The Cyber Essentials scheme was set up by the government and a group of cyber security experts to help small to medium-sized companies become digitally secure against 80% of known cyber threats. In this blog we will explore how Cyber Essentials could help your business, point you to several ways of implementing it, and suggest other things you can do to make your network secure.
What is Cyber Essentials?
If you are in retail or eCommerce you should already be familiar with the PCI DSS levels (SAQ-X). In a similar way, the Cyber Essentials scheme was designed to help small and medium-sized companies reach a ratified level of cyber security at a reasonable cost. It includes multiple steps that can be taken to minimise the threat of a cyber-attack or breach. The guide covers multiple areas of potential improvement for companies: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management. Each part is split into an introduction and several example steps on how to achieve security in that area. The main areas of focus are defence against hacking and prevention of phishing scams.
We do not warrant that following the steps in this blog post will allow you to pass the Cyber Essentials self-certification questionnaire, but it will give you a good idea of what is actually involved. There are two levels of certification: Cyber Essentials (for everyone) and Cyber Essentials Plus (for a higher security level); the badges are shown below. The standard badge can be received by completing a self-assessment questionnaire that is marked by an external body, costing £300 plus any rectification work needed. The Plus variant can be obtained when a specialist inspector from the same external body comes to assess your network by performing vulnerability tests, also known as pen testing (penetration testing). For more information on the scheme you can also see the .gov website.
How can Cyber Essentials be implemented?
The guide document can be found here. Many companies, especially large ones, will already meet most or even all of the requirements for several parts of the Cyber Essentials Scheme. For many smaller companies, however, a security standard such as this may have been given low priority. Luckily, the Cyber Essentials Scheme was designed for small and medium-sized companies, and the steps it sets out to achieve a high level of security do not require a large financial investment. The only costs would be new anti-virus/anti-malware software or upgrades to Windows 10 from previous operating systems. If you think that your current system is ready to be certified, you only need to complete the self-assessment (which can be found on this site) and pass it to gain recognition of the standard. If not, the document (linked above) will also give you details of what is included in other similar I.T. standards.
Overview of the Cyber Essentials Guide
The guide document sets out, point by point, how you can reach the standard required to gain Cyber Essentials or Cyber Essentials Plus certification. The main points covered by the document are:
1. Boundary firewalls and internet gateways
This area has points on maintaining secure passwords, blocking known malicious websites that may host vulnerabilities, using the firewall to block out-of-date websites, and only allowing admins to change what is let through the firewall. You can achieve this by reviewing your firewall(s) and making sure they are kept updated, and by keeping the admin passwords that can access them secure and changed often. Merely having a firewall means nothing; it is how it is used that counts.
2. Secure configuration
This area focuses on the removal of unneeded accounts (for example extra guest accounts and admin accounts), prevention of auto-run for .exe files and external media, removal of old software, and adding personal firewalls. Make sure that you have at most one or two users on a single workstation and that any passwords are changed on a regular basis.
3. Access control
This area covers administrator-level security, how to keep certain privileges away from non-admins, and recommends making several features accessible only to admins. This means making sure that most, if not all, workstations only have a standard user login for those working there, and that only one or two separate admin accounts exist alongside the regular user accounts.
4. Malware protection
The malware protection section explains the importance of having anti-malware software and protection with regular scans and checks. We can help you choose and install recommended anti-malware software. Keeping this software, along with your operating system, up to date at all times will help protect you and your data from being locked or infected with adware or crypto-locker style viruses.
5. Patch management
The patch management section explains why it is important to keep all your software and operating systems updated to remove vulnerabilities. Even companies like Apple or Microsoft often leave bits of code that are vulnerable to attack, and so they "patch it up" with regular updates. This means that if you want to make sure that your system is secure at all times you should always have Windows automatic updates turned on and update as often and whenever you can.
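As an added example (not part of the Cyber Essentials guide, and not Bongo IT's own tooling), the following PowerShell script performs a read-only audit of a single Windows 10 workstation against the secure configuration, access control and patch management points above: it counts enabled local administrators, checks that the built-in Guest account is disabled, checks the AutoRun policy values in the registry, and checks that Windows Update is enabled and that a patch has been installed recently. The thresholds it uses (at most two enabled administrators, a patch within the last 30 days) are this example's assumptions rather than figures from the scheme, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example, not taken from the Cyber Essentials guide or from Bongo IT.
# Read-only audit of one Windows 10 workstation against the "secure
# configuration", "access control" and "patch management" points.
# Run from an elevated PowerShell prompt. The thresholds (at most two enabled
# administrators, a patch within 30 days) are assumptions of this example.

$findings = New-Object System.Collections.Generic.List[string]

# --- Access control: how many enabled local accounts hold admin rights? ---
$enabledUsers = Get-LocalUser | Where-Object { $_.Enabled }
$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' }
# Member names come back as 'COMPUTER\user'; keep only enabled local ones.
$enabledAdmins = $adminMembers | Where-Object {
    $short = $_.Name.Split('\')[-1]
    $enabledUsers.Name -contains $short
}
if (@($enabledAdmins).Count -gt 2) {
    $findings.Add("Access control: $(@($enabledAdmins).Count) enabled local administrators " +
                  "($($enabledAdmins.Name -join ', ')); expected at most 2.")
}

# --- Secure configuration: the built-in Guest account should be disabled. ---
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings.Add('Secure configuration: built-in Guest account is enabled.')
}

# --- Secure configuration: AutoRun for removable media. ---
# NoDriveTypeAutoRun = 255 (0xFF) disables AutoRun on every drive type;
# NoAutorun = 1 stops autorun.inf from being honoured at all.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
if (-not $autorun -or $autorun.NoDriveTypeAutoRun -ne 255) {
    $findings.Add("Secure configuration: NoDriveTypeAutoRun is not 255 under $explorerPolicy.")
}
if (-not $autorun -or $autorun.NoAutorun -ne 1) {
    $findings.Add("Secure configuration: NoAutorun is not 1 under $explorerPolicy.")
}

# --- Patch management: automatic updates on, and a recent patch installed. ---
$wu = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    $findings.Add('Patch management: Windows Update service (wuauserv) is disabled or missing.')
}
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings.Add("Patch management: NoAutoUpdate=1 under $auPolicy turns automatic updates off.")
}
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    $findings.Add('Patch management: no installed updates reported by Get-HotFix.')
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("Patch management: newest update $($latest.HotFixID) was installed on " +
                  "$($latest.InstalledOn.ToShortDateString()), more than 30 days ago.")
}

# --- Report ---
if ($findings.Count -eq 0) {
    Write-Output 'No findings: the checked points look in order on this workstation.'
} else {
    Write-Output "$($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script changes nothing; each finding names the area of the scheme it relates to so the output can be compared directly against the corresponding questionnaire section. Every check reads a documented Windows setting (local group membership, the Explorer and Windows Update policy keys, the update service and installed hotfixes), so it can be re-run after remediation to confirm the change took effect.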
All of these standards are required to gain the certification, but you might already have reached the standard (or even exceeded it) in some of these areas. Each page of the Cyber Essentials security questionnaire also has one of the following icons:
The icon shows which kind of equipment the points on that page protect: your computers, laptops, tablets, phones, firewall, or server and network. This lets you see quickly which area of your I.T. network will be affected by performing the steps in that section, so you can prioritise the areas you know are weaker than others. Each section contains 4-7 steps to improve in that area.
What are the benefits of Cyber Essentials?
The Cyber Essentials Scheme is not only a great way of effectively securing your network and data, it is also backed by the government. It is part of a new move to educate people and businesses on how to defend against cyber-attacks, and how to recover from them.
Being at the standard required by Cyber Essentials can also help you reassure your current customers that their data is secure, and potentially attract new ones. In short, having the badge is something to shout about. Holding one or several security standards is similar to a restaurant having a high food hygiene rating: customers are more likely to trust it over one without.
These standards are incredibly important for companies that handle a lot of personal and sensitive data. It is also important for employers to know that they are responsible for protecting their customers' and employees' personal data and so must keep it safe from harm.
The Cyber Essentials Scheme also has a section on how to moderate and control your employees' user rights and administrative powers. This will prevent a less knowledgeable employee from downloading and installing potentially harmful programs (at least not without permission from an actual admin).
Bongo IT have partners that can provide the certification, and we can get you to the standard needed. We can also supply a customised security guide for your company. Come and talk to one of our network and security experts today.
Call us on: 01865 988 217