The Cyber Essentials Scheme
With rising security threats and cyber-attacks against businesses and organisations, time is of the essence to improve your digital defenses. A good approach to this is to follow the UK Government’s recently launched Cyber Essentials scheme.
Recognised as a valuable road map and kite mark for businesses wishing to improve their cyber security.
Developed by Government and industry, the scheme aims to fulfil two key roles: –
- Firstly, to provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the ‘10 Steps to Cyber Security’
- Secondly, through the ‘Assurance Framework’ it offers a mechanism for organisations to demonstrate that they have taken the essential precautions.
Cyber Essentials offers a sound foundation of basic cyber hygiene measures that all types of organisations can implement and then build upon. Implementing these measures will significantly reduce your organisation’s vulnerability.
Cyber Essentials does not provide a silver bullet to remove all cyber security risk. Organisations facing these threats will need to implement additional measures as part of their security strategy.
What does Cyber Essentials do?
Cyber Essentials defines a focused set of controls which will provide cost-effective, basic cyber security for organisations of all sizes.
The scheme’s Assurance Framework provides a staged approach towards embedding established and sustainable information risk management from common Internet-based threats as well as the broader risks they might face.
Each stage adds confidence and it is for organisations to decide which they choose based on their assessment of risk, their customers’ expectations and cost considerations. The framework supplements other information security certification arrangements and covers the basic controls needed to defeat most threats from the Internet. The framework consists of two stages, leading to two levels of accreditation or ‘badges’ – Cyber Essentials and Cyber Essentials PLUS.
Cyber Essentials Accreditation
This accreditation involves undertaking the following, with completion of stage 1 being a prerequisite to stage 2: –
Stage 1 – Cyber Essentials. By responding to an online questionnaire covering the requirements for basic technical protection from cyberattacks you state your organisation’s compliance with Cyber Essentials requirements
The completed questionnaire is sent for review to a recognised body who then undertake an external vulnerability assessment, testing that individual controls on your internet-facing network perimeter have been implemented correctly, and that there are no obvious vulnerabilities.
Stage 2 – Cyber Essentials PLUS. Cyber Essentials PLUS encompasses the same controls as Cyber Essentials but offers a higher level of assurance through the use of an independent testing regime.
Cyber Essentials focuses on five key controls or requirements of your IT system as follows: –
- Boundary firewalls and internet gateways – Correct setup of these devices either in hardware or software form is essential for them to be fully effective.
- Secure configuration – secure configuration for the needs of the organisation.
- Access control – only those who should have access to systems or information have access through use of appropriate access measures.
- Malware protection – must be installed and up to date.
- Patch management – all the necessary patches have been applied.
Gaining accreditation delivers a number of key benefits to your business.
These include: –
- Protection against the majority of common cyber-attacks, therefore giving you peace of mind
- Clear identification of areas for further improvement, even if you meet either of the two levels of accreditation.
- Visible evidence that your business has taken a rigorous approach to protecting itself
- Ability to respond to public sector tenders.
Making it happen
Mainly involving relatively low levels of technical capability, this scheme has been put in place to protect companies against cyber-attacks to IT systems. However, if you are serious about preventing attacks on your business it is likely you will need to do more.
Companies should enlist the expertise of their IT or Managed Service Provider. They will be able to assess what you need to do to achieve accreditation and help implement the necessary safeguards.
Call us today to start the process of gaining your Cyber Essentials accreditation