What is Cyber Essentials

The Cyber Essentials Scheme was created by the UK Government and industry working together to design a basic set of requirements that all businesses could apply with limited experience of cyber security. Businesses that apply these requirements can then publicly demonstrate their commitment to cyber security via the Cyber Essentials Badge.

The process is designed to be easy and low cost, and to provide a respected minimum standard in cyber security.

The Scheme is designed to address the most common internet-based threats to your business's cyber security, particularly attacks that use tools requiring little skill from the attacker; these tools are widely available and increasingly used. These threats are as follows:

  • hacking, using known vulnerabilities in Internet-connected devices, using tools and techniques found on the internet
  • phishing, ways of tricking users into installing or executing malicious applications, such as email attachments
  • password guessing, manual (typed in) or automated (using tools found online) attempts to log on from the Internet to your systems, by guessing passwords

The devices in scope of the scheme are:

  • desktop/laptop PCs (including Surface devices)
  • tablets and smartphones
  • all types of server and network equipment

The scheme has been proven to be effective, and provides:

  • reassurance for your customers that your business is working to secure their data
  • trust with suppliers
  • a tendering advantage where it is required for contracts, and thus a competitive advantage
  • a good starting point for Data Protection (GDPR) security

Cyber Essentials Basic – Self Assessment

Cyber Essentials Basic is a multiple-choice self-assessment questionnaire covering the 5 core elements of the Cyber Essentials Scheme that all organisations should adhere to:

  1. Firewalls: using a firewall to secure your Internet connection
  2. Secure Configuration: choosing the most secure settings for your devices and software
  3. User Access Control: controlling who has access to your business data and services
  4. Malware Protection: protecting yourself from viruses and other malware
  5. Patch Management: keeping your devices and software up to date

Your business must ensure that it meets all the requirements. The first thing you should do is determine what is in scope, then review all 5 requirements for those systems. CyberAggress can provide guidance on which devices are in scope and how you can meet the requirements; we do not offer IT support, but we are happy to work alongside your own.

Cyber Essentials Plus

Cyber Essentials Plus (CEP) is the part of the scheme that tests that your systems comply with the requirements and that those controls are effective. It requires that your business has already obtained certification at the basic level within the last 3 months. Unlike typical vulnerability testing, the Cyber Essentials Plus audit tests the defence mechanisms used by the business rather than just looking for vulnerabilities to exploit.

The cost of the audit depends on the number of devices, the number of locations, and the complexity of the networks in scope. Get in contact by email for a quote.

Cyber Essentials Plus works alongside ISO 27001, proving that the information security management controls are working.

Extras

  1. Cyber Essentials Plus Pre-Assessment: gap analysis prior to audit, from £500*
  2. Add-on IASME Governance with GDPR Readiness certification: shows a good standard of information governance and covers the core areas of GDPR, +£150*
  3. Full IASME Governance Standard audited assessment: £POA

* Plus VAT

** A minimum of 4 hours of support is required for the IASME Standard where support is requested.

What’s in it for me?

  • Competitive advantage
  • Win contracts over those that don’t have it
  • If you deal with Government or local authority contracts, it is now mandatory for many of them
  • Reduce your risk and save money on your insurance premium
  • Free Cyber insurance for one year**
  • Show due care and active risk management ready for GDPR (General Data Protection Regulation)
  • Avoid or reduce the impact of a breach, reduce the cost to recover, and reduce any fine the ICO could impose
  • Established minimum standard
  • Best practice with many official bodies (accountants, lawyers, estate agents…)
  • According to the Cyber Security Breaches Survey 2017, 46% of all UK businesses identified at least 1 security breach in the last 12 months (2016-2017) (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2017)
  • Only half of all firms (52%) have enacted ‘basic’ technical controls across the five areas laid out under the Government-endorsed Cyber Essentials Scheme
  • This means that 48% of businesses still do not have the basic protection in place or have not formalised their approaches to cyber security
  • Crypto-ransom is a multi-billion dollar industry; Cyber Essentials reduces your business's risk of being a victim
  • 72% of cases where firms identified a breach or attack related to staff receiving fraudulent emails (phishing)
  • 33% of cases related to viruses, spyware and malware (hacking)
  • 27% of cases related to people impersonating the organisation in emails or online (hacking/phishing)
  • 17% of cases related to ransomware (hacking/phishing)
  • Cyber Essentials will directly mitigate 80% of commodity hacking or phishing attempts
  • Gaining certification and actively practising good cyber security housekeeping can significantly reduce the risk of the most common cyber attacks, and shows a level of risk management as required by GDPR/Data Protection Law.
  • Cyber Essentials is mandatory for Central Government contracts; some require Cyber Essentials Plus as a minimum in addition to ISO 27001
  • Cyber Essentials is backed by the UK and Scottish Governments.

How do I get it?

  1. Call 01292 811 811 or email us at cyberessentials@aggress.co.uk
  2. We will discuss your needs and timelines
  3. From here you will either:
    1. complete the online submission through our portal and get certified on meeting the requirements
    2. or, for Basic, have a walk/talk-through with our certified assessor via phone and email over a total of 2 to 4 hours of support (depending on your location the assessor may visit) to help you determine where you are and where you need to be to meet the Cyber Essentials requirements. When you and the assessor are happy, you can formally submit through our portal.
    3. where Cyber Essentials Plus is required, a scoping exercise will ensure good coverage and efficient testing, expediting the process.

* All prices are plus VAT
** Details of the insurance policy are available on request

Background to Cyber Essentials

The Cyber Essentials Scheme was set up by the UK Government in 2014 and is now a worldwide recognised baseline standard for IT security. At its core it covers 5 areas of IT and IT security controls; the scheme focuses on preventing attacks originating from the internet and aimed at a business's IT infrastructure. These attacks come via the network boundary (the connection to your broadband) to the end device (PC/laptop/server/smartphone etc.).

Cyber Essentials offers a sound foundation of basic hygiene measures that all types of business can implement and potentially build upon. Implementing these measures can significantly reduce your business’s vulnerability. However, it does not offer a silver bullet to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and hence businesses facing these threats will need to implement additional measures as part of their security strategy.

What Cyber Essentials does do is define a focused set of controls which will provide cost-effective, basic cyber security for all sizes of business. With Cyber Essentials you get a choice over the level of assurance you wish to gain (Basic/Plus) and the cost of doing so.

It is important to recognise that certification only provides a snapshot of the cyber security practices of the business at the time of assessment; maintaining a robust cyber security stance requires additional measures, such as a sound risk management approach, as well as on-going attention to the Cyber Essentials control themes, such as patching.

It offers the right balance between providing third parties with additional assurance of a business's commitment to implementing cyber security, while retaining a simple and low-cost mechanism for doing so.