Cyber Essentials seems to be everywhere, but what does it truly mean for your organisation? We've created the Ultimate Guide to Cyber Essentials to help you understand the fundamentals as well as the technical aspects of Cyber Essentials without the complicated jargon. Every single question you have around Cyber Essentials will be answered and that's a promise!
So, take a seat, grab a cuppa and put your feet up while I explain everything you need to know about Cyber Essentials.
- Understanding the threat to your organisation
- What is the solution to the cyber threat?
- What is Cyber Essentials?
- How many certifications are there for Cyber Essentials?
- Achieving Cyber Essentials
- Achieving Cyber Essentials Plus
- Cyber Essentials vs Cyber Essentials Plus
- How much does Cyber Essentials cost?
- Why do you need a pre-assessment?
- What are the benefits of a Cyber Essentials certification?
- The Cyber Essentials Accrediting Bodies
- Getting Started with Cyber Essentials
- The Cyber Essentials Process
- Post Certification
- Additional FAQs
Can we be honest with each other for a second? On a scale of 1-10, how much do you really understand the world of cyber security?
Despite the fact most organisations spend 5.6% of their overall IT budget on security and risk management, many organisations still don't understand what cyber security is and subsequently, they don't know how to keep hackers out.
Cyber security isn't a priority for most organisations until it is too late and in fact, some organisations think their IT Support company are knowledgeable enough to handle all of their cyber security. I know this sounds crazy but listening to your IT support company could cost you 4% of your turnover.
Over the last 10 years we've seen a massive growth in cyber crime, in fact, I dove into the data from the Office for National Statistics (if you want to nerd out like me click this) and found out that there were 506,000 cases of unauthorised access to personal information (including hacking) in 2018 alone. Those are just the cases that were reported to the police! Unfortunately, these numbers are only rising as we become more and more reliant on technology within our organisations.
With that said and UK organisations experiencing an estimated 65,000 cyber attacks daily, organisations cannot afford to leave cyber security to the last minute.
As you can imagine, there's a significant number of organisations wishing they could go back and make amends. The popular phrase "It's never too late" clearly does not apply for cyber security.
Who is a threat to your organisation?
Whether it's an accidental error by one of your employees or a hacker half-way around the world attempting to gain access to unauthorised data, there are five common sources of the cyber threat which are shown below:
What are cyber criminals trying to do to your organisation?
Cyber criminals have many different ways to get your data, for instance they will:
- Infect your systems with malware (ransomware) - malware is software that is specifically designed to disrupt, damage, and gain unauthorised access to your computer systems.
- Use Social Engineering - the use of deception to manipulate your employees into divulging confidential and personal information that will be used for fraudulent purposes.
- Exploit vulnerabilities - weaknesses in your systems which can be exploited by an attacker.
Vulnerabilities exist within all systems and software. The challenge is ensuring that your systems are constantly up to date and that vulnerabilities are identified and remediated quickly to ensure your risks are mitigated and your attack surface reduced.
- Overload with DDoS (Distributed Denial of Service) - hackers use multiple systems to flood and target the bandwidth and resources of your systems. Your website and systems receive so many requests that they are unable to deliver a response and either fail completely or just stop responding to any legitimate requests.
How do they do this?
The attackers use a control server and issue a command that asks all the compromised systems under the control of that server to send requests to your website or system at the same time.
From April 2017 to April 2018, 43% of UK organisations suffered a data breach or attack. I know that sounds terrible but the good news is, 32% of UK organisations experienced a data breach or cyber attack from April 2018 to April 2019 - an 11% decrease.
I know what you're thinking, the number of daily attacks are incredibly high at 65,000 but the number of breaches are going down. How can there have been a decrease? How is that possible?
Well, a lot of people have been talking about Cyber Essentials recently and rightly so. With the ever-growing push from government, clients and suppliers, you've probably already heard of it too. So you're wondering, why is everyone talking about Cyber Essentials?
UK organisations are beginning to prioritise cyber security by implementing Cyber Essentials and that's exactly why UK organisations have seen such a decrease in the number of breaches.
Whilst I've answered a few of your immediate questions, I appreciate there's a lot more on your mind and that's exactly why I've created The Ultimate Guide to Cyber Essentials for you so let's start off with the essential knowledge...
Cyber Essentials is a UK government information/data assurance scheme operated by the National Cyber Security Centre (part of GCHQ) that encourages organisations to adopt good practices surrounding data security. Cyber Essentials has been designed by the government to make it easy for you to protect your organisation against common cyber threats.
Think of it like this,
You're in the middle of your driving test, hoping to achieve your driving license. The assessor in the passenger seat understands what you need to do in order to pass and the assessor will be using a checklist to determine whether you pass or fail.
The company certifying your organisation are the assessor and Cyber Essentials is the checklist.
Cyber Essentials is the standard to compare the current condition of your Cyber Security against. The aim is to reach the Cyber Essentials standard and once this is done, you achieve the Cyber Essentials certification and your organisation will have reduced its cyber threat immensely.
Not too complicated right?
The reason the government's 'Department for Business, Innovation and Skills' created Cyber Essentials in 2014 was to ensure all suppliers doing business with the UK government are responsibly handling any personal and sensitive data they possess.
It's important to remember Cyber Essentials gives you a "point in time snapshot" assessment of your organisation which means you'd need ongoing security solutions such as SOC and SIEM on top of your Cyber Essentials certification to be able to have the peace of mind to understand your cyber security on a daily basis. (I'll explain this further later!)
There are only two certifications for Cyber Essentials - Cyber Essentials and Cyber Essentials Plus. They are both achieved in different ways and both respectively have their benefits for your organisation.
Cyber Essentials 'Basic' is a 'DIY' certification, it can be completed by your organisation's own IT department or a certified, external third party if you don’t have the capacity or technical expertise in-house. Your organisation completes a self-assessment questionnaire and the responses are then independently reviewed by an external certifying body.
Cyber Essentials Plus requires an external certifying body to carry out the system tests rather than the 'DIY' nature of Cyber Essentials.
A Cyber Essentials certification shows your clients and customers that you care about your cyber security whereas Cyber Essentials Plus shows you are doing absolutely everything in your control to protect their data.
Cyber Essentials Plus requires the use of an external certifying body throughout the entire certification process whereas Cyber Essentials uses an external certifying body to examine the responses from the self-assessment questionnaire.
Cyber Essentials is available for an annual recurring fee of £299 (excluding VAT) with monthly instalments available.
Before the purchase of Cyber Essentials Plus, a pre-assessment is recommended at the upfront price of £1499 which is followed by the £1499 cost of Cyber Essentials Plus. However, if you decide to buy both together, the total cost of the package is reduced to £2899.99. Monthly instalments are also available for Cyber Essentials Plus.
There are many reasons why you need the Cyber Essentials pre-assessment but the main purpose of it is to highlight which areas of your cyber security require attention and improvement. Without the pre-assessment, it can be more expensive to figure out where the 'gaps' are; as you will have to rely on your internal IT department or external IT company to carry it out.
The last thing you want to be doing is wasting money, the pre-assessment guarantees that you won't do that. It basically tells you 'where you are and what the current situation is'. You can then determine what is required to address the issues identified. Once 'fixed' you can then move onto Cyber Essentials Plus assessment and certification.
- Cyber Essentials is the only government backed UK cyber security standard, which means you will be aligning yourself with the most recognised standard in the country.
- Earlier I mentioned how Cyber Essentials is the main reason for the decrease in UK organisations experiencing data breaches and attacks in 2019. If you were wondering how this was possible, it is because the five Cyber Essentials controls (we'll get into these later!) will reduce your organisation's cyber threat by 80%. Hence, the fall in data breaches and attacks makes sense as more organisations are protected in 2019 than in 2018.
For most organisations, 80% is still not enough and bridging the 20% gap requires SOC (Security Operation Centre) and SIEM (Security Information and Event Management) where you will have dedicated teams working towards fixing security issues in real time. (I'll explain later!)
- Time. Money. Resources. With a bird's eye view of your cyber security from the executive level, you can iron out any inefficiencies in your practices as well as maximising productivity, as your team will have more time on their side.
- You've always dreamt of landing that HUGE government contract, without Cyber Essentials, you'll have to stop dreaming. Being Cyber Essentials certified is a minimum requirement for any organisation looking to obtain government contracts and your organisation is right to have the ambition of gaining government contracts.
Ambition shouldn't be punished or limited, it should be encouraged.
With Cyber Essentials, you will be giving your organisation the opportunity to grow and thrive.
When mentioning government contracts, it's impossible to not mention that Cyber Essentials also gives your organisation the opportunity to bid and work with the Ministry of Defence.
- As I mentioned earlier, whilst the Cyber Essentials certification shows that you care about data, the Cyber Essentials Plus certification shows that you're making every effort to protect data.
This will make a big difference when your organisation is trying to obtain cyber insurance - as the brokers will be willing to offer you a reduced premium since they can see your organisation is incredibly cyber safe.
- I'm sure you utilise services, you are a client to someone. Now think of the reassurance you'd feel if that service came back to you and said "we're doing absolutely everything in our power to protect your data and can prove it because we have the government's own standard". You'd appreciate the work they do even more than you do currently.
This is the same feeling you'd want to give to your clients. You want your clients to appreciate what you do for them. It begins with protecting your clients and before you know it, you've enhanced your reputation in your industry. The industry will recognise you as one of the safest organisations in the sector, you can only begin to imagine what that could do for your organisation.
- There are organisations who simply do not care about cyber security, they believe it is not a priority and that they will never have a problem with it. It's an unfortunate way of thinking, their organisations won't last long in this day and age. Ideally, you'd want to separate your brand and identity from these organisations.
With a Cyber Essentials certification, you automatically show that you care about data as well as differentiating yourself from your competitors who have yet to prioritise their cyber security.
Think of it now, your website will be updated with the Cyber Essentials logos and you will have put your organisation amongst an elite group of organisations in your industry who have shown they care about their data. If you show your clients you care about them, they'll care for you too.
- Can your suppliers trust you? If something went wrong, what are the chances they'd continue to do business with you?
Statistically, most suppliers end relationships with clients who suffer a breach. If you're wondering why, it's because they find out you did little to protect their data in the first place and this means the trust you had built has been lost. Without the trust, the supplier does not want to do business with you any longer.
With a Cyber Essentials certification, you will be protecting your organisation and therefore, you're giving your suppliers the trust they need to continue working with you. The choice is clear, you can give your suppliers uncertainty without Cyber Essentials or you can give them certainty with Cyber Essentials.
- I'm sure you've heard of GDPR (General Data Protection Regulation) as all organisations inside of the EU are required to comply with GDPR. It's important to comply for many reasons, but here's one that particularly stands out - your organisation could be liable to pay up to 4% of your turnover if breached.
The reason for this is the Information Commissioner's Office can very quickly conclude that you did not do everything in your power to protect the data you hold. How? They can see you didn't have Cyber Essentials when you were breached. Simply having the certification could've prevented the fine as they could see you did try to protect your data.
Most organisations would struggle if they lost 4% of their turnover, would you still be in business?
To further understand each benefit, feel free to click here to view 10 ways Cyber Essentials can benefit your organisation.
There are currently five accrediting bodies of the Cyber Essentials scheme: IASME, CREST, APMG, IRM and QG. These accrediting bodies appoint certifying bodies (such as Cyber Tec Security) who will certify your organisation for Cyber Essentials and Cyber Essentials Plus.
IASME and CREST are the two biggest accrediting bodies in the UK and the bulk of certifying bodies come from these two companies so I will be particularly focusing on these two major organisations. (Warning! It gets very technical...)
IASME assess and certify organisations against two standards:
- The IASME Governance Standard
- The Cyber Essentials Scheme
In addition to Cyber Essentials, IASME's Governance standard is designed specifically for SMEs (Small and Medium sized organisations) and offers a similar level of assurance to the internationally recognised ISO 27001 standard but is simpler and often cheaper for SMEs to implement.
The IASME Governance Standard is risk-based and includes aspects such as physical security, staff awareness, and data backup.
CREST is an international not-for-profit accreditation body that represents and supports the technical information security market.
Whilst IASME focus on SMEs, CREST specialise in bigger organisations and in the technical information security industry.
The Future of Cyber Essentials
All five accrediting bodies have their own methodologies when it comes to implementing Cyber Essentials and each methodology has its advantages and disadvantages. Due to this, the government decided they would prefer if every organisation in the UK operated under the same methodology. Therefore, only one of the five accrediting organisations could become the main accrediting body for the United Kingdom.
CREST and IASME are the two biggest accrediting bodies and there were rumours in the industry that it would be one of these two organisations which would become the main accrediting body for the UK.
The rumours were correct.
It has been announced that IASME are now the main accreditation body for Cyber Essentials in the United Kingdom and this change will take effect on 1st April 2020.
What does this mean?
It means if you're already certified with one of the other four accrediting bodies, you will need to become Cyber Essentials certified through an IASME certifying body when your current certification expires. This also means every certifying body with the other four accrediting bodies will need to go through IASME's procedures in order to continue being a certifying body.
Cyber Essentials Controls
You're probably thinking... what on earth is a control?
Simply, technical controls are safeguards that are incorporated into computer hardware, software, or firmware. So, the controls for Cyber Essentials are:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
As aforementioned, the reason Cyber Essentials can protect your organisation from 80% of the cyber attacks is due to these five controls. These controls can be very confusing and well, you're not here to be confused so I've created a simple infographic for you to understand the fundamentals of each below:
Now that you're familiar with the fundamentals of the controls, it's best to dive in deeper on each control and understand the best practices for each.
Firewalls and Internet Gateways
Firewalls are the technical protection between your systems and external systems. It is the firewall which will filter anything that could be of harm to your systems.
Internet Gateways enable us to communicate by sending data back and forth. Without gateways, the Internet wouldn't be of any use to us.
- Your home based workers should be using a firewall or an office VPN.
- Your router or hardware firewall device will have default passwords which should be changed to passwords which are hard to guess and at least 8 characters in length.
- You should have a guest network for your clients and customers for when they want to use your servers. For instance, if a customer wants access to your WiFi, you should offer them the guest option as otherwise, you will be making your actual network susceptible to an attack.
- If you allow other people such as your managed service provider to access your settings via the internet, you should have two factor authentication set up or add them to the trusted list of IP addresses.
- You should enable firewalls on all your connected devices.
Secure Configuration
It's rare for computers to be secure straight out of the box as they often include an administrative account with a publicly known default password, unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed unnecessary applications or services. All of these can present security risks.
- You should look to remove or disable the applications, system utilities and network services that are not needed in day-to-day use.
- You should remove or disable any user accounts that are not needed in day-to-day use on all devices.
- Change the default password for all user and administrator accounts on all devices and servers to a non guessable, strong 8 or more character password.
- Ensure each user and administrator has a non guessable, strong, 8 or more character password.
- You shouldn't include predictable words such as "password" or predictable sequences such as "12345".
- Prevent people outside of your organisation accessing confidential information through your external services (VPN server, mail server etc) by making this information private.
- Change passwords as soon as you believe they have been compromised.
- Limit the number of unsuccessful login attempts to no more than ten within five minutes.
- Create a password policy to guide your users. This includes guidance on how to choose non-guessable passwords, not to use the same password for multiple accounts, which passwords may be written down and where they can be stored.
- Disable auto-run and auto-play on all of your systems.
Access Control
It is important to only give users access to the resources and data necessary for their roles, and no more. All users need to have unique accounts and should not be carrying out day-to-day tasks such as invoicing or dealing with e-mail whilst logged on as a user with administrator privileges which allow significant changes to the way your computer systems work.
- You should ensure that user accounts (such as logins to laptops and accounts on servers) are only provided after they have been approved by a person with a leadership role in your organisation.
- You should ensure that no devices can be accessed without entering a username and password. Users should not be able to share accounts.
- Stop any former employee accessing any of your systems.
- Ensure that staff only have the privileges they need to do their current job.
- You should have a formal, written-down process that you follow when deciding to give someone access to systems at administrator level. This process should include approval by a person who is an owner/director/trustee/partner of the organisation.
- You should ensure that administrator accounts are only used when absolutely necessary, such as when installing software. Using administrator accounts all day long exposes the device to compromise by malware.
- You should ensure that administrator accounts are not used to access websites or download email. Using such accounts in this way exposes the device to compromise by malware. You may not need a technical solution to achieve this, it could be based on good policy and procedure as well as regular training for staff.
- You should track by means of list or formal record all people that have been granted administrator accounts.
- You should review the list of people with administrator access regularly. Depending on your organisation, this might be monthly, quarterly or annually. Any users who no longer need administrative access to carry out their role should have it removed.
- Enable two factor authentication for all administrative accounts.
Malware Protection
Malware (ransomware is one common type) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as 'phishing' (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focussed attack on an organisation.
- Install anti-malware software
- Have a list of approved applications and only use and install these applications
- Update anti-malware software daily
- Configure your anti-malware software to scan files automatically when they are accessed
- Your anti-malware software should have a plugin for your internet browser or for the operating system itself that prevents access to known malicious websites.
- Restrict users from installing unsigned applications
- You should create a list of approved applications and ensure users only install these applications on their devices including employee owned devices.
- If using application sandboxing, ensure that applications within the sandbox are unable to access data stores, sensitive peripherals and your local network.
Patch Management
To protect your organisation, you should ensure that your software is always up-to-date with the latest patches. This is a requirement of Cyber Essentials.
- Ensure all operating systems, applications and firmware on your devices are supported by a supplier that produces regular fixes for any security problems.
- Use licensed software in accordance with the publisher's recommendations.
- Ensure all high-risk or critical security updates for operating systems and firmware are installed within 14 days of release.
- Remove older applications from your devices which are no longer supported by the manufacturer.
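The five controls above are easiest to reason about once they are turned into concrete checks. The script below is an added example written for this guide, not a tool from the Cyber Essentials scheme or any certifying body. It audits a constructed inventory of two hypothetical devices and their accounts against the thresholds stated in this section: 8-character passwords free of predictable fragments, no more than ten failed logins in five minutes, critical updates within 14 days, no unneeded or former-employee accounts, two-factor authentication on administrator accounts, and no unsupported software. The inventory format and field names are this example's own assumptions.

```python
"""Check a constructed device inventory against the Cyber Essentials controls.

Added example for this guide; the record format, hosts and accounts are
hypothetical. Thresholds are the ones stated in the guide's control lists.
"""

MIN_PASSWORD_LENGTH = 8
MAX_FAILED_LOGINS = 10         # no more than ten failures ...
LOCKOUT_WINDOW_MINUTES = 5     # ... within five minutes
MAX_PATCH_AGE_DAYS = 14        # critical updates installed within 14 days
PREDICTABLE_FRAGMENTS = ("password", "12345", "qwerty")

# Constructed sample inventory (hypothetical hosts, users and passwords).
INVENTORY = [
    {
        "host": "lap-01",
        "default_password_changed": True,
        "autorun_disabled": True,
        "firewall_enabled": True,
        "lockout": {"attempts": 10, "window_minutes": 5},
        "oldest_critical_patch_days": 3,
        "unsupported_software": [],
        "accounts": [
            {"user": "alice", "admin": False, "password": "Tr0ub4dor&3",
             "mfa": False, "active_employee": True, "needed": True},
            {"user": "alice-adm", "admin": True, "password": "correct-horse-battery-staple",
             "mfa": True, "active_employee": True, "needed": True},
        ],
    },
    {
        "host": "srv-files",
        "default_password_changed": False,
        "autorun_disabled": False,
        "firewall_enabled": True,
        "lockout": {"attempts": 20, "window_minutes": 5},
        "oldest_critical_patch_days": 30,
        "unsupported_software": ["LegacyDB 4.2"],
        "accounts": [
            {"user": "bob", "admin": True, "password": "Password123",
             "mfa": False, "active_employee": False, "needed": True},
            {"user": "guest", "admin": False, "password": "qwerty99",
             "mfa": False, "active_employee": True, "needed": False},
        ],
    },
]


def password_issues(password):
    """Apply the guide's password rules: 8+ characters, no predictable fragments."""
    issues = []
    if len(password) < MIN_PASSWORD_LENGTH:
        issues.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    lowered = password.lower()
    for fragment in PREDICTABLE_FRAGMENTS:
        if fragment in lowered:
            issues.append(f"contains predictable fragment '{fragment}'")
    return issues


def audit_device(device):
    """Return a list of (control, finding) tuples for one device record."""
    findings = []
    host = device["host"]

    # Boundary firewalls and internet gateways
    if not device["firewall_enabled"]:
        findings.append(("firewall", f"{host}: host firewall disabled"))
    if not device["default_password_changed"]:
        findings.append(("firewall", f"{host}: default device/admin password still in use"))

    # Secure configuration: auto-run and lockout policy.  A policy is compliant
    # only if it allows at most MAX_FAILED_LOGINS attempts over a window at
    # least as long as LOCKOUT_WINDOW_MINUTES (a shorter window lets more
    # attempts through in any five-minute period).
    if not device["autorun_disabled"]:
        findings.append(("secure-config", f"{host}: auto-run/auto-play enabled"))
    lock = device["lockout"]
    if lock["attempts"] > MAX_FAILED_LOGINS or lock["window_minutes"] < LOCKOUT_WINDOW_MINUTES:
        findings.append(("secure-config",
                         f"{host}: lockout allows {lock['attempts']} attempts in "
                         f"{lock['window_minutes']} min (limit {MAX_FAILED_LOGINS} "
                         f"in {LOCKOUT_WINDOW_MINUTES})"))

    for account in device["accounts"]:
        user = account["user"]
        for issue in password_issues(account["password"]):
            findings.append(("secure-config", f"{host}/{user}: password {issue}"))
        if not account["needed"]:
            findings.append(("secure-config", f"{host}/{user}: account not needed day-to-day"))
        # Access control
        if not account["active_employee"]:
            findings.append(("access-control", f"{host}/{user}: former employee still has access"))
        if account["admin"] and not account["mfa"]:
            findings.append(("access-control", f"{host}/{user}: administrator without 2FA"))

    # Patch management
    age = device["oldest_critical_patch_days"]
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(("patching", f"{host}: critical update outstanding for {age} days"))
    for app in device["unsupported_software"]:
        findings.append(("patching", f"{host}: unsupported software installed: {app}"))
    return findings


def audit_inventory(inventory):
    """Map each host to its findings; an empty list means the device passed."""
    return {device["host"]: audit_device(device) for device in inventory}


def summarise(results):
    """Count findings per control across all devices."""
    counts = {}
    for findings in results.values():
        for control, _ in findings:
            counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(INVENTORY)
    for host, findings in results.items():
        print(f"{host}: {'PASS' if not findings else str(len(findings)) + ' finding(s)'}")
        for control, finding in findings:
            print(f"  [{control}] {finding}")
    print("totals:", summarise(results))
```

Run as written, the laptop passes and the file server produces ten findings spread across four of the controls; in practice the inventory would be generated from your endpoint management or directory tooling rather than typed in by hand.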
Certifying bodies will guide, manage and support you throughout the process but what actually is the Cyber Essentials journey, what would the process look like?
- Order placed
- Information required for assessment gathered by certifying body
- Organisation receives question set with guidance from certifying body
- Organisation reviews this and sends certifying body an amended question set which is reviewed
- Achieve Cyber Essentials
- Organisation requests pre-assessment
- Pre-assessment booked
- Portal to fill in answers and prepare assessment for marking
- Assessment is marked for compliance to Cyber Essentials Plus
- Results compiled
- Remediations are identified
- Full assessment and provisional dates for assessment agreed
- Final assessment is booked
- Final assessment report will be compiled and reviewed by assessor before being awarded.
- Cyber Essentials Plus certification achieved
As aforementioned, once you have achieved Cyber Essentials/Plus, you will be able to have the appropriate Cyber Essentials logos on your website.
Moreover, you would have reduced your cyber threat by 80%. This still leaves a 20% gap to bridge but how do you bridge the 20% gap?
An effective pair of tools which can help bridge the gap are SOC and SIEM.
What is SOC and SIEM?
A SIEM (Security Information and Event Management), is a tool that indicates suspicious activity through set-up rules and correlation intelligence and enables security analysts to act on suspected threats.
A SOC (Security Operations Centre) encompasses the people, processes, as well as technology involved in protectively-monitoring a network, responding to incidents, and researching/actively searching for known/unknown threats.
What does this mean for your organisation?
A SOC works best with a SIEM as the SIEM provides the foundation for the SOC's specialised security analysts to work on the threats presented by the SIEM.
Whilst a SIEM is the best tool for collecting and correlating information from your organisation, what happens when you get an alert? You need a set of skilled security analysts to help you understand what those alerts mean and that's where SOC comes in.
By having SOC and SIEM for your organisation, you will be able to proactively monitor threats posed to your organisation and be able to prevent breaches and attacks before they happen. As Cyber Essentials shows you a "snapshot" of your cyber security at a specific time, the SOC and SIEM will ensure you are always up to the standard. This is hugely important as you could save money the following year when renewing Cyber Essentials as you may not need a pre-assessment.
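To make the "set-up rules and correlation intelligence" idea concrete, here is an added example (not from the original guide or any SIEM product) of two correlation rules run over a handful of constructed authentication log lines. The first rule mirrors the lockout control from earlier on this page and raises a medium alert when one source address produces ten failed logins within five minutes; the second raises a high alert when a successful login from that same source follows within ten minutes, which is the kind of combined signal an analyst would want escalated. The log format, host names and addresses (taken from the RFC 5737 documentation ranges) are this example's own assumptions.

```python
"""Two SIEM-style correlation rules over constructed SSH authentication logs.

Added example for this guide; the log format, hosts, users and addresses are
hypothetical. Events are processed in arrival order with a sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one legitimate login, ten failures from a
# single source, two stray failures from another source, then a success
# from the source that produced the burst, plus one line the parser ignores.
SAMPLE_LOGS = [
    "2020-03-02T09:00:00 srv-mail sshd: Accepted password for alice from 192.0.2.10",
] + [
    f"2020-03-02T09:00:{5 + 5 * i:02d} srv-mail sshd: Failed password for bob from 203.0.113.7"
    for i in range(10)
] + [
    "2020-03-02T09:01:30 srv-mail sshd: Failed password for root from 198.51.100.4",
    "2020-03-02T09:01:45 srv-mail sshd: Failed password for admin from 198.51.100.4",
    "2020-03-02T09:02:10 srv-mail sshd: Accepted password for bob from 203.0.113.7",
    "2020-03-02T09:02:30 srv-mail cron: session opened for user backup",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=10, window=timedelta(minutes=5),
              follow_up=timedelta(minutes=10)):
    """Apply both rules and return the alerts in the order they fire.

    Rule 1 (failed-login-burst): >= threshold failures from one source within
    `window`.  Rule 2 (success-after-burst): an accepted login from a source
    whose burst alert fired no more than `follow_up` earlier.
    """
    recent_failures = defaultdict(deque)   # src -> timestamps inside the window
    burst_fired_at = {}                    # src -> time rule 1 fired
    alerts = []

    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        src, ts = event["src"], event["ts"]

        if event["outcome"] == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst_fired_at:
                burst_fired_at[src] = ts
                alerts.append({"rule": "failed-login-burst", "severity": "medium",
                               "src": src, "count": len(q), "ts": ts})
        else:  # Accepted
            fired = burst_fired_at.get(src)
            if fired is not None and ts - fired <= follow_up:
                alerts.append({"rule": "success-after-burst", "severity": "high",
                               "src": src, "user": event["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(f"{alert['ts']} [{alert['severity']}] {alert['rule']} from {alert['src']}")
```

The two stray failures from 198.51.100.4 never reach the threshold and produce nothing, which is the point of a windowed rule: it separates a handful of mistyped passwords from a sustained guessing attempt, and the follow-up rule is what turns a noisy medium alert into something a SOC analyst would act on immediately.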
The cyber threat is real and it's coming for every single organisation. With over a third of British organisations suffering an attack in 2019, it's up to those organisations to do their best to protect their stakeholders with 'essential' and fundamental investments - such as Cyber Essentials.
It's your duty to protect your stakeholders.
With Cyber Essentials, your organisation can guarantee protection against 80% of cyber attacks, land Government contracts and avoid huge fines from the ICO post breach.
I've linked the guide for you below, click below to download the Ultimate Guide to Cyber Essentials.
Still haven't got the answer you're looking for? I couldn't just leave you with an unsolved query so here are some more answers to those burning questions!
Does Cyber Essentials expire?
Cyber Essentials will require annual renewal and the amount you'd pay depends on your certification.
Why should I renew my Cyber Essentials?
For the same reasons you chose to certify in the first place:
- To reduce your cyber threat by 80%
- To benefit from the Cyber Essentials scheme
- To grasp your organisation's cyber security position
Can I achieve Cyber Essentials Plus without Cyber Essentials?
To be able to achieve Cyber Essentials Plus, you must first achieve Cyber Essentials.
How do I become 100% secure?
We'd all love to be 100% secure, unfortunately, this is impossible. The best thing you can do is guarantee 80% protection from cyber attacks and then look to invest in SOC and SIEM to bridge that gap.
My IT team told me to buy tools, why should I bother with Cyber Essentials?
Listening to your IT team on this matter will cost you a fortune. Tools are not cheap and you cannot guarantee you'll be safer with them. However with Cyber Essentials, you'll automatically reduce your cyber threat by 80% and it should be seen as a 'first step' necessity. Think of tools as a supplement, they're beneficial for bridging the gap from 80% to 100% but they are not the main aspect of your cyber security.
How quickly can I become certified for Cyber Essentials and Cyber Essentials Plus?
You can become certified within 24 hours for Cyber Essentials and you would need to upgrade to Cyber Essentials Plus within 3 months of achieving Cyber Essentials.