fact, and you will be listed on the NCSC Cyber Essentials website as a certified organisation. Being able to advertise that you have met a Government-approved cyber security scheme will give you an edge over competitors in the same market.

The Cyber Essentials scheme is open and available to all businesses.

If your business is interested you can simply go to app.cybersmart.co.uk/signup and create an account. Select the desired plan and complete the onboarding process to gain access to your CyberSmart dashboard.

Complete your Cyber Essentials self-assessment questionnaire and submit for review by our Assessors. 

Once your self-assessment questionnaire submission is approved, CyberSmart will award your certificate. You will receive both a digital and a physical copy of your certificate, along with official branding collateral including the Cyber Essentials badges.

It’s common for businesses to operate out of a serviced office or shared office, such as a co-working space. If this is the case, there are some simple steps to take in order to meet the firewall controls for internet boundaries for Cyber Essentials.

The organisation does not need to manage its own network; it is acceptable to confirm with the provider that the controls are in place, and we’ve provided a guide on how to do so below.

From the official specification, for all firewalls (or equivalent network devices) the organisation must routinely:

  • Change any default administrative password to an alternative that is difficult to guess — or disable remote administrative access entirely
  • Prevent access to the administrative interface (used to manage firewall configuration) from the Internet, unless there is a clear and documented business need and the interface is protected by one of the following controls: (A) a second authentication factor, such as a one-time token; (B) an IP whitelist that limits access to a small range of trusted addresses
  • Block unauthenticated inbound connections by default
  • Ensure inbound firewall rules are approved and documented by an authorised individual; the business need must be included in the documentation
  • Remove or disable permissive firewall rules quickly, when they are no longer needed
  • Use a host-based firewall on devices which are used on untrusted networks, such as public Wi-Fi hotspots

This can be confirmed using the following template:

To service provider,

We are applying for Cyber Essentials certification and need to check on the controls in place within our network.

Can you please confirm the following:

  1. There is a firewall in place between the boundary of our network and the internet
  2. The default password has been changed on this device
  3. The new password is at least 8 characters and difficult to guess
  4. If believed to be compromised, the password would be changed
  5. Only approved whitelisted services are allowed to broadcast to the internet, and these are removed when no longer required
  6. If remote access to the network device configuration is enabled, this is protected by either 2-factor authentication or limited to specific IP addresses
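
The Python script below is an added illustration, not code from CyberSmart or from the Cyber Essentials scheme, of how an organisation (or the office provider it writes to) could check a firewall configuration against the requirements quoted above and the points in the confirmation template. The configuration layout, field names and sample values are this example's own assumptions.

```python
"""Audit a firewall configuration against the Cyber Essentials firewall
requirements quoted above: default admin password changed, admin interface
not exposed without justification and 2FA/IP allow-list, default-deny inbound,
inbound rules approved and documented, stale permissive rules removed.

Constructed example: the config layout and sample values are this example's
own assumptions, not a real vendor's export format."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed "day of assessment" so the stale-rule check is deterministic.
TODAY = date(2024, 6, 1)


@dataclass
class Rule:
    name: str
    direction: str                  # "inbound" or "outbound"
    action: str                     # "allow" or "deny"
    source: str                     # "internet", "lan", or an allow-list label
    service: str                    # e.g. "tcp/443"
    approved_by: str = ""           # authorised individual who approved the rule
    business_need: str = ""         # documented justification for the rule
    expires: Optional[date] = None  # review/removal date for temporary rules


@dataclass
class FirewallConfig:
    default_admin_password_changed: bool
    default_inbound: str            # "deny" blocks unauthenticated inbound by default
    remote_admin_enabled: bool      # admin interface reachable from the Internet
    remote_admin_mfa: bool = False
    remote_admin_ip_allowlist: bool = False
    remote_admin_business_need: str = ""
    rules: List[Rule] = field(default_factory=list)


def audit(cfg: FirewallConfig, today: date = TODAY) -> List[str]:
    """Return one finding per failed requirement; an empty list means the config passes."""
    findings: List[str] = []
    if not cfg.default_admin_password_changed:
        findings.append("default administrative password has not been changed")
    if cfg.remote_admin_enabled:
        if not cfg.remote_admin_business_need:
            findings.append("admin interface exposed to the Internet without a documented business need")
        if not (cfg.remote_admin_mfa or cfg.remote_admin_ip_allowlist):
            findings.append("admin interface exposed without 2FA or an IP allow-list")
    if cfg.default_inbound != "deny":
        findings.append("inbound connections are not blocked by default")
    for r in cfg.rules:
        if r.direction != "inbound" or r.action != "allow":
            continue  # only permissive inbound rules need approval and review
        if not (r.approved_by and r.business_need):
            findings.append(f"inbound rule '{r.name}' lacks an approver or business need")
        if r.expires is not None and r.expires < today:
            findings.append(f"inbound rule '{r.name}' expired on {r.expires} and should be removed")
    return findings


def sample_compliant() -> FirewallConfig:
    """Constructed configuration that meets every requirement."""
    return FirewallConfig(
        default_admin_password_changed=True,
        default_inbound="deny",
        remote_admin_enabled=False,
        rules=[
            Rule("public-web", "inbound", "allow", "internet", "tcp/443",
                 approved_by="IT Manager", business_need="customer-facing website"),
            Rule("staff-browsing", "outbound", "allow", "lan", "tcp/443"),
        ],
    )


def sample_noncompliant() -> FirewallConfig:
    """Constructed configuration with the mistakes the requirements are written to catch."""
    return FirewallConfig(
        default_admin_password_changed=False,
        default_inbound="allow",
        remote_admin_enabled=True,   # exposed with no 2FA, no allow-list, no justification
        rules=[
            Rule("vendor-rdp", "inbound", "allow", "internet", "tcp/3389",
                 expires=date(2024, 3, 31)),  # temporary rule that was never removed
        ],
    )


if __name__ == "__main__":
    for label, cfg in (("compliant", sample_compliant()), ("non-compliant", sample_noncompliant())):
        print(label, audit(cfg) or ["no findings"])
```
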

Cyber Essentials can seem like a daunting process, and in some cases customers have given up because they did not fully understand the process.

CyberSmart has created a simple checklist you can run through to help prepare your business for Cyber Essentials. You should ensure all devices within the scope of the assessment (any PC, laptops, mobile phones, tablets or servers) are compliant with the Cyber Essentials standard:

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the Settings of your device and try to turn off a function that you don’t need

☐ Find the Settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges on your machine

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported

CyberSmart guides them through all of this, with examples and support, even for the non-technical.

Your business will be eligible for £25,000 of free cyber insurance if you successfully achieve Cyber Essentials. The insurance is dependent on your overall business turnover and headquarters location.

If your business has employees who are working remotely or from home, they will need to make sure their devices are secure and meet the requirements of Cyber Essentials. Ensure your employees are protecting themselves by following these steps:

  • Anti-virus installed and up to date – antivirus is a necessity for all your devices, desktop and mobile. Without antivirus, you are putting your business at risk not only from viruses but also from other malware.
  • Firewall active – Ensure all your devices have a firewall in place. It creates a buffer zone between your network and the internet, a highly valuable preventive measure for cyber attacks.
  • Operating systems are up to date – Make sure your operating system (on all your devices) and all applications are updated, at all times. Updates for both are free. 
  • Two-factor authentication – Add an extra layer of security to your accounts beyond passwords. Most platforms have 2FA available and this is required for all admin accounts.
  • Utilise a VPN (virtual private network) – Ensure everyone uses a VPN or a secure home network with strong end-to-end encryption.

Firewall

A firewall protects your computer or network from malicious or unnecessary network traffic. Firewalls help keep your devices operating reliably and can protect you from attacks such as DoS (Denial of Service) and malicious packets or network activity that can impact your computer’s performance.

Firewalls are built into all devices, including laptops and internet routers. Some businesses may also have set up a separate hardware firewall between their systems and the internet.

Firewalls are one of the key control areas for Cyber Essentials and it is important that you have firewalls turned on and enabled on all your devices. 

VPN (Virtual Private Network)

A VPN (virtual private network) creates an encrypted connection so that remote users can connect securely. Simply put, a VPN secures your connection over public networks (such as the Wi-Fi on public transport, in hotels or in your favourite café) as well as home networks (like the one provided by your internet service provider). A VPN routes your traffic through specialised servers and encrypts your data; this obscures your online activity from your internet provider and protects you from network-based cyber threats.

It is highly recommended that employees working remotely use a VPN to connect to the business network.

BYOD stands for Bring Your Own Device. Many businesses allow employees to use their own devices for work purposes. This is most common for mobile devices, where employees access company data while on the move.

Any device that accesses company or customer data is within the scope of Cyber Essentials. You will need to make sure all BYOD devices are secure and up to date. This can be done through technical measures if you have an MDM (mobile device management) solution, which allows you to create a secure area on the device; if a device is ever lost or stolen, you can use the MDM solution to wipe that secure area.

Your business should also create a BYOD policy for employees and ensure it covers the requirements of Cyber Essentials.

If you are a sole trader, Cyber Essentials can still be relevant and in some cases a requirement for your business. As a sole trader, you will still have devices that access the internet and need to ensure you are taking the right steps to secure your business.

It is recommended that you create separate admin and user accounts for your business. Use the user account for day-to-day activities and only use the admin account when you need to carry out administrative tasks.

In addition, you should follow the standard Cyber Essentials guidance, including antivirus, firewalls, and configuring your devices securely.

To achieve Cyber Essentials you will need to make sure all devices within the scope of your assessment run operating systems that are supported by the manufacturer. This includes desktops, laptops, mobile devices and servers.

If you have devices that are using unsupported operating systems, they will need to be updated to meet the requirements of Cyber Essentials. If you are unable to update the operating systems, these devices will need to be removed from the scope of the assessment and not access any company or customer data. 

Some common out-of-date operating systems are Windows XP, Windows Server 2013 and, since January 2020, Windows 7 (Home/Pro). Windows 10 also has version numbers allocated to its releases, each of which goes out of support in turn, so you need to be aware of the version numbers in use within your company.

The below links are useful resources to help identify supported operating systems. 

https://docs.microsoft.com/en-us/windows/release-information/ 

https://www.end-of-support.com/

Cyber Essentials requires you to list the applications (Microsoft Office, Google Suite, Adobe Suite, etc.) used within your business, along with their versions.

Your business will need to ensure that all applications used are up to date with any security updates applied within 14 days of release. 

Updates for supported applications will be free and you should be alerted about the releases. Ideally you set applications to automatically update when updates are available. 
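As an added example (not CyberSmart's code or tooling) covering the 14-day patching rule above and the unsupported-operating-system rule earlier on this page, the Python script below classifies a constructed software inventory. The record layout, product names, versions and dates are assumptions made for illustration.

```python
"""Check a software inventory against the Cyber Essentials patching rules on
this page: security updates applied within 14 days of release, and no
unsupported operating systems or applications left in scope.

Constructed example: the inventory records and their field names are this
example's own assumptions, not output from any real patch-management tool."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)   # "no later than 14 days after release"
TODAY = date(2024, 6, 1)            # constructed assessment date


@dataclass
class Software:
    name: str
    version: str
    vendor_supported: bool           # still receives security updates from the vendor
    update_released: Optional[date]  # latest security update's release date, if any
    update_applied: Optional[date]   # when it was installed, or None if still outstanding


def patch_status(item: Software, today: date = TODAY) -> str:
    """Classify one item as unsupported, compliant, late, pending or overdue."""
    if not item.vendor_supported:
        return "unsupported"         # must be upgraded or removed from scope
    if item.update_released is None:
        return "compliant"           # nothing outstanding
    deadline = item.update_released + PATCH_WINDOW
    if item.update_applied is not None:
        # Applied on the deadline day itself still counts as within 14 days.
        return "compliant" if item.update_applied <= deadline else "late"
    return "pending" if today <= deadline else "overdue"


def days_left(item: Software, today: date = TODAY) -> Optional[int]:
    """Days remaining in the window for a pending update, else None."""
    if patch_status(item, today) != "pending":
        return None
    return (item.update_released + PATCH_WINDOW - today).days


def report(inventory: List[Software], today: date = TODAY) -> Dict[str, List[str]]:
    """Group item names by status so the failing ones are obvious."""
    out: Dict[str, List[str]] = {}
    for item in inventory:
        out.setdefault(patch_status(item, today), []).append(item.name)
    return out


# Constructed inventory; products, versions and dates are illustrative only.
INVENTORY = [
    Software("Office suite", "2403", True, date(2024, 5, 14), date(2024, 5, 20)),  # 6 days: fine
    Software("PDF reader", "24.1", True, date(2024, 4, 30), date(2024, 5, 20)),    # 20 days: late
    Software("Browser", "125", True, date(2024, 5, 25), None),                     # still in window
    Software("Accounting app", "9.2", True, date(2024, 5, 10), None),              # window passed
    Software("Windows 7 Pro", "6.1", False, None, None),                           # out of support
]

if __name__ == "__main__":
    for status, names in report(INVENTORY).items():
        print(f"{status:11s} {', '.join(names)}")
```
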

The below link is a useful resource to help identify supported applications. 

https://www.end-of-support.com/

Anti-malware software, also known as anti-virus software, is a computer program used to prevent, detect and remove malware.

Your business should ensure you have anti-malware software installed, with real-time scanning enabled and kept updated. 

CyberSmart recommends the following three anti-malware products:

Avast – www.avast.com

Avira – https://www.avira.com/en/free-antivirus

Sophos – https://sophos-home.com

Cyber Essentials certification requires that your business controls access to its data through user accounts. Administrative privileges (admin accounts) should only be given to those who need them, and what an administrator can do with those accounts should be controlled.

User accounts should be used for general day to day work and admin accounts should only be used to perform administrative tasks. Ideally admin accounts should not be used for email and general web browsing.

Cyber Essentials Plus

Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme, an official, UK-wide, government-backed certification that helps companies guard against the most common cyber threats and reduce their risk by at least 80%.

Cyber Essentials Plus ensures you have the five technical controls needed in place, with cyber security verification completed by a CyberSmart qualified auditor. CyberSmart can conduct onsite and remote audits.

For the difference between Cyber Essentials and Cyber Essentials Plus, see below.

All businesses hold and access some form of data. This can include confidential client information, employee data, suppliers’ information, customer marketing records, etc.

Here are 5 key reasons why you need to have Cyber Essentials Plus:

  1. External audit – Cyber Essentials Plus is assessed by a qualified auditor, who will review your controls and provide you with an impartial view of your status. Additionally, auditors will provide guidance on how to best protect your devices and company data. 
  2. Protection – Cyber-attacks are on the rise and your staff may not be as aware of cybersecurity as they should be, and with things changing all the time, it’s hard to keep them up to date. Without a robust security solution in place, your data is vulnerable to criminals. Cyber Essentials Plus prevents over 80% of the most common computer security breaches. It aims to provide businesses with a strong base from which to reduce the risk from these prevalent, but unskilled, cyber-attacks.
  3. Assurance – Achieving Cyber Essentials Plus certification demonstrates to your customers, suppliers and other partners that you take data security seriously. It is a quick way to show that you have done your due diligence and are putting controls in place to protect information. This gives them more confidence that they can trust you and encourages them to work with you.
  4. Compliance – You are legally required to protect the data you hold within your business, particularly if it belongs to clients/customers, whether these are existing or previous. The introduction of The General Data Protection Regulation (GDPR) in May 2018 means that you must have solutions in place to protect that data, and be able to demonstrate these.
  5. Opportunity – Achieving Cyber Essentials Plus can allow you to bid for contracts which involve the handling of sensitive information and the provision of certain technical services. The UK Government has set a good example to UK businesses, highlighting the importance of a secure supply chain for ongoing business. Not only does this defend the integrity of government information, it could even give your company a competitive advantage when bidding for public sector tenders. Cyber Essentials Plus is fast becoming a prerequisite for doing business because the certification provides third-party assurance of the company’s cyber security.

The Cyber Essentials Plus scheme is not covered by binding regulation; however, for certain businesses Cyber Essentials Plus is a mandatory requirement in order to secure contracts, and in this blog post we describe the conditions under which certification can be necessary.

Government Contracts

Cyber Essentials Plus is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials Plus, you will not be able to bid or maintain such contracts at all. In general, these contracts will involve the handling of personal information or delivering certain IT products and services.

Essentially, this covers all government contracts where your business will be required to:

  • Handle the personal information of any UK citizens, e.g. bank details or home addresses.
  • Handle the personal information of any government employees, ministers, or advisors, e.g. payroll or expenses information.
  • Deliver IT products or services designed to store, process, or transfer data at an official level.

Ministry of Defence Contracts

The UK Ministry of Defence (MOD) places further emphasis on businesses with the introduction of the Defence Cyber Protection Partnership (DCPP) to protect the defence supply chain. Under DCPP, a risk level of Very Low requires Cyber Essentials, and risk levels of Low and above require compliance with the Cyber Essentials Plus scheme. The MOD stated in its announcement that this requirement must flow down to the supply chain, effectively mandating that both organisations conducting business directly with the MOD and organisations delivering into the MOD supply chain must be Cyber Essentials Plus certified to continue doing business or to win contracts going forward.

As part of the Cyber Essentials Plus certification process, a CyberSmart qualified auditor will conduct an onsite or remote audit to test the controls put in place. They will validate the answers submitted in the self-assessment questionnaire for Cyber Essentials, and perform an in-depth assessment of the security of the organisation.  

If we identify areas that fail the assessment, we will provide remediation actions and timescales that you can apply before we issue the certification.

Upon successful completion, CyberSmart will award your certificate. You will receive both a digital and a physical copy of your certificate along with official branding collateral, including the Cyber Essentials Plus badges. The cost of Cyber Essentials Plus starts at £999 and will vary for each business depending on the complexity of their IT.

Get in touch with our team, who will be able to provide you with an accurate quote within minutes.

The difference is that the ‘Plus’ certificate requires an independent assessment of your security controls, to verify that the five controls are in place. As a result of this external verification, the Cyber Essentials Plus certificate is often regarded as the more reliable certification.

Businesses sometimes presume that if they have undergone ISO 27001 certification they will not need the seemingly less complex Cyber Essentials Plus controls. The reality is that Cyber Essentials Plus can still be very beneficial for companies who hold ISO 27001.

At its heart, ISO27001 is a risk management certification. This means that an organisation decides, after examining its information security risks, which security controls it is going to implement. The organisation may choose to put in place a different set of controls to those in Cyber Essentials Plus, and may decide to accept the risk of not implementing certain Cyber Essentials Plus controls.

Cyber Essentials Plus focuses on the protection of data and programs on networks, computers, servers, and other elements of an IT infrastructure. It is externally audited, so it is often requested because it demonstrates that a third party has assessed the organisation’s systems.

This becomes particularly important when looking at risk management within a supply chain. Cyber Essentials Plus is a prescriptive standard, and so it gives more confidence to the person responsible for procurement that a business has implemented the five specific controls that are part of the standard.

This is why Cyber Essentials Plus certification is often mandated throughout a supply chain regardless of ISO27001 certification.

Cyber Essentials Plus certification is valid for one year. It is recommended by the UK government that you renew your certification at least annually. From 1 April 2020, certificates will be issued with a 12-month expiry date.

The NCSC will remove businesses from the online ‘certified organisations’ list if they have not been certified in the past year. 

The assessment process is a ‘snapshot’ in time, and it can only be relied upon for the day of assessment, similar to an MOT on a car. As with the MOT, the car will not remain roadworthy without regular maintenance. We therefore recommend that businesses maintain the principles of the Cyber Essentials Plus scheme on an ongoing basis (for example, ensuring that patching always occurs in a timely fashion and that malware protection is kept up to date) and not just prepare for the assessment.

You can use CyberSmart to maintain your Cyber Essentials Plus on an ongoing basis.

The Cyber Essentials Plus scheme provides businesses with clarity on what essential security controls they need to have in place to reduce the risk posed by internet-based threats from attackers with low levels of technical capability.

Organisations that are good at cyber security can make this a selling point – demonstrating to their customers through the Cyber Essentials Plus certification that they take cyber security seriously.

Here are 4 benefits of achieving Cyber Essentials Plus:

  1. External audit – Cyber Essentials Plus is assessed by a qualified auditor, who will review your controls and provide you with an impartial view of your status. Additionally, auditors will provide guidance on how best to protect your devices and company data.
  2. Protects your organisation from 80% of common cyber threats – The 5 technical controls within the scheme, when implemented, help your organisation protect against 80% of common cyber-attacks and tighten security. The 5 controls are firewalls, secure configuration, control user access, anti-malware and phishing.
  3. Increased credibility and reputation – Achieving Cyber Essentials Plus certification shows your commitment to protecting your own data and that of your customers and clients. The certification increases the reputation of your business and shows that your organisation is taking preventative action to reduce the threat from cyber-attacks.
  4. Win government contracts and open business opportunities – If your organisation is looking to bid for government contracts you will need to be Cyber Essentials Plus certified. New business opportunities are opened up, as certification demonstrates to business partners and new clients that you are working in a safe and secure digital environment.

The Cyber Essentials Plus scheme does not include a penetration test as part of the assessment to achieve the certification.

What is Cyber Essentials Plus?

Cyber Essentials Plus is an audited version of Cyber Essentials basic, which is a self-assessed online questionnaire. The Plus consists of:

  • An audit of all controls in Cyber Essentials basic
  • An onsite or remote audit (depending on company size and complexity)
  • An external vulnerability scan

Getting a Cyber Essentials Plus Quote:

Each quote is bespoke to the company. This is based on company size, complexity and internal mark-up. It’s quick and easy to get a quote from us, just fill out this form. We will then reach out to you to arrange the audit date.

Pre-Audit: 

We have created this checklist, which should be looked through thoroughly before the date of the audit. Following the document greatly increases your chances of successful certification.

During the Audit:

There are several steps to a Cyber Essentials Plus audit, whether it is done remotely or onsite. The steps of the audit are:

  1. Sign up at app.cybersmart.co.uk if you do not already have an account with us.
  2. Deploy the CyberSmart apps on all devices and ensure all controls are passing.
  3. Obtain your external IP addresses and start the vulnerability scan. This automatically checks for open TCP and UDP ports and vulnerable services on your network, and generates a report with a score for each vulnerability.
  4. Any vulnerability with a CVSS score of 6.9 or higher must be resolved to pass (usually by closing the port or updating the service).
  5. Send fake (test) virus files and inbound malicious test emails to 90% of the represented devices within the organisation, via both the web (e.g. Chrome) and the native mail app. NOTE: If you use standard builds, only one machine of each operating system needs to be tested.
  6. Check the latest patching for all machines. Any out-of-date operating system and software patches must be applied.
  7. Review that sufficient malware protection is in place for all machines.
  8. Screenshot everything along the way so the auditor can write the report post-audit.

If anything from the Cyber Essentials Plus audit needs actioning, the auditor will liaise with the most relevant technical person within the company.

Post-Audit:

Once the audit is complete, the auditor needs to write up the full report, which can take 1 to 3 working days depending on whether any remediation is needed.

After the report is finished, the auditor will issue your official Cyber Essentials Certificate and send the report, certificate and badges over to you.

To achieve Cyber Essentials Plus you will need to complete a self-assessment questionnaire, which will be reviewed and verified by a Certification Body Assessor.

Before filling out the questionnaire, you should ensure all devices within the scope of the assessment (any PC, laptops, mobile phones, tablets or servers that handle company data) are compliant with the Cyber Essentials Plus standard:

Choose the most secure settings for your devices and software

☐ Know what ‘configuration’ means

☐ Find the Settings of your device and try to turn off a function that you don’t need

☐ Find the Settings of a piece of software you regularly use and try to turn off a function that you don’t need

☐ Read the NCSC guidance on passwords

☐ Make sure you’re still happy with your passwords

☐ Read up about two-factor authentication

 

Control who has access to your data and services

☐ Read up on accounts and permissions

☐ Understand the concept of ‘least privilege’

☐ Know who has administrative privileges on your machine

☐ Know what counts as an administrative task

☐ Set up a minimal user account on one of your devices

 

Protect yourself from viruses and other malware

☐ Know what malware is and how it can get onto your devices

☐ Identify three ways to protect against malware

☐ Read up about anti-virus applications

☐ Install an antivirus application on one of your devices and test for viruses

☐ Research secure places to buy apps, such as Google Play and Apple App Store

☐ Understand what a ‘sandbox’ is

 

Keep your devices and software up to date

☐ Know what ‘patching’ is

☐ Verify that the operating systems on all of your devices are set to ‘Automatic Update’

☐ Try to set a piece of software that you regularly use to ‘Automatic update’

☐ List all the software you have which is no longer supported

Alternatively, use CyberSmart, which guides you step by step, in a non-technical way, to implementing and achieving Cyber Essentials Plus. Cyber Essentials Plus can seem like a daunting process, and in some cases customers have given up because they did not fully understand the process.

CyberSmart has created a simple checklist you can run through to help prepare your business for Cyber Essentials Plus.

Pre-audit checklist to ensure a smooth onsite audit

  • Confirm all software (including Adobe, Java, etc.) is fully up to date on all devices, including servers. (You may want to download a 7-day trial version of Nessus Professional for a credentialed patch scan.)
  • Remove all software that is rarely used on each device; old browser installs (Firefox is a common example) are a frequent issue.
  • Ensure all devices, including laptops, have up-to-date AV engines and signature files, preferably managed through an enterprise management dashboard.
  • Ensure all executable attachments are prevented from being delivered to the email client.
  • Ensure the AV plugin for each browser in use has been activated and updated.

The auditor will ask you to provide the following:

  • Domain administrator level access. Either create a new admin account for the audit process, or ensure someone with admin level is present during the audit.
  • A list of all devices (Firewalls, Servers, PCs, laptops, workstations, tablets and mobile phones) that are in scope with details of their current operating system. Please note, if Windows 10 is in use a registry edit will be required for these devices to allow the scans to run. I will provide further details on this at a later date if applicable.
  • A full user listing with details of who will be present on the day of the assessment, please include email addresses.
  • A consent form will be required prior to starting the onsite test and this will be prepared once the visit dates have been agreed.

The testing process includes the following tests:

  • Confirmation of the devices to be tested
  • Scanning of devices to identify vulnerabilities using Nessus Professional scanning software – requires details of the admin credentials for each device
  • Observing and gathering evidence (screenshots) of how devices process emails with test attachments – access to user device required
  • Observing and gathering evidence of how devices handle downloads of file attachments from our test websites – access to user device required
  • Checking the installation and configuration of anti-virus software

CyberSmart will support you throughout the process to achieve your Cyber Essentials Plus. We have a team of cyber security experts who are available to provide expert advice and guidance.

Live chat is available through the dashboard during business hours for any queries you may have.

CyberSmart also has a dedicated helpline [020 7993 6990] available to answer all queries you may have about the Cyber Essentials Plus process.

The Cyber Essentials Plus scheme is open and available to all businesses.

Contact our team to book in your onsite or remote audit with our qualified auditor. 

If you have not already done so, complete your Cyber Essentials self-assessment questionnaire and submit it for review by our Assessors. Once your self-assessment questionnaire submission is approved, our team will reach out to arrange an audit with a CyberSmart qualified auditor.

They will validate the answers submitted in the self-assessment questionnaire for Cyber Essentials, and perform an in-depth assessment of the security of the organisation.  

If we identify areas that fail the assessment, we will provide remediation actions and timescales that you can apply before we issue the certification.

Upon successful completion, CyberSmart will award your certificate. You will receive both a digital and a physical copy of your certificate along with official branding collateral, including the Cyber Essentials Plus badges.

Cyber Essentials Plus is a government-backed certification scheme that enables you to demonstrate that your business has taken the necessary steps to protect against cyber attacks. This scheme tests your information system against five technical security controls.

Cyber Essentials Plus is an externally audited version of Cyber Essentials, performed by a qualified auditor on your devices and systems so the key controls are the same.

Firewalls

This control will apply to every business where employees have access to the internet. Internet gateways and firewalls will identify and prevent unwanted traffic gaining access to your network, computers, and systems. The controls you need to apply will include changing any default/admin passwords, ensuring firewalls are properly set up, etc.

Secure Configuration

A new computer or piece of software is rarely properly configured with its factory settings. This means that if you carry on using a device with its default settings, it is exposed to cyber risks. All computers and network devices should be configured securely to reduce risk. This will include reducing or removing unnecessary software and changing default settings and passwords.

Access Control

A significant number of data and cyber breaches occur from abuse of administrative user accounts in a business. Organisations and businesses should aim to only let certain individuals have special access privileges according to their role and responsibilities. Companies can look to manage this by performing a number of controls, such as having unique usernames and passwords, and keeping all account information in a secure, protected location.

Malware

Where computers and systems are exposed to the internet, they will need to be protected from malware. Malware is a program, or virus, that has been coded with the intent to perform unauthorised actions on one or more computers. Organisations should at a minimum look to protect all computers that are connected to the internet via cable or wireless. Other actions include having up-to-date anti-malware software as well as setting regular (daily) full scans to ensure early detection of malware.

Patch Management

As with any software, there are often regular updates released to address security issues, add more features and improve performance. If there are vulnerabilities in software that hasn’t been updated, this can become a weak spot that can be used to gain access to networks and computer systems. Organisations and businesses should ensure the following: remove out-of-date software, and apply all security patches as soon as they are available, and no later than 14 days after release.

Businesses that have successfully been assessed against the scheme will receive both a digital copy for their official website and a physical copy to display at their premises. You will also be able to use the appropriate Cyber Essentials Plus badge to publicise this fact. You will also be listed on the NCSC Cyber Essentials Plus website as a certified organisation. Being able to advertise that you have met a Government-approved cyber security scheme will give you an edge over competitors in the same market.

IASME & GDPR

What is IASME & GDPR?

IASME & GDPR also known as IASME Governance and GDPR readiness is an Information Assurance standard that is designed to be simple and affordable to help improve the cybersecurity of small and medium-sized enterprises (SMEs).  

The IASME & GDPR standard was developed over several years during a government-funded project to create a cybersecurity standard which would be an affordable and achievable alternative to the international standard, ISO 27001.

The standard is based on international best practice and covers the below controls. 

  • Risk assessment
  • Incident management
  • Backup
  • Policies
  • Data protection
  • Operational management

Achieving IASME & GDPR demonstrates that a business is taking the right steps to properly protect their customers’ information. 

The IASME & GDPR assessment combines a Cyber Essentials assessment with the GDPR requirements, and is available either as a self-assessment or as an on-site audit.

What is the difference between Cyber Essentials and IASME & GDPR?

Cyber Essentials is a Government scheme that helps businesses to guard against the most common cyber threats from the internet and demonstrate a commitment to cybersecurity. It covers five main technical controls which are firewalls, secure configuration, access management, malware, and patch management.

IASME & GDPR is aligned to the Government’s Ten Steps to Cyber Security and includes Cyber Essentials certification as well as controls around people and processes. It also covers the General Data Protection Regulation (GDPR) requirements. IASME & GDPR is aligned to a similar set of controls to ISO 27001 but is more affordable and achievable for small and medium sized businesses to implement.

How will I show that I have been certified for IASME & GDPR?

Businesses that have successfully been assessed against the scheme will receive both a digital copy for their official website and a physical copy to display at their premises. You will also be able to use the appropriate IASME badge to publicise this fact. You will also be listed on the IASME website as a certified organisation. Being able to advertise that you have met an approved cybersecurity scheme will give you an edge over competitors in the same market.

What support do you give to help achieve IASME & GDPR?

CyberSmart will support you throughout the process to achieve your IASME & GDPR certification. We have a team of cybersecurity experts who are available to provide expert advice and guidance. 

Our IASME & GDPR questionnaire includes guidance and example answers for every question. 

We have also provided an IASME & GDPR policy pack which gives you access to over 20 templates that can be downloaded and modified for your business. 

Live chat is available through the dashboard during business hours for any queries you may have. 

CyberSmart also has a dedicated helpline [020 7993 6990] available to answer all queries you may have about the IASME & GDPR process. 

How long does IASME & GDPR certification last?

IASME & GDPR certification is valid for one year. To retain a valid certificate, annual recertification is required. 

It is required that businesses maintain the principles of the IASME & GDPR scheme on an on-going basis and not just prepare for assessment. 

What are the benefits of IASME & GDPR?

All businesses will hold and access some form of data. These can include client information, employee data, suppliers’ information, customer marketing records, etc. 

The benefits of achieving IASME & GDPR certification are:

  • Reduced risk of cyber attacks by strengthening physical and system security
  • Increased resilience in the event of system failures or disasters
  • Ongoing compliance with standards via ‘plan, do, check, act’ methodology
  • Increased protection of staff, clients, stakeholders, and your supply chain
  • Proactive risk management.

My organisation already complies with a standard in cyber or information security – for example, ISO 27001 or PCI DSS. Do I still need IASME & GDPR?

Businesses sometimes presume that if they have undergone ISO 27001 certification they will not need the seemingly less complex IASME & GDPR standard. The reality is, IASME & GDPR can still be very beneficial for companies who hold ISO 27001 and provide additional levels of assurance. 

The IASME & GDPR standard maps closely to a number of widely recognized cybersecurity and assurance standards and guides. This means it can be used to demonstrate compliance with many of these standards.

IASME has mapped the standard and assessment question set to the standards listed below. 

  • 10 Steps to Cyber Security
  • NIS Directive Cyber Assessment Framework (CAF) 
  • ISO27001 / ISO27002
  • NHS Digital Data Security and Protection Toolkit

Achieving IASME & GDPR will further demonstrate your level of cybersecurity. 

What policy templates are included in the GDPR policy pack?

For the IASME & GDPR standard, we have included a GDPR policy pack which contains a number of policy templates to support the baseline of your GDPR implementation. These policy templates will allow you to produce and maintain evidence of your organisation’s compliance.

The policy templates included are below: 

  • Administrator Access Tracker
  • Asset Register Template
  • Business Continuity Plan
  • Data Classification Policy
  • Data Mapping Tool
  • Data Protection Policy
  • Information Security Policy
  • Privacy Policy Template
  • Reporting to ICO Form
  • Risk Assessment – Risk Treatment Plan
  • Security Awareness – Training Guidelines
  • Security Incident Form Instructions
  • Subject Access Request Form

CyberSmart software

What is CyberSmart Software?

Security software can often be a black box: users know very little about what is going on behind the scenes, and this doesn’t contribute to the overall education of users in good security practices.

We decided to remove the mystery and provide end-users with direct insight into the security process. The CyberSmart software is a simple application which is installed on all devices at your business that access company or customer data, and it ensures ongoing compliance. The CyberSmart software helps businesses to both achieve and maintain Cyber Essentials.

The software application periodically checks and reports the compliance status of the device by running through a series of security checks, and identifies any vulnerabilities or issues on the device using a simple traffic light system. The software application displays exactly what checks are taking place and the results of those tests. For any checks that are failing, the software application provides step-by-step instructions on how to quickly remediate them to ensure you are working in a safe and secure environment.

The software application simply feeds back information about security configuration settings to a cloud-based dashboard where you can monitor the compliance of your organisation.

What checks does the CyberSmart software run (Mac)?

The CyberSmart software runs a number of checks on the security configuration on each device. The checks mirror the five central areas of Cyber Essentials. The number of checks will vary depending on the device model and operating system. 

Below are the checks for Mac devices:

Automatic OS updating enabled

Automatic updates make sure your computer stays up-to-date protecting your operating system (OS) against any new threats or vulnerabilities. It also takes the hassle out of manually updating and can increase performance. 

Automatic app updates enabled

Automatic app updates make sure your software stays up-to-date protecting your system against any new threats or vulnerabilities. 

Firewall enabled 

Having a local firewall is important in the overall protection of your machine. It is one of the first layers of defence against outsiders. All operating systems have built-in firewalls that are easily accessible and effective. 

Stealth mode enabled 

This prevents your machine from being picked up via a network scan which could be used to launch further attacks. This is part of your firewall. 

System Integrity Protection enabled

SIP was introduced to prevent certain system-owned files and directories from being modified by processes that don’t have the right entitlements. 

Gatekeeper enabled

Gatekeeper protects your system by not allowing untrusted applications to execute.

Password enabled 

Having a password is a basic security step that should be taken. It ensures that you, and only you, can access your machine. The password should be a strong password (a minimum of eight characters long, with a mixture of capitalised and lowercase letters, symbols and numbers).

Anti-malware installed

Anti-malware is one of the first layers of defence against outsiders. You can use whichever anti-malware software you like as long as it performs real-time scanning, protects web surfing, and scans all incoming files.

What checks does the CyberSmart software run (Windows)?

The CyberSmart software runs a number of checks on the security configuration on each device. The checks mirror the 5 central areas of Cyber Essentials. The number of checks will vary depending on the device model and operating system.

Below are the checks for Windows devices:

Automatic OS updating enabled

Automatic updates make sure your computer stays up-to-date protecting your system against any new threats or vulnerabilities. It also takes the hassle out of manually updating and can increase performance. 

Automatic app updates enabled

Automatic app updates make sure your software stays up-to-date protecting your system against any new threats or vulnerabilities. 

Password enabled 

Having a password is a basic security step that should be taken. It ensures that you and only you can access your machine. The password should be a strong password (a minimum of 8 characters long, with a mixture of capitalised and lowercase letters, symbols and numbers).

Firewall enabled 

Having a local firewall is important in the overall protection of your machine. It is one of the first layers of defence against outsiders. All operating systems have built-in firewalls that are easily accessible and effective. 

Anti-malware installed

Anti-malware is one of the first layers of defence against outsiders. You can use whichever anti-malware software you like as long as it performs real-time scanning, protects web surfing, and scans all incoming files.
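The Mac checks listed above (automatic updates, firewall, stealth mode, System Integrity Protection, Gatekeeper), as an added example of how a device-side audit can turn each one into a traffic-light status; this is example code written for this page, not CyberSmart's software. It assumes Apple's csrutil, spctl, socketfilterfw and defaults tools and the AutomaticallyInstallMacOSUpdates and com.apple.commerce AutoUpdate preference keys; the password and anti-malware checks are left out because they depend on third-party products.

```sh
#!/bin/sh
# Added example (not CyberSmart's software): a minimal macOS compliance
# audit in the style of the Mac checks above. The parsing helpers take
# the raw output of a macOS command as a string, so they can be tried
# offline with constructed sample output; the live commands only run on
# macOS (uname = Darwin).

# classify_state OUTPUT: PASS / FAIL / UNKNOWN from an "enabled/disabled"
# style message, e.g. "System Integrity Protection status: enabled.",
# "assessments disabled", "Firewall is enabled. (State = 1)".
classify_state() {
  lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    *disabled*|*"state = 0"*) echo FAIL ;;
    *enabled*|*"state = 1"*)  echo PASS ;;
    *)                        echo UNKNOWN ;;
  esac
}

# classify_flag OUTPUT: PASS / FAIL / UNKNOWN from a "defaults read"
# boolean ("1" / "0"). An absent key (empty output) is UNKNOWN rather
# than PASS: missing evidence is never treated as compliant.
classify_flag() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    1) echo PASS ;;
    0) echo FAIL ;;
    *) echo UNKNOWN ;;
  esac
}

# traffic_light STATUS: the colour a dashboard would show for a check.
traffic_light() {
  case "$1" in
    PASS) echo GREEN ;;
    FAIL) echo RED ;;
    *)    echo AMBER ;;
  esac
}

# overall "STATUS STATUS ...": one red check makes the device red;
# otherwise any amber makes it amber; only an all-green device passes.
overall() {
  case " $1 " in
    *" FAIL "*)    echo FAIL ;;
    *" UNKNOWN "*) echo UNKNOWN ;;
    *)             echo PASS ;;
  esac
}

# report NAME STATUS: print one line and accumulate for the summary.
report() {
  printf '%-6s %-8s %s\n' "$(traffic_light "$2")" "$2" "$1"
  RESULTS="$RESULTS $2"
}

# run_audit: the live checks, using Apple's own command-line tools.
run_audit() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  su=/Library/Preferences/com.apple.SoftwareUpdate
  RESULTS=""
  report "Automatic OS updating enabled" \
    "$(classify_flag "$(defaults read "$su" AutomaticallyInstallMacOSUpdates 2>/dev/null)")"
  report "Automatic app updates enabled" \
    "$(classify_flag "$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null)")"
  report "Firewall enabled" \
    "$(classify_state "$("$fw" --getglobalstate 2>&1)")"
  report "Stealth mode enabled" \
    "$(classify_state "$("$fw" --getstealthmode 2>&1)")"
  report "System Integrity Protection enabled" \
    "$(classify_state "$(csrutil status 2>&1)")"
  report "Gatekeeper enabled" \
    "$(classify_state "$(spctl --status 2>&1)")"
  printf 'Device status: %s\n' "$(overall "$RESULTS")"
}

# Only run the live audit on macOS; elsewhere the helpers are still
# available for testing against sample output.
if [ "$(uname 2>/dev/null)" = Darwin ]; then
  run_audit
fi
```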

What devices and operating systems do you support?

CyberSmart software is available to install across desktops, laptops, servers, mobile and tablet devices. We currently support Mac, Windows, iOS and Android devices. 

We do not currently support Linux or Windows mobile devices. However, for Linux operating systems, we provide a step by step guide on securing and maintaining compliance for these operating systems.

Operating systems supported:

  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 8.1 Home
  • Windows 8.1 Pro

  • Windows Server 2019 (with Desktop Experience)
  • Windows Server 2016 (with Desktop Experience)
  • Windows Server 2012 (with Desktop Experience)
  • Windows Server 2008 R2 (with Desktop Experience)

  • MacOS Catalina (10.15)
  • MacOS Mojave (10.14)
  • MacOS High Sierra (10.13)
  • MacOS Sierra (10.12)

  • iOS 9
  • iOS 10
  • iOS 11
  • iOS 12
  • iOS 13
  • Android Marshmallow
  • Android Nougat
  • Android Oreo
  • Android Pie
  • Android KitKat
  • Android Lollipop

How does the CyberSmart software protect my business?

The CyberSmart software will help lower the risk of cyber threats by continually monitoring the security of your devices. It provides a level of assurance that your business is complying with the fundamental security requirements for end-users and their devices.

The software application provides 24/7 monitoring across your business IT and alerts you to any vulnerabilities so they can quickly be remediated. 

CyberSmart software will continuously monitor end-user devices against the 5 control areas of Cyber Essentials and help protect against over 80% of cyber attacks. 

What else does the CyberSmart software check on devices?

The CyberSmart software predominantly checks native security configuration on devices and if any existing software installed on devices has any known vulnerabilities.  

For the anti-malware and firewall checks, the software will also check for third-party installs (e.g. Avira, Avast, Sophos, etc.) and include the name of the third-party product next to the check.

By default, the software application runs in ‘report-only’ mode, meaning it cannot modify anything on the device; it simply feeds back information about security configuration settings and software vulnerabilities to your cloud-based dashboard.

What data does the CyberSmart software collect?

The CyberSmart software application has been designed to collect minimal information, specifically relevant to meeting and maintaining security compliance requirements.

Here’s a list of the information utilised in addition to the security checks carried out by the CyberSmart application. 

Information related to the device:

  • Operating system 
  • Device ID
  • Hostname
  • Serial number

Information related to the user:

  • Current username
  • Windows domain, if in use
  • If user is an admin or regular user

Information related to the network:

  • Network interfaces

Information related to installed software:

  • Software installed and version

Information relevant to diagnostics:

  • App version and install type
  • In the event of a crash, the error that occurred

As we expand app functionality we may look at additional data points to support our goal of automating compliance. We have no plans for this to include any personal, sensitive data or information being sent across the network.

How many devices can I install the CyberSmart software on?

You can install the CyberSmart software on up to 5 devices per user. We support unlimited users within your organisation. We are already protecting devices for thousands of organisations, from sole traders to businesses with global locations. 

Why do I need the CyberSmart software?

With a growing culture of remote working, dispersed workforces, and endless professional systems, outstanding cyber hygiene is now critical for the success of small businesses. 

Unfortunately, certification in this field only guarantees protection at a single moment in time. We have found many businesses lapse in security within a few months of certification.

The CyberSmart software offers continuous compliance. It is easily installed on any device, personal or company-owned, and runs continually in the background, assessing its security every 15 minutes. When a device fails a security check, it is immediately reported to a centralised dashboard with simple step-by-step instructions on how to fix the issue.

In addition to security monitoring, the app provides a platform for company policy distribution so every team member can have access to critical company policies on their device.

Do I need the CyberSmart software to achieve Cyber Essentials?

CyberSmart software is not a mandatory requirement to achieve Cyber Essentials, however, it provides ongoing monitoring and assurance that your business is working in a safe and secure environment. 

The Cyber Essentials process is a ‘snapshot’ in time: it can only be sure to be effective on the day of the assessment, similar to an MOT on a car. As with the MOT, the car will not remain roadworthy without regular maintenance. We therefore recommend that businesses maintain the principles of the Cyber Essentials scheme by deploying CyberSmart software across the devices at the business. The CyberSmart software was developed to maintain Cyber Essentials on an ongoing basis.

What devices would I need to install the CyberSmart software on?

CyberSmart software should be installed on any devices that access company or customer data. This may include both personal and professional desktops, laptops, servers, virtual machines, mobile phones and tablets.

CyberSmart technical requirements

Web portal:

Any modern web browser

  • Chrome (recommended browser)
  • Firefox
  • Edge
  • IE 11
  • Safari

Operating systems supported:

  • Windows 10 Home
  • Windows 10 Pro
  • Windows 10 Enterprise
  • Windows 8.1 Home
  • Windows 8.1 Pro
  • Windows Server 2019 (with Desktop Experience)
  • Windows Server 2016 (with Desktop Experience)
  • Windows Server 2012 (with Desktop Experience)
  • Windows Server 2008 R2 (with Desktop Experience)
  • MacOS Catalina (10.15)
  • MacOS Mojave (10.14)
  • MacOS High Sierra (10.13)
  • MacOS Sierra (10.12)
  • iOS 9
  • iOS 10
  • iOS 11
  • iOS 12
  • iOS 13
  • Android Marshmallow
  • Android Nougat
  • Android Oreo
  • Android Pie
  • Android KitKat
  • Android Lollipop

Currently, we do not support:

  • Linux
  • ChromeOS

However, for Linux operating systems, we provide a step-by-step guide on securing and maintaining compliance for these operating systems.

Minimum Hardware Specification (Desktop)

  • 1GB RAM
  • 3.3+ GHz (Manufacturer example: Intel i3 3rd Generation, AMD Ryzen 3)

Ports:

If machines are able to access the internet, no additional configuration is required.

Restrictive firewalls whitelist:

  • TCP 443 (All traffic is over secure web HTTPS)
  • UDP 53 (DNS lookups)

What is Smart Policies?

Smart Policies allows your business to digitally upload and share policies with end-users directly through the CyberSmart software application. You can easily upload policies, like your data security policy or your company handbook, from your dashboard and have these distributed to end-users in real-time and track who has read and agreed on each policy. The end-user can view policies across their devices and easily read through and agree. 

In a digital age, CyberSmart has removed the hassle of sharing and keeping a track of who has agreed to policies. If every device has our software installed, employees can access company policies anywhere and at any time.

What is the CyberSmart mobile app?

CyberSmart provides a mobile application that offers protection and assurance on mobile devices. Our mobile application will ensure all devices at your business are secure. The mobile application checks mobile devices are configured to the recommended security practices, as per the requirements of Cyber Essentials. It guides users on how to protect the device and themselves. It also supports Smart Policies to make sure end users can read and agree to policies on their mobile devices to comply with their business’s internal policies. 

It supports both user-managed and corporate-provided devices.

What checks does the CyberSmart mobile application run?

The CyberSmart mobile application runs a number of checks on the security configuration on each device. The checks support the mobile security requirements of Cyber Essentials. 

Below are the checks for mobile devices:

PIN enabled

A PIN is a security code that verifies your identity and provides access to your mobile device. Like a password, it should be kept a secret to prevent unauthorised persons from accessing your private data or services.  This will also check if an alternative form of authentication is in place, most commonly biometric authentication (thumbprint or face scan).

The device is not jailbroken

Jailbreaking your mobile device will void your warranty. It can cause the operating system to become unstable and exposes the jailbroken phone to a higher risk of malware or compromise.

Phone model supported

The model of the device is supported by the manufacturer. Manufacturers only support devices for a certain period of time; older models won’t get security updates.

Operating system secure

Maintaining your mobile device operating system (OS) by regularly updating it from the manufacturer is the best way to keep your device secure and minimise the risk of your privacy and data being compromised.

CyberSmart software for BYOD?

BYOD stands for Bring Your Own Device. Many businesses will allow employees to use their own devices for work purposes. CyberSmart software can be deployed on all devices including BYOD. We recommend installing the software on all devices that access company or customer data to ensure devices are secure and up to date.

How do you install the CyberSmart software?

The CyberSmart software is easily installed on devices. There are two options to install the software application:

Individual enrolment: 

Individual enrolment allows you to send an end user an install link via email. The end-user then follows the instructions to install the software. This method is predominantly used where there is no single platform for device management, such as where user-managed devices and bring your own device (BYOD) are in place.

Bulk Deployment: 

Bulk deployment (or centralised deployment) is an advanced method where an MSI file is downloaded from the dashboard and installed via Group Policy, Mobile Device Management (MDM) or a Remote Monitoring & Management (RMM) tool. This method is predominantly used for centrally managed devices or where a third party such as a Managed Service Provider (MSP) maintains the devices.

CyberSmart Dashboard

CyberSmart’s Software Report

Software Discovery provides ongoing security assurance as a service by checking the software versions on desktop devices and identifying any known vulnerabilities. This information is reported back to the cloud-based dashboard.

This gives the business administrator access to the security status of all devices in the organisation so they can take appropriate action on any vulnerable software identified.

What is the CyberSmart Dashboard?

Our cloud-based dashboard (also known as a portal) acts as the central hub into which all information from the apps on your company devices feeds, and allows the organisation’s administrator to manage security and compliance. This cloud-based dashboard offers visibility across your business and the ability to monitor and remediate compliance, ensuring continuous protection.

The cloud-based dashboard gives you access to compliance reports and the ability to digitally share policy documents with end-users and track adherence. It will show you if any software is vulnerable on your Windows and Mac devices.

If you are using self-enrolment, it allows you to add or remove users (or CyberSmart can do this automatically via Google/Microsoft sync). It also allows you to download the latest MSI / PKG files if you are using bulk deployment.

The cloud-based dashboard also allows you to complete questionnaires for Cyber Essentials and IASME Governance & GDPR readiness.

How secure is the CyberSmart dashboard?

The CyberSmart dashboard has been designed by security professionals and experienced developers with security as its foundation. We utilise the most secure and resilient infrastructure from AWS which ensures servers are always patched and up to date.

Web servers store no sensitive information – this is retrieved from an AES-256 encrypted database accessible only within the virtual private cloud. Automated security tests are performed internally across the codebase on every commit. External automated web application security testing is performed daily. 

In addition, we undertake regular third-party security audits including web application penetration tests to ensure comprehensive coverage.

How does the CyberSmart Dashboard protect your business?

The CyberSmart dashboard allows you to monitor compliance throughout your business. You can check the compliance status of individual devices and fix issues with how-to and step-by-step instructions to ensure that anyone, regardless of technical or compliance knowledge, can ensure their business is safe and secure.