With rising security threats and cyber-attacks against businesses and organisations, time is of the essence to improve your digital defences. A good approach to this is to follow the UK Government’s recently launched Cyber Essentials scheme.
Cyber Essentials is becoming recognised as a valuable roadmap and kitemark for businesses wishing to improve their cyber security and provide evidence that they meet minimum standards.
Developed by Government and industry, the scheme aims to fulfil two key roles:
- Firstly, to provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats.
- Secondly, through the scheme’s ‘Assurance Framework’ it offers a mechanism for organisations to demonstrate to their customers, investors, insurers and others that they have taken the essential precautions.
Cyber Essentials offers a sound foundation of basic cyber hygiene measures that all types of organisations can implement and then build upon. By implementing these measures an organisation’s vulnerability can be significantly reduced.
However, the scheme does not provide a silver bullet to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks and organisations facing these threats will need to implement additional measures as part of their security strategy.
What Cyber Essentials does do is define a focused set of controls which will provide cost effective, basic cyber security for organisations of all sizes.
Assurance Framework
The scheme’s Assurance Framework provides a staged approach towards embedding established and sustainable information risk management from common Internet-based threats as well as the broader risks organisations may face.
Each stage adds confidence and it is for organisations to decide which they choose based on their assessment of risk, their customers’ expectations and cost considerations. The framework supplements other information security certification arrangements and covers the basic controls needed to defeat most threats from the Internet.
The framework consists of two stages, leading to two levels of accreditation or ‘badges’ – Cyber Essentials and Cyber Essentials PLUS.
Accreditation
Cyber Essentials accreditation involves undertaking the following, with completion of stage 1 being a prerequisite to stage 2.
Stage 1 – Cyber Essentials
You state your organisation’s compliance with Cyber Essentials requirements by responding to an online questionnaire covering the requirements for basic technical protection from cyber attacks. The completed questionnaire is sent for review to a recognised body which then undertakes an external vulnerability assessment, testing that individual controls on your internet-facing network perimeter have been implemented correctly, and that there are no obvious vulnerabilities.
Stage 2 – Cyber Essentials PLUS
Cyber Essentials PLUS encompasses the same controls as Cyber Essentials but offers a higher level of assurance through the use of an independent testing regime.
Scheme requirements
Cyber Essentials focuses on five key controls or requirements of your IT system as follows:
- Boundary firewalls and internet gateways – these are devices designed to prevent unauthorised access to or from private networks. Correct set-up of these devices either in hardware or software form is essential for them to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring only those who should have access to systems or information have access through use of appropriate access measures.
- Malware protection – ensuring that virus and malware protection is installed and is up to date.
- Patch management – ensuring the latest supported version of applications is used and all the necessary patches supplied by the vendor have been applied.
Business benefits
Gaining accreditation delivers a number of key benefits to your business. These include:
- Peace of mind that your business is protected against the majority of common cyber-attacks that it is likely to encounter.
- Identification of areas for further improvement, even if you meet either of the two levels of accreditation.
- Visible evidence that your business has taken a rigorous approach to protecting itself by displaying either the Cyber Essentials or Cyber Essentials PLUS logo.
- Ability to respond to public sector tenders which now require accreditation for any supply that involves handling of sensitive and personal information or provision of certain technical products and services.
Making it happen
The scheme has been put in place to help protect companies against the majority of cyber-attacks to IT systems, in the main involving relatively low levels of technical capability. However, if you are serious about preventing attacks on your business it is likely you will need to do more.
Either way, unless your organisation has the expertise in-house, it is recommended that companies should enlist the expertise of their IT or Managed Service Provider. Synergy Technology can help you do this. Our hosted workspace solutions can provide your business with a secure yet flexible IT system. Coupled with effective email delivery services and anti-spam software solutions, Synergy Technology offers complete IT business solutions and subsequently peace of mind for your business.