What does Cyber Essentials cover?
Cyber Essentials is a UK Government backed scheme that helps protect your business against a range of the most common cyber-attacks. Cyber-attacks can come in many forms and may be carried out against businesses of any size of industry. However, the vast majority of these attacks are basic in nature and are the digital equivalent of a thief trying your front door or window to see if it’s unlocked. By implementing the controls specified in Cyber Essentials, you can help protect your business against the majority of these commodity attacks.
The Control Categories
Cyber Essentials is broken down into 5 separate topics, with a number of assessment questions asked against each category. In the sections below, I list the main criteria, but note these are not the full list of controls you should implement prior to applying for certification.
- Do you have a firewall in place?
- Do you regularly review your firewall rules?
- Do you remove firewall rules as soon as they are no longer required?
- Have you applied the principle of least privilege?
- Have you limited the usage of your administrative accounts?
- Do you use multi-factor authentication where possible?
- Do you have a strong joiners/movers/leavers process?
- Do you use standard builds or ensure that unnecessary software has been removed from your devices?
- Do you check to see if all your accounts are used and required?
- Have your default passwords been changed?
- Do you update all of your software and operating systems?
- Remember to include mobile phones, firewalls, switches and IoT devices!
- Do you have anti-malware software installed?
As part of the assessment, you also need to state which parts of your business are in scope. Ideally, this should be your whole organisation and at the very least any areas that have internet access. Note that if you do not include the whole of your business, you will not be eligible for the free cyber insurance that is available (Note there are other conditions that apply as well).
Also included in the scope of the assessment are the number of staff who are classed as working from home. For the purpose of the assessment, if more than 50% of their work is carried out at home, the member of staff is classed as a home worker. This may also mean their home router is in scope for your assessment. Remember, the assessment is carried out at a particular point in time and so the questions need to be answered as relevant at that moment, rather than what may have happened in the past.
If your business is using a managed office, you need to consider what aspects of the infrastructure might be in scope for your assessment.
If you are using Infrastructure as a Service (IaaS) for example AWS, this will be in scope as you are able to control the operating system. Even if the management is outsourced to another company, it is still in scope as it remains the responsibility of your business.
However if you are using Software as a Service, for example Quickbooks or SalesForce, this may not be in scope if you are unable to apply the required controls. Similarly, Platform as a Service may also be out of scope if the Cyber Essentials controls can’t be applied.
The question whether mobile devices (i.e. phones and tablets) are in scope or not can be a little confusing. However the simple rule of thumb is if they are accessing business data, including cloud services, or holding business data such as email or SharePoint for example, then they are in scope.
A similar principle applies to Bring Your Own Device. Any device used to access or hold business data is in scope. This also means home computers which are used for the occasional access to webmail are also in scope.
What do I need to pass the Cyber Essentials assessment?
To begin the assessment process, you must complete a questionnaire which asks specific information about each control topic. Once you have completed the questionnaire and have submitted this along with your assessment fee, your responses are verified by a qualified assessor. You need to achieve a compliant mark against the majority of the questions. It is important to note that all questions need to be answered. If you omit any questions, this can be an automatic failure of the assessment. Similarly, not implementing a certain control may also result in an immediate failure of your assessment.
If you do fail the assessment you have 2 working days to carry out any remediation actions and resubmit your assessment. This first re-assessment is carried out free of charge. If you fail a second time, you will need to pay another assessment fee and wait a month before resubmitting.
Once you have passed the assessment, you will receive your Cyber Essentials certificate. This is valid for 12 months.
How can Nexor help?
You may find the thought of achieving Cyber Essentials a little daunting. Perhaps you need guidance on deciding which parts of your business should be in scope for assessment, or maybe you don’t know the best way to answer a particular question based on the control implementation you have carried out. You may want to check your readiness prior to the formal assessment. Nexor can offer a range of services to help your business get Cyber Essentials certified. Contact us now to speak to one of our Consultants.
Author Bio – Sarah Knowles
Sarah Knowles is Nexor’s Senior Security Consultant. She is a NCSC certified Security and information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Cyber Essentials and IASME Governance Assessor. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.