What is Cyber Essentials

The Cyber Essentials Scheme was created by the UK Government and industry working together to design a basic set of requirements that all organisations could apply with limited experience of cybersecurity. Those organisations that apply these requirements would then be able to publicly demonstrate their commitment to cybersecurity via the Cyber Essentials Badge.

The process is designed to be low cost and to provide a respected minimum standard in cyber security.

The Scheme is designed to address the most common internet-based threats to your organisation’s cybersecurity, particularly attacks that use tools requiring little skill from the attacker. These threats are as follows:

  • Hacking, using known vulnerabilities in Internet-connected devices, using tools and techniques found on the internet
  • Phishing, ways of tricking users into installing or executing a malicious application, such as email attachments
  • Password guessing, manual (typed in) or automated (using tools found online) attempts to log on to your systems from the Internet, by guessing passwords or reusing passwords exposed in another breach

The devices in scope of the scheme are (get in contact if you are not sure):

  • Desktop/laptop PCs (including MS Surface), physical and virtual
  • Tablets and smartphones
  • All types of server and network equipment (Layer 3 switches, firewalls, routers, etc.), physical and virtual
  • Thin clients
  • PaaS, SaaS, IaaS
  • Staff owned devices where they are used to access organisational data or services

For more information see: Cyber Essentials Requirements for IT infrastructure

The scheme has been proven to be effective, and provides:

  • Reassurance for your customers that your organisation is working to secure their data
  • Trust with suppliers
  • A tendering advantage where certification is required for contracts, and thus a competitive advantage
  • A good starting point for Data Protection (GDPR) security

Cyber Essentials Basic — Self Assessment

Cyber Essentials Basic is a multiple-choice self-assessment questionnaire covering the 5 core control areas of the Cyber Essentials Scheme that all organisations should adhere to:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

Your organisation must ensure that it meets all the requirements.

The first thing you should do is determine the boundary of scope and which systems or devices fall within that boundary. Then review all 5 technical control areas for those systems, taking action as needed to ensure that your organisation meets every requirement throughout the scope you have determined.
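To make that review step concrete, the script below is an added example (not code from the CyberAggress page or from the Cyber Essentials scheme itself) that spot-checks a Linux host against four of the five control areas: user access control, secure configuration, firewalls and security update management. Malware protection depends on the product in use, so it is not checked. It assumes a Debian/Ubuntu-style host with sshd, iptables and apt unattended-upgrades; the function names are the author's own, and the inputs are constructed stand-ins for /etc/shadow, /etc/ssh/sshd_config, the output of iptables -S and /etc/apt/apt.conf.d/20auto-upgrades so that it runs offline.

```shell
#!/bin/sh
# Added example, not code from the CyberAggress page or the Cyber Essentials scheme.
# Spot-checks a Linux host against four of the five Cyber Essentials control areas
# (malware protection depends on the product in use and is not checked here).
# Sample inputs are CONSTRUCTED so the script runs offline; for a live audit,
# point each function at the real file or command output named in its comment.

SAMPLE_DIR=$(mktemp -d)

# Constructed stand-in for /etc/shadow: an empty second field means no password at all.
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$salt$notarealhash:19700:0:99999:7:::
alice:$6$salt$notarealhash:19700:0:99999:7:::
kiosk::19700:0:99999:7:::
EOF

# Constructed stand-in for /etc/ssh/sshd_config.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
# PermitRootLogin no   <- commented out, must be ignored
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
EOF

# Constructed stand-in for the output of: iptables -S
cat > "$SAMPLE_DIR/iptables" <<'EOF'
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF

# Constructed stand-in for /etc/apt/apt.conf.d/20auto-upgrades.
cat > "$SAMPLE_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

# User access control: accounts whose password field is empty.
accounts_without_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Secure configuration: sshd directives that leave root or empty-password
# logins reachable from the internet. Commented-out lines are skipped.
sshd_weak_directives() {
    grep -iE '^[[:space:]]*(PermitRootLogin|PermitEmptyPasswords)[[:space:]]+yes' "$1" \
        | awk '{ print $1 }'
}

# Firewalls: the default policy for inbound traffic (expect DROP or REJECT).
inbound_default_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3 }' "$1"
}

# Security update management: succeeds when unattended upgrades are switched on.
unattended_upgrades_enabled() {
    grep -qE '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1"
}

# One finding per line; empty output means the sampled controls pass.
audit_findings() {
    dir=$1
    accounts_without_password "$dir/shadow" | sed 's/^/account has no password: /'
    sshd_weak_directives "$dir/sshd_config" | sed 's/^/sshd allows: /'
    policy=$(inbound_default_policy "$dir/iptables")
    [ "$policy" = "DROP" ] || [ "$policy" = "REJECT" ] \
        || echo "firewall inbound default policy is $policy"
    unattended_upgrades_enabled "$dir/20auto-upgrades" \
        || echo "unattended security updates are disabled"
}

audit_findings "$SAMPLE_DIR"
```

Run against the constructed samples it reports four findings: the kiosk account with no password, PermitRootLogin yes, an inbound default policy of ACCEPT, and unattended upgrades turned off. Each corresponds to a question on the self-assessment, and fixing them is the "taking action as needed" part of the review.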

CyberAggress can provide guidance on scope and on how you can meet the requirements. We do not offer IT support, but we are happy to work alongside your own.

Cyber Essentials Plus

Cyber Essentials Plus (CEP) is the part of the scheme that tests that your systems comply with the requirements and that those controls are effective. It requires that your organisation has already obtained certification at the Basic level within the last 3 months, inclusive of the duration of the audit.

Unlike typical vulnerability testing, the Cyber Essentials Plus audit tests the defence mechanisms the organisation uses rather than just looking for vulnerabilities to exploit.

The cost of the audit depends on the number of devices, the number of locations, and the complexity of the networks in scope. Get in contact by email for a quote.

Cyber Essentials Plus works alongside ISO 27001, demonstrating that the information security management controls are working.


* Further information available on request.
** Access to the portal is limited to 6 months once your account has been created.


Extras

  1. Cyber Essentials Plus — Pre-Assessment: gap analysis prior to the audit
  2. Add-on IASME Governance with GDPR Readiness certification: shows a good standard of information governance and covers the core areas of GDPR (POA)
  3. Full IASME Governance Standard audited assessment (POA)

What’s in it for me?

  • Reduce risk to your organisation from internet based threats.
  • Show due care and active risk management ready for GDPR (General Data Protection Regulation).
  • Avoid or reduce the impact of a breach, reduce the cost of recovery, and reduce any fine the ICO could impose.
  • Established minimum standard.
  • Competitive advantage, win contracts over those that don’t have it.
  • If you deal with government or local authority contracts, it is now mandatory for many of them.
  • Reduced risk can save you money on your insurance premium.
  • Free Cyber insurance for one year**.
  • Best practice with many official bodies (Accountants, Lawyers, Estate-agents…).
  • According to the Cyber Security Breaches Survey 2017, 46% of all UK businesses identified at least 1 security breach in the last 12 months (2016-2017) (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017).
  • Only half of all firms (52%) have enacted ‘basic’ technical controls across the five areas laid out under the Government-endorsed Cyber Essentials Scheme, this means that 48% of businesses still do not have the basic protection in place or have not formalised their approaches to cybersecurity.
  • Crypto-ransomware is a multibillion dollar industry; Cyber Essentials reduces your business’s risk of being a victim.
  • 72% of cases where firms identified a breach or attack are related to staff receiving fraudulent emails (phishing).
  • 33% of cases are related to viruses, spyware and malware (hacking).
  • 27% of cases are related to people impersonating the organisation in emails or online (hacking/phishing).
  • 17% of cases are related to ransom-ware (hacking/phishing).
  • Cyber Essentials will directly mitigate 80% of commodity hacking or phishing attempts.
  • Gaining certification and actively practising good cybersecurity housekeeping can significantly reduce the risk of most common cyberattacks, and shows a level of risk management as required by GDPR/Data Protection Law.
  • Cyber Essentials is mandatory for central government contracts; some require Cyber Essentials Plus as a minimum in addition to ISO 27001.
  • Cyber Essentials is used and backed by the UK and Scottish Governments.

How Do I get it?

  1. Call 01292 811 811 or email us at cyberessentials@aggress.co.uk
  2. We will discuss your needs and timelines
  3. From here you will either:
    1. Complete the online submission through our portal and get certified on meeting the requirements, or
    2. Have a remote walk/talk through of the questionnaire with our certified assessor, when you and the assessor are happy you can formally submit through our portal.
    3. For Cyber Essentials Plus, a scoping exercise is required to ensure good coverage and efficient testing, which expedites the process.


* Depends on the size of the organisation
** Limited to 6 months
*** Details of the insurance policy available on request.

Background to Cyber Essentials

The Cyber Essentials Scheme was set up by the UK government in 2014 and is now an internationally recognised baseline standard for IT security. At its core it covers 5 areas of IT security controls, and the scheme focuses on preventing attacks originating from the internet that are aimed at business IT infrastructure. These attacks are addressed from the network boundary (your broadband connection) to the end device (PC, laptop, server, smartphone, etc.).

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of business can implement and potentially build upon. Implementing these measures can significantly reduce your business’s vulnerability. However, it does not offer a silver bullet to remove all cybersecurity risk; for example, it is not designed to address more advanced, targeted attacks and hence businesses facing these threats will need to implement additional measures as part of their security strategy.

What Cyber Essentials does do is define a focused set of controls which provide cost-effective, basic cybersecurity for businesses of all sizes. With Cyber Essentials you get a choice over the level of assurance you wish to gain (Basic/Plus) and the cost of doing so.

It is important to recognise that certification only provides a snapshot of the cybersecurity practices of the business at the time of assessment. Maintaining a robust cybersecurity stance requires additional measures, such as a sound risk management approach, as well as ongoing maintenance of the Cyber Essentials control themes, such as patching.

It offers the right balance between providing additional assurance of a business’s commitment to implementing cybersecurity to third parties, while retaining a simple and low cost mechanism for doing so.