Cyber Essentials is a scheme launched in 2014 that sets out the baseline standard for basic cyber security in businesses. The Government consulted and worked with industry organisations to come up with what we now know as the Cyber Essentials accreditation.
Cyber Essentials comes in two levels of certification:
Cyber Essentials - an independently verified self-assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.
Cyber Essentials PLUS - a higher level of assurance. An independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.
So, what are the five controls that Cyber Essentials tests in our business?
· Boundary firewalls and internet gateways
· Secure configuration
· Access control
· Malware protection
· Patch management
Between these five areas, 64 questions are asked to see if you meet the required standard; together the controls mitigate over 99% of the most common, unskilled cyber-attacks that businesses fall victim to every day.
Cyber Essentials has become the minimum standard required for working with some central government departments. This requirement is pushed down the supply chain, and it is widely expected to be required across government departments and local government over time.
Let's take each of those 5 controls and give some examples as to what is expected:
1. Boundary firewalls and internet gateways
This area checks that only safe and necessary internet traffic is allowed through, by correct configuration of the firewall, and also that the firewall configuration is protected with strong credentials and restricted to only those who require access.
2. Secure Configuration
The secure configuration checks are there to reduce the vulnerabilities that systems carry by default, and to make sure that machines and services run with only the minimum level needed for the role being fulfilled. Examples would be removing administrative privileges from employees and changing all default passwords to secure ones.
3. Access Control
This area looks at user accounts and makes sure they are assigned to authorised individuals only, and that they give access only to those applications, computers and networks actually required for the user to perform their role.
4. Malware Protection
This is the one that is always in the news at the moment. This area confirms that you have adequate protection to stop known malware from running and to prevent harmful code from causing damage or accessing data. It is the area most people concentrate on, but without the other controls within the Cyber Essentials standard it is not effective on its own.
5. Patch Management
Patch management is the process by which you ensure that devices and software are not vulnerable to known security issues for which fixes are available. Software vendors regularly release fixes and patches for vulnerabilities, and the standard requires that these are installed in a timely manner.
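To make the five areas concrete, here is an added example (not part of the scheme's question set or any assessor's tooling) that runs a simple self-assessment over a constructed asset inventory and groups each gap under the control it falls into. The inventory field names, the "it-admin" role convention and the 14-day patch threshold are assumptions made for the example; the page itself gives no number for "timely".

```python
# Assumed threshold for "timely" patch installation; the page gives no number.
MAX_PATCH_AGE_DAYS = 14

CONTROLS = ("Boundary firewalls and internet gateways", "Secure configuration",
            "Access control", "Malware protection", "Patch management")

def assess_asset(asset):
    """Return (control, finding) pairs for one constructed inventory record."""
    name, found = asset["name"], []
    # 1. Firewall admin interface must not be exposed; access restricted to those who need it.
    if asset.get("is_gateway") and asset.get("admin_from_internet"):
        found.append((CONTROLS[0], f"{name}: firewall admin interface reachable from the internet"))
    # 2. Default passwords are a secure-configuration failure wherever they remain.
    for acct in asset.get("default_passwords", []):
        found.append((CONTROLS[1], f"{name}: account '{acct}' still uses a default password"))
    # 3. Accounts belong to named individuals; admin rights only with an admin role (assumed 'it-admin').
    for acct, info in asset.get("accounts", {}).items():
        if not info.get("owner"):
            found.append((CONTROLS[2], f"{name}: account '{acct}' not assigned to a named individual"))
        if info.get("admin") and info.get("role") != "it-admin":
            found.append((CONTROLS[2], f"{name}: '{acct}' holds admin rights without an admin role"))
    # 4. Every device needs working anti-malware protection.
    if not asset.get("anti_malware"):
        found.append((CONTROLS[3], f"{name}: no anti-malware protection installed"))
    # 5. Pending security patches older than the threshold fail patch management.
    age = asset.get("oldest_pending_patch_days")
    if age is not None and age > MAX_PATCH_AGE_DAYS:
        found.append((CONTROLS[4], f"{name}: security patch pending for {age} days"))
    return found

def assess_inventory(assets):
    """Group findings by control area; an empty list means that control is met."""
    report = {c: [] for c in CONTROLS}
    for asset in assets:
        for control, finding in assess_asset(asset):
            report[control].append(finding)
    return report

def meets_all_controls(assets):
    return all(not findings for findings in assess_inventory(assets).values())

# Constructed sample inventory: two records with deliberately invented gaps.
SAMPLE_ASSETS = [
    {"name": "edge-fw", "is_gateway": True, "admin_from_internet": True,
     "default_passwords": ["admin"], "anti_malware": True, "oldest_pending_patch_days": 3,
     "accounts": {"admin": {"owner": "J. Smith", "admin": True, "role": "it-admin"}}},
    {"name": "laptop-07", "anti_malware": False, "oldest_pending_patch_days": 40,
     "accounts": {"sales1": {"owner": "A. Jones", "admin": True, "role": "sales"},
                  "shared": {"owner": None, "admin": False, "role": "sales"}}},
]
```

Running `assess_inventory(SAMPLE_ASSETS)` shows the firewall failing the first two areas and the laptop failing the last three, which is the typical SME picture the article describes: a few controls in place, rarely all five.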
As you can see, the 5 areas cover all the basics, but they are basics that most SMEs do not control within their businesses. Some may cover a few of them, but it is rare for a small business to do them all, and to a good standard.