With rising security threats and cyber-attacks against businesses and organisations, time is of the essence to improve your digital defences. A good approach is to follow the UK Government’s recently launched Cyber Essentials scheme.
Cyber Essentials is becoming recognised as a valuable roadmap and kite mark for businesses wishing to improve their cyber security and provide evidence that they meet minimum standards. Developed by Government and industry, the scheme aims to fulfil two key roles:
- Firstly, to provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats, within the context of the ‘10 Steps to Cyber Security’ – see the next article for more details on this.
- Secondly, through the scheme’s ‘Assurance Framework’ it offers a mechanism for organisations to demonstrate to their customers, investors, insurers and others that they have taken the essential precautions.
Cyber Essentials offers a sound foundation of basic cyber hygiene measures that all types of organisation can implement and then build upon. By implementing these measures, an organisation’s vulnerability to common attacks can be significantly reduced.
However, the scheme is not a silver bullet that removes all cyber security risk; for example, it is not designed to address more advanced, targeted attacks, and organisations facing these threats will need to implement additional measures as part of their security strategy.
What Cyber Essentials does do is define a focused set of controls that provide cost-effective, basic cyber security for organisations of all sizes.
The scheme’s Assurance Framework provides a staged approach towards embedding established and sustainable information risk management, covering common Internet-based threats as well as the broader risks an organisation might face.
Each stage adds confidence, and it is for organisations to decide which they choose based on their assessment of risk, their customers’ expectations and cost considerations. The framework supplements other information security certification arrangements and covers the basic controls needed to defeat most threats from the Internet. It consists of two stages, leading to two levels of accreditation or ‘badges’ – Cyber Essentials and Cyber Essentials PLUS.
Cyber Essentials accreditation involves undertaking the following, with completion of stage 1 being a prerequisite to stage 2:
Stage 1 – Cyber Essentials. You state your organisation’s compliance with the Cyber Essentials requirements by responding to an online questionnaire covering the requirements for basic technical protection from cyber-attacks.
The completed questionnaire is sent for review to a recognised certification body, which then undertakes an external vulnerability assessment, testing that the individual controls on your internet-facing network perimeter have been implemented correctly and that there are no obvious vulnerabilities.
Stage 2 – Cyber Essentials PLUS. Cyber Essentials PLUS covers the same controls as Cyber Essentials but offers a higher level of assurance through an independent testing regime.
Cyber Essentials focuses on five key controls, or requirements, of your IT system:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks. Correct setup of these devices, whether in hardware or software form, is essential for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems or information are granted it, through appropriate access control measures.
- Malware protection – ensuring that virus and malware protection is installed and is up to date.
- Patch management – ensuring that applications are kept on the latest supported version and that all necessary patches supplied by the vendor have been applied.
By following the ’10 Steps to Cyber Security’ as described in the following article, organisations will be able to meet these requirements.
Gaining accreditation delivers a number of key benefits to your business. These include:
- Peace of mind that your business is protected against the majority of common cyber-attacks that it is likely to encounter.
- Identification of areas for further improvement, even if you meet either of the two levels of accreditation.
- Visible evidence that your business has taken a rigorous approach to protecting itself, by displaying either the Cyber Essentials or Cyber Essentials PLUS logo.
- The ability to respond to public sector tenders, which now require accreditation for any supply that involves the handling of sensitive and personal information or the provision of certain technical products and services.
Making it happen
The scheme has been put in place to help protect companies against the majority of cyber-attacks on IT systems, most of which involve relatively low levels of technical capability. However, if you are serious about preventing attacks on your business, it is likely you will need to do more.
Either way, unless your organisation has the expertise in-house, it is recommended that you enlist the expertise of your IT or Managed Service Provider. They will be able to assess what you need to do to achieve accreditation and help implement the necessary safeguards.
Call us today to start the process of gaining your Cyber Essentials accreditation.