Cybersecurity is a vital concern for organisations, but many security strategies fall short: recent research shows that 44% of UK companies are lacking in basic cybersecurity skills. The consequences of poor security go far beyond the direct impacts of cyberattacks, and the benefits of effective security are numerous as well. Unfortunately, it can be extremely complicated and difficult to cover all angles and vectors of attack, protect large and spread-out attack surfaces, and maintain compliance with relevant regulations.
Cyber Essentials, first released in 2014 by the United Kingdom’s National Cyber Security Centre (NCSC), is designed to help organisations adopt good practices in information security. It is a government-endorsed scheme for broad protection against a wide range of attacks. Obtaining a Cyber Essentials Certification not only shows that your organisation has the required controls in place but also demonstrates a dedication to cybersecurity and threat protection.
About the Cyber Essentials Certification
Cyber Essentials was developed in collaboration with industry partners such as the Information Security Forum, the Information Assurance for Small and Medium Enterprises (IASME) Consortium, and the British Standards Institution. On a very basic level, the goal of the certification is to ensure that businesses have certain measures in place to protect sensitive data and other assets against cyberattacks. However, it is important to note that Cyber Essentials is a basic level of due diligence from which to build on and not a comprehensive cybersecurity strategy.
The Cyber Essentials scheme addresses the most common internet-based threats to cybersecurity — particularly, attacks that use widely available tools and demand little skill. These threats include hacking, phishing, and password guessing. There are two types of certifications that organisations can obtain, Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials Certification
Cyber Essentials is the less rigorous route, as it is self-assessed. The certification process has been designed to be lightweight and easy to follow. Once you select a Certification Body, you will need to answer the questionnaire provided by that certification body. Then, they will evaluate your answers and perform an external vulnerability scan on your IP addresses. If all goes well, you will pass, and a certificate will be issued. Cyber Essentials certification is right for small businesses that are looking to demonstrate they have the appropriate key controls in place.
Cyber Essentials Plus
Cyber Essentials Plus has exactly the same requirements as Cyber Essentials, but the critical difference is that it requires an independent assessment of your security controls to verify the organisation’s security posture. The assessment involves a vulnerability scan, which will identify unpatched or unsupported software, open ports, incorrect firewall configuration, etc. The information gathered will guide any remedial actions, ensuring your company meets the five technical controls that demonstrate good practice in information governance. As the external body works through your certification, you will have to supply evidence to show you meet all requirements.
Although Cyber Essentials Plus certification is more difficult to achieve, it can be worth it, depending on your organisation’s needs, goals, and resources. The objective analysis of your existing security controls can drive a real improvement in your cyber defences. As a result, Cyber Essentials Plus has become a much more highly regarded certification, suitable for small and large businesses that are looking for a real improvement in their existing cybersecurity controls.
Cyber Essentials Plus is mostly suitable for businesses that have employees who work remotely and/or third parties who need to access corporate assets. It is important to note that certification is only valid for a year, as the purpose of Cyber Essentials is to continuously maintain your organisation’s cyber-readiness. The annual assessment and recertification is an excellent opportunity to make sure that your security is up to date against today's evolving digital threats.
Benefits of Being Certified
Obtaining a Cyber Essentials certification can be advantageous to your organisation in a number of ways. Firstly, it provides a baseline level of security by ensuring that the organisation is protected against many of the most common threats through a range of attack vectors. While Cyber Essentials is not comprehensive, aligning your security with the scheme does guarantee a certain standard of security.
Attaining the certification also demonstrates to current and prospective customers, employees, partners, and contractors that security is a priority for the organisation. With the seal of approval of a government-backed security scheme, your business can gain esteem and reputation as a security-forward organisation.
There are also many government contracts that require Cyber Essentials certification, and even more sensitive projects that mandate Cyber Essentials Plus. Obtaining one of these certifications can help your organisation meet requirements for working with certain sensitive data, products, and services.
Five Cyber Essentials Technical Controls
Cyber Essentials tests the following five areas of your IT infrastructure:
- Firewalls: Using either personal, built-in or dedicated boundary firewalls to secure the Internet connection.
- Secure Configurations: Choosing the most secure settings for all devices and software rather than using default configurations.
- User Access Control: Managing who can gain access to which software, settings, services, and data, using zero-trust principles to protect assets against compromised accounts and insider threats.
- Malware Protection: Defending against malware by using anti-malware solutions and practices, such as whitelisting and sandboxing.
- Patch Management: Keeping devices, operating systems, and installed software up to date, including policies for end-of-life management when the vendor no longer supports a piece of hardware or software.
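As an added illustration (not code from the NCSC, IASME or Fortra), the five controls above can be expressed as per-asset checks over a device inventory and rolled up into the kind of percentage-per-control readiness report the article describes. The inventory is constructed sample data, and the 14-day window for critical updates is a parameter assumed here:

```python
# Constructed sample inventory: one record per device (not real assets).
INVENTORY = [
    {"host": "laptop-01", "firewall_on": True, "default_creds": False,
     "mfa_admins": True, "shared_admin": False, "antimalware": True,
     "os_supported": True, "oldest_critical_patch_days": 5},
    {"host": "kiosk-07", "firewall_on": False, "default_creds": True,
     "mfa_admins": False, "shared_admin": True, "antimalware": False,
     "os_supported": False, "oldest_critical_patch_days": 40},
]

PATCH_WINDOW_DAYS = 14  # assumed threshold for applying critical/high updates

# Each of the five technical controls maps to a predicate over one record.
CONTROLS = {
    "Firewalls": lambda d: d["firewall_on"],
    "Secure Configuration": lambda d: not d["default_creds"],
    "User Access Control": lambda d: d["mfa_admins"] and not d["shared_admin"],
    "Malware Protection": lambda d: d["antimalware"],
    "Patch Management": lambda d: (d["os_supported"]
                                   and d["oldest_critical_patch_days"] <= PATCH_WINDOW_DAYS),
}


def assess(inventory):
    """Return {control: (percentage of assets passing, [failing hosts])}."""
    report = {}
    if not inventory:
        return report
    for name, check in CONTROLS.items():
        failing = [d["host"] for d in inventory if not check(d)]
        pct = round(100 * (len(inventory) - len(failing)) / len(inventory))
        report[name] = (pct, failing)
    return report


def ready(report):
    """Readiness means every control passes on every asset; an empty report is not ready."""
    return bool(report) and all(pct == 100 for pct, _ in report.values())


if __name__ == "__main__":
    result = assess(INVENTORY)
    for control, (pct, failing) in result.items():
        print(f"{control:22s} {pct:3d}%  failing: {', '.join(failing) or '-'}")
    print("ready for assessment:", ready(result))
```

Failing hosts per control are listed so that each gap can be remediated and re-checked before the annual assessment.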
Obtaining a Cyber Essentials Certification
Both Cyber Essentials and Cyber Essentials Plus require organisations to prove that security controls are in place. However, this is often a pain point: most organisations worry about, or struggle with, the time and resources required to gather the necessary audit evidence. The process can be lengthy and difficult to complete manually or with the wrong tools. Using tools from established and trusted vendors like Fortra’s Tripwire can help in collecting the required information.
Tools such as Tripwire Enterprise can be used not only to collect the actual baseline state of the IT infrastructure, providing evidence of configuration status and readiness, but also to produce percentage reports showing how the same environment fares against industry standards such as PCI DSS, CIS, NIST and many more. Maintaining logs from all enterprise components, using tools like Tripwire LogCenter, also helps with documenting compliance and ensuring thorough reporting.
Organisations can also gain insight into vulnerabilities, such as a risk score on a per-asset and per-vulnerability basis, with Fortra’s Vulnerability Management solutions. Combining this information with Tripwire Enterprise’s integrity monitoring data can provide your organisation with the audit evidence required to pass your Cyber Essentials certification.
Meet Fortra™, Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.