You may have heard of the 'Cyber Essentials' scheme, which launched in June 2014. If you haven't, it is a UK government and industry backed scheme to help organisations of all sizes protect themselves against the most common cyber attacks. In collaboration with the Information Assurance for Small and Medium Enterprises consortium (IASME) and the Information Security Forum (ISF), it sets out a small set of basic technical controls for organisations to implement, and compliance is assessed annually.
Once an organisation is fully compliant it receives a certificate to show current and potential stakeholders that it has security measures in place. Two levels of certification are currently available:
- Cyber Essentials: the certification process consists of a self-assessment questionnaire (SAQ) and an external vulnerability scan. It defends against the common attack vectors that target enterprise and corporate IT systems.
- Cyber Essentials Plus: a higher level of assurance, recommended for businesses that need to demonstrate it. It includes everything in the Cyber Essentials assessment plus an additional internal vulnerability scan and an on-site assessment.
Cyber Essentials addresses five key controls which, when implemented correctly, can prevent around 80% of common cyber attacks. It covers the following key areas:
1). Boundary firewalls and internet gateways:
When working correctly, firewalls and gateways provide a basic level of protection for Internet-connected systems: they inspect network traffic and block traffic that could be harmful. If your firewalls are weakly configured, not kept up to date, or fail to block harmful sites, your business is exposed. The Cyber Essentials objective is to:
- Ensure that only safe and necessary network services can be accessed from the Internet.
2). Secure configuration:
This refers to the security settings applied when computers and network devices are deployed. You may be vulnerable if you leave default passwords or default user accounts on devices, leave unnecessary ports open on firewalls, or store data unencrypted.
The Cyber Essentials objective is to:
- Ensure that systems are configured in the most secure way for the needs of the organisation.
3). Access Control:
Whether unknowingly or deliberately, employees are an organisation's biggest cyber security risk. You should have a user account management process in place that controls which privileges each employee holds.
The Cyber Essentials objective is to:
- Ensure that only those who should have access to systems have it, and at the appropriate level.
4). Malware Protection:
Fairly self-explanatory: your business should have anti-malware software installed on every device that connects to the Internet. You also need to ask 'How do we know our protection is up to date enough to deal with the latest threats?' and 'Who is maintaining it?' The Cyber Essentials objective is to:
- Restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data.
5). Patch management:
This refers to how up to date the software on your systems is. Running an old, unsupported operating system such as Windows XP makes you far more vulnerable to attack; unpatched systems were a major factor in the WannaCry incident that hit the NHS in May 2017. The Cyber Essentials objective is to:
- Ensure that devices and software are not vulnerable to known security issues for which fixes are available.
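Two of the objectives above, the boundary firewall objective and the patch management objective, can be checked mechanically against an asset inventory rather than answered from memory on the questionnaire. The Python script below is an added example written for this page; it is not tooling from the Cyber Essentials scheme, from IASME, or from this page's author. The host names, listening services, package versions and vendor fix dates are constructed, the approved-services list stands in for an assumed organisational policy, and the 14-day window is the deadline the scheme's requirements set for applying critical and high severity fixes.

```python
"""Check a constructed asset inventory against two Cyber Essentials objectives:
- boundary firewalls: only approved services are reachable from the Internet
- patch management: critical/high fixes are applied within 14 days of release
Added example for illustration; every data set below is constructed.
"""
from datetime import date

# Cyber Essentials requires critical and high severity fixes within 14 days of release.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}

# Constructed: services listening on Internet-facing interfaces, as you might
# gather from `ss -tlnp` on each host. Tuples are (protocol, port, process).
EXPOSED_SERVICES = {
    "web-01": [("tcp", 443, "nginx"), ("tcp", 22, "sshd"), ("tcp", 3306, "mysqld")],
    "mail-01": [("tcp", 25, "postfix"), ("tcp", 587, "postfix"), ("tcp", 8080, "jenkins")],
}

# Assumed organisational policy: the only services allowed to face the Internet.
APPROVED_SERVICES = {
    "web-01": {("tcp", 443), ("tcp", 22)},
    "mail-01": {("tcp", 25), ("tcp", 587)},
}

# Constructed: installed package versions per host.
INSTALLED = {
    "web-01": {"openssl": "3.0.10", "nginx": "1.24.0"},
    "mail-01": {"openssl": "3.0.12", "postfix": "3.8.1"},
}

# Constructed vendor fixes: versions, severities and release dates are illustrative only.
FIXES = [
    {"package": "openssl", "fixed_version": "3.0.12", "severity": "high", "released": date(2024, 1, 10)},
    {"package": "nginx", "fixed_version": "1.25.1", "severity": "medium", "released": date(2024, 1, 5)},
    {"package": "postfix", "fixed_version": "3.8.2", "severity": "critical", "released": date(2024, 2, 1)},
]


def unexpected_services(exposed, approved):
    """Return {host: [(proto, port, process), ...]} for listeners not on the approved list."""
    findings = {}
    for host, listeners in exposed.items():
        allowed = approved.get(host, set())
        extra = [svc for svc in listeners if (svc[0], svc[1]) not in allowed]
        if extra:
            findings[host] = extra
    return findings


def version_tuple(version):
    """Turn '3.0.12' into (3, 0, 12) so versions compare numerically, not as strings
    (as strings, '3.0.9' would sort after '3.0.12')."""
    return tuple(int(part) for part in version.split("."))


def missing_fixes(installed, fixes, today):
    """Return (host, package, fixed_version, days_since_release, overdue) for every
    in-scope fix that is not yet applied. overdue is True once the 14-day window has passed."""
    results = []
    for host, packages in installed.items():
        for fix in fixes:
            if fix["severity"] not in IN_SCOPE_SEVERITIES:
                continue  # lower severities are not subject to the 14-day deadline
            current = packages.get(fix["package"])
            if current is None or version_tuple(current) >= version_tuple(fix["fixed_version"]):
                continue  # package absent or already at/above the fixed version
            age = (today - fix["released"]).days
            results.append((host, fix["package"], fix["fixed_version"], age, age > PATCH_WINDOW_DAYS))
    return results


def report(today=date(2024, 2, 5)):
    """Run both checks against the constructed inventory and return the findings."""
    services = unexpected_services(EXPOSED_SERVICES, APPROVED_SERVICES)
    patches = missing_fixes(INSTALLED, FIXES, today)
    for host, extra in services.items():
        for proto, port, proc in extra:
            print(f"[firewall] {host}: {proc} on {proto}/{port} is not an approved Internet-facing service")
    for host, pkg, fixed, age, overdue in patches:
        status = "OVERDUE" if overdue else "within window"
        print(f"[patching] {host}: {pkg} needs {fixed}; fix released {age} days ago ({status})")
    return services, patches


if __name__ == "__main__":
    report()
```

On the constructed data the script flags the MySQL and Jenkins listeners as unapproved exposure, reports the OpenSSL fix on web-01 as overdue (released 26 days before the check date) and the Postfix fix on mail-01 as still inside the window. Feeding it real `ss -tlnp` output and your vendor advisory feed is the obvious next step; the point is that the scan data and the approved list are kept separate, so an unexpected listener shows up as a finding rather than quietly becoming "what the firewall does".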
You can complete a self-assessment questionnaire to see how your business currently measures up against the five security controls.
Why would my business need Cyber Essentials?
Do you provide products or services in the supply chain for defence, government contracts, aerospace or any major industry such as the motor industry? Be prepared to be asked by your customers to prove that you're taking cyber security seriously. Cyber Essentials is a good way to do this, and for some customers certification is mandatory. For example, the new Defence Cyber Protection Partnership requirements state for the "Very Low Risk" profile that suppliers must "VL.01 Maintain Cyber Essentials Scheme certification". Other government schemes also have it as a requirement.
For other organisations it is a vital first step towards basic cyber security. Small and medium-sized (SME) business owners have traditionally believed that they are not a target and hold no information of value to an attacker. Contrary to that perception, SMEs are an attacker's goldmine: they are more likely to pay ransoms, they often lack adequate security measures so attacks are easier to get away with, and as suppliers they can be a gateway into larger organisations.
60% of small businesses suffered a malicious breach in the past year, yet only 1 in 4 felt 'well prepared' for an attack, which on average costs a UK small business £16,264. Being fully Cyber Essentials compliant mitigates around 80% of the common risks your business faces, such as malware infections, social engineering attacks and hacking. Certification also:
- Gives you a competitive advantage within your industry, since you can offer stakeholders demonstrably better security and lower-risk solutions.
- Takes away much of the fear of cyber attack, knowing you have implemented the practices that prevent around 80% of common attacks.
- Lets you bid for UK Government contracts that involve handling personal and sensitive information, and improves your chances of winning business in the private sector.
- Is looked on favourably by insurers, as SMEs with Cyber Essentials can prove that measures are in place to reduce the chance of a cyber attack.
Updated (15/01/18): Your route to GDPR compliance!
What is GDPR?: GDPR or the General Data Protection Regulation is the new legislation that is going to replace the current DPA (Data Protection Act). GDPR becomes enforceable from 25th May 2018 and is designed to ensure that all personal and customer data is handled and managed in a way that gives individuals the right to choose how the data is collected, stored and processed.
To find out more information, have a look at our GDPR blog series which covers a range of topics regarding the new legislation.
How does this relate to Cyber Essentials? Cyber Essentials is recognised by the Information Commissioner's Office (ICO) as the standard underpinning the data protection and network security aspects of GDPR compliance, and as such should be part of any company's approach to GDPR.
The ICO has already produced guidance for SMEs on IT security and I would also recommend consideration of the government’s cyber essentials scheme to assist in identifying the actions you need to take. You can expect to see more guidance on this in the context of GDPR.
- Elizabeth Denham, Information Commissioner (ICO)
However, GDPR requires more than the basic technical controls of Cyber Essentials; it also calls for the governance controls covered by the IASME Governance standard. Together, Cyber Essentials and IASME Gold are an affordable alternative to ISO 27001 for SMEs and are seen as important steps on the journey towards compliance.
We are licensed to certify against both the government-backed Cyber Essentials scheme and IASME Gold. As a certification body, we can help you achieve both.
Join the 2,000 companies nationwide that have opted for Cyber Essentials to secure and boost their business.
If you'd like to discuss how ATG can help you obtain these certifications without the headache, or you're unsure which certification is more relevant to your business, click here to book a call with one of our consultants, or contact us here.