Cyber Essentials is an internationally recognized IT security standard created by the UK’s National Cyber Security Centre. It ensures that organizations maintain a proper level of cyber resilience, enable secure IT devices and processes, and follow industry best practices for protecting their digital infrastructure. The UK government requires small, medium, and large organizations working on sensitive projects to hold this certification.
Achieving Cyber Essentials also helps EU, US, and UK organizations with a solid foundation and starting point in demonstrating a commitment to cybersecurity best practices.
Organizations that invest in Cyber Essentials Basic/Plus certification demonstrate their commitment to protecting their data, employee information, and customer information by deploying high-level cybersecurity processes and proven adaptive controls.
How Do Organizations Become Certified?
Becoming certified with Cyber Essentials is a self-assessment process. Achieving this certification gives the organization peace of mind, knowing that the controls it has deployed will help reduce security risk and protect critical stakeholders.
Organizations wanting to achieve Cyber Essentials Plus will start by filling out an online questionnaire and must engage a compliance assessor to review and certify their documents.
Therefore, candidates for the Cyber Essentials Basic/Plus should work with an approved assessment firm to help with any steps to fill out the questionnaire. The assessor will review the questionnaire answers and advise of any required changes before submission for certification.
Completing the Self-Assessment
The self-assessment questionnaire focuses on which security controls and cyber resilience practices the organization has deployed today and whether these adaptive controls are maintained.
Organizations wanting to get Cyber Essentials certification must deploy the proper adaptive controls in their environment and establish baselines for their current capability. Here are the five required adaptive controls.
1. Deploying Firewalls
To meet Cyber Essentials requirements, all devices connected to the Internet must have a firewall. Firewalls create a buffer between inside and outside networks. Ensure firewalls are active on all devices and keep track of port openings and closings.
- Close all ports not required for business use.
- Document any changes to port configuration through a change control process.
- Establish remote access zones by IP address to ensure only specific users can access approved resources.
- Enable the personal firewall application on all end-user devices.
2. Enabling Consistent System Hardening Schemes on All Servers
Organizations should follow industry best practices for hardening systems by locking down all servers, network devices, and virtual instances to ensure that default user accounts and passwords are disabled.
- Disable default login details on all servers and virtual machines.
- Uninstall software not required for business use.
- Disable unused user accounts, including past administrator logins.
- Create a password enforcement policy and apply it to all hosts.
3. Enabling Organization-Wide Access Control
Organizations wanting to achieve the Cyber Essentials Basic/Plus certification must configure role-based access control (RBAC) on all devices, servers, and hosts. They must assign individuals and groups only the access that aligns with their business function. Deploying an RBAC solution can often take time and effort.
Small-to-medium businesses (SMBs) often leverage native Microsoft Active Directory (AD) tools to meet their RBAC requirements with minimal resources. Microsoft AD offers SMBs excellent access control tools for Microsoft products, and LDAP connectors to third-party tools cover devices and hosts not running Microsoft solutions.
4. Patch Management for Cyber Essentials
Organizations must deploy an enterprise-wide patch management solution to ensure all devices, hosts, applications, and operating systems receive security updates and product enhancements.
Organizations should also validate that their patch management solution works as expected as part of the self-assessment process. As vendors release feature enhancements and security updates, organizations should document in their questionnaires the turnaround time their IT and SecOps teams need to deploy these updates.
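One way to produce the turnaround evidence described above is to compute it from the patch deployment log. The script below is an added example, not part of the original post; the log entries are constructed, and the 14-day limit is an assumption for this example rather than a figure the post states.

```python
"""Patch turnaround evidence for the Cyber Essentials questionnaire (added example)."""
from datetime import date

# Assumed maximum days from vendor release to deployment (assumption for this example).
MAX_TURNAROUND_DAYS = 14
# Date the assessment is taken; open updates are measured up to this day.
AS_OF = date(2024, 4, 1)

# Constructed log: (host, update id, vendor release date, deployment date or None if pending)
PATCH_LOG = [
    ("web-01", "KB-0001", date(2024, 3, 1), date(2024, 3, 5)),
    ("web-01", "KB-0002", date(2024, 3, 10), date(2024, 3, 30)),
    ("db-01", "KB-0001", date(2024, 3, 1), date(2024, 3, 2)),
    ("db-01", "KB-0002", date(2024, 3, 10), None),
    ("laptop-17", "KB-0002", date(2024, 3, 10), date(2024, 3, 12)),
]


def turnaround_days(release, deployed, as_of):
    """Days from vendor release to deployment; a pending update counts up to as_of."""
    end = deployed if deployed is not None else as_of
    return (end - release).days


def assess_patching(log, as_of, max_days=MAX_TURNAROUND_DAYS):
    """Per-host summary: worst turnaround, updates over the limit, and still-open updates."""
    summary = {}
    for host, update, release, deployed in log:
        entry = summary.setdefault(host, {"worst_days": 0, "overdue": [], "open": []})
        days = turnaround_days(release, deployed, as_of)
        entry["worst_days"] = max(entry["worst_days"], days)
        if deployed is None:
            entry["open"].append(update)
        if days > max_days:
            entry["overdue"].append(update)
    return summary


def questionnaire_figures(summary):
    """Fleet-wide figures to record: worst turnaround in days and hosts over the limit."""
    worst = max(entry["worst_days"] for entry in summary.values())
    failing = sorted(host for host, entry in summary.items() if entry["overdue"])
    return worst, failing


def run_example():
    """Evaluate the constructed log as of AS_OF."""
    return questionnaire_figures(assess_patching(PATCH_LOG, AS_OF))


if __name__ == "__main__":
    worst, failing = run_example()
    print(f"worst turnaround: {worst} days; hosts over limit: {failing}")
```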
5. Deploying Anti-Malware Solutions
Malware exploits systems through malicious links, email attachments, or unauthorized applications. Ultimately, to prevent unauthorized system access, organizations must install anti-malware software on all devices with internet access.
Here are some additional protection steps organizations can take regarding malware attacks:
- As a good practice, organizations should uninstall any unsupported or outdated software on every device. Malware, including ransomware, exploits exposed vulnerabilities within operating systems and applications that have fallen behind on patches.
- Ensure the organization uses a software asset management tool to keep track of license subscription consumption, including anti-malware and anti-virus. This validation is critical to ensure the organization has enough licenses to cover all devices, endpoints, and servers.
What is the Difference Between Cyber Essentials Basic and Cyber Essentials Plus?
In general, organizations seeking Cyber Essentials Basic certification will complete a thorough self-assessment and file their questionnaire with a certification firm, which validates completeness only. Organizations wanting to achieve Cyber Essentials Plus have a few more steps.
- Cyber Essentials Plus extends the Cyber Essentials Basic self-assessment questionnaire.
- This certification involves a certified auditor’s thorough examination of an organization’s IT systems to ensure that all controls declared in the Cyber Essentials questionnaire are effectively implemented in the network.
- Organizations seeking Cyber Essentials Plus certification must first get Cyber Essentials Basic. They must also submit a verified self-assessment within three months before applying.
- Once your organization has engaged an assessor firm, their assessment consultants will choose a few computers as a sample before conducting an audit.
- This audit will confirm whether the controls, including patch management, properly deployed firewalls, secure hardening of hosts and platforms, and anti-malware software, are deployed and kept up to date per industry best practices.
Should Organizations Outside of the UK Pursue Cyber Essentials?
Cyber Essentials is for UK and international organizations wanting to leverage a straightforward approach with fewer controls than other cybersecurity frameworks.
However, the UK’s Ministry of Defence (MOD) mandates that all suppliers hold Cyber Essentials Basic/Plus certification if they conduct business with or are part of the MOD supply chain.
Cyber Essentials is not a set of laws, so non-compliance will not cause penalties or fines. However, organizations choosing not to achieve this certification could face the following repercussions:
- Organizations cannot take part in or be awarded government contracts.
- Customers who only engage certified firms will likely limit an organization’s ability to attract new business opportunities.
- Organizations with the Cyber Essentials certification are eligible for £25,000 in cyber insurance if their annual turnover exceeds £20m.
Other countries, including Australia, model their own frameworks on Cyber Essentials.
Australia
The “Essential Eight” is a cybersecurity framework developed by the Australian Cyber Security Centre. This framework has eight strategies that outline the minimum controls organizations should implement to protect against cyber threats.
Ireland
Ireland currently does not have a cyber security framework or standard in place for SMEs comparable to the UK’s Cyber Essentials program.
However, a cyber security baseline framework for Irish SMEs is necessary to protect organizations from common cyber-attacks. It would enhance cyber security readiness, enabling SMEs to act as a first line of defense against cyber criminals.
Should you need help getting your Cyber Essentials Basic or Plus certification within the UK, we partner with the consulting firm Rightcue, which can assist you. For organizations outside the UK, please contact us at Cubic Consulting at https://cubic.consulting.
Our team can assist with assessing your security posture strategy based on the Cyber Essentials Basic/Plus guidelines, as well as assessing your questionnaire, vulnerability scanning, and post-remediation strategies.