Cyber-attacks are rising exponentially amongst businesses of all sizes, so protecting your organisation against cyber-criminals has never been more important. To get started, all businesses whatever their size should look at implementing Cyber Essentials. But what is Cyber Essentials, and why does your organisation need it?
What is Cyber Essentials?
Cyber Essentials is a scheme run by the UK government which is designed to help protect organisations and companies whatever their size from common types of cyber-attack. Many of these attacks are often basic and carried out by people who are relatively unskilled, but they have been described as the equivalent of a burglar breaking into someone’s home after they have tried the front door to see if it is unlocked.
The scheme was launched as a certification scheme in 2014 by the Department of Business, Innovation and Skills and is run and operated by the National Cyber Security Centre (NCSC).
What are the benefits of having Cyber Essentials?
Cyber Essentials benefits organisations by:
- Stopping Cyber Attacks: by not protecting your computer systems you’re at more risk of a cyber-attack. This may result in your organisation losing critical data, disrupting cash flow and impacting your business reputation.
- Government contracts: if your organisation bids for contracts from the UK Government you will need to be Cyber Essentials certified.
- Customer trust: by becoming certified in Cyber Essentials, it shows your clients and customers that you take cyber security seriously and are taking the necessary steps to keep the data you hold about them safe. Displaying your credentials on your website, emails and other marketing materials shows your customers – and prospective ones – that you’re serious about cyber security and acts as a form of kitemark.
The Five Controls of Cyber Essentials
There are five technical controls (a “control” is simply a way to address a risk) you will need to put in place to achieve Cyber Essentials, which are:
- Office Firewalls and Internet Gateways: Secure your internet connection with boundary and host-based firewalls.
- Secure Configuration: Settings, passwords and two-factor authentication.
- User and Administrative Accounts: Protecting administrators and limiting access to data and services.
- Malware Protection: Viruses, white-listing and sand-boxing.
- Software Patching: Keep your devices and software up to date.
Guidance from the UK National Cyber Security Centre breaks these down into finer details (although there is no definitive Cyber Essentials standard document, as there would be with an ISO standard or a law). These controls have been chosen as the highest priority ones from other, more detailed guidance such as the ISO27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Governance standard. Cyber Essentials, however, has a narrower focus, emphasising technical controls rather than more general governance and risk assessment.
Cyber Essentials and GDPR
Cyber Essentials is also useful for those with an eye on GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union. The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process.
While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold data protection law in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.
Standard or Plus Certification?
Not everyone has the time or money needed to develop a comprehensive cyber security system, so Cyber Essentials has been designed to fit in with whatever level of commitment you are able to sustain. There are three main levels of engagement:
The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT systems, without becoming certified.
If you need more certainty in your cyber security (or you want to show others that you’re taking it seriously), you can apply for basic certification. Certification will include a remote vulnerability scan of equipment connected to the web.
For those who want to take cyber security a bit further, Cyber Essentials Plus certification is also available. The five controls are the same as for the basic level, but Plus also includes a more detailed vulnerability scan from inside your network (tested onsite), to check your devices are configured correctly.
The self-assessment option (not going for certification) still gives you protection against a wide variety of the most common cyber attacks, so we’d encourage you to do this as a minimum. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.
Certification gives you increased peace of mind that your defences will protect against the majority of common cyber attacks simply because these attacks are looking for “soft” targets which do not have the technical controls in place. If you would like to bid for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, you may need to have Cyber Essentials certification, at either the basic or Plus level.
The cost of becoming certified
The process of obtaining basic Cyber Essentials certification is relatively simple and generally costs between £300 and £600 plus VAT. The scheme shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus due to the additional cost, which can be several thousand pounds (although this varies – shop around for the most appropriate deal for you).
Steps to certification
Certification involves three simple steps:
- Verify your computer systems that are in scope are suitably secure and meet the standards set by Cyber Essentials.
- Book an audit with an IASME accredited certification body.
- Complete and submit the questionnaire if you’re doing Cyber Essentials Basic – your certification body will provide this and verify your answers. For Cyber Essentials Plus, you will arrange an on-site audit.
Choosing a certification body
Certification is conducted by the IASME Consortium for both types of certification. You will need to choose an IASME accredited certification body to perform your evaluation and award your Cyber Essentials certificate.
Defining your scope and implementing the controls
Cyber Essentials defines a set of requirements in the five control areas and you will need to make sure your systems and software meet these before you move on to the next stage of certification. You may be required to supply various forms of evidence before your chosen certification body can award certification at the level you seek, so it’s best to have this available in case it’s asked for.
You will also need to define the scope of your intended certification. This determines what is certified and, in the case of Cyber Essentials Plus, what is tested. Generally, the scope will be defined by a physical location, such as your main office, remote offices or cloud services.
The Cyber Essentials questionnaire
Having understood the requirements on the installation, configuration and maintenance of your IT, you are ready to complete the certification questionnaire and submit this to your certification body. The actual questionnaire you complete will be supplied by your certification body.
The certification body may come back to you with some clarification questions and, once you have answered these, a decision will be reached about whether or not your answers meet the requirements for certification.
Once the certification body says you’ve passed, you will be awarded your Cyber Essentials certificate and may use the logo on your website and marketing materials. Your certificate remains valid for one year, after which you will need to re-certify if you want to stay on the list of certified organisations on the NCSC website.