Why Adopt The Cyber Essentials Programme?
The UK government's Cyber Essentials scheme was developed in collaboration with industry and is intended to help businesses mitigate common online threats.
Launched in 2014 and now owned by the National Cyber Security Centre (NCSC), it has become a widely recognised baseline for cybersecurity.
Applicable to organisations of all sizes, it helps those seeking to implement a robust data security strategy to protect both themselves and their clients. It does this by encouraging organisations to adopt good practice in information security and by specifying a simple set of five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) that protect information from external and internal threats.
The Cyber Essentials controls are designed to prevent basic cyber attacks, and certification is available at two levels:
- Cyber Essentials – a self-assessment questionnaire that addresses basic threats and helps to prevent the most common attacks.
- Cyber Essentials Plus (CE+) – the same controls as Cyber Essentials, but rather than being self-assessed, compliance is verified independently by an assessor from a certification body and includes vulnerability scanning and hands-on testing of a sample of in-scope devices.
Cyber Essentials offers a sound foundation of basic hygiene measures that all types of business can implement and build upon. The government believes that implementing these measures significantly reduces exposure to the most common attacks. However, it is not a silver bullet that removes all cybersecurity risk: it is not designed to address more advanced, targeted attacks, so organisations will need to implement additional measures as part of their security strategy.
The assurance framework leading to the award of Cyber Essentials Plus certificates has been designed to be light-touch and achievable at low cost. It is important to recognise that certification only provides a snapshot of cybersecurity practices at the time of assessment; certificates are valid for 12 months and must be renewed.
It is always advisable to run internal and external vulnerability scans before a certification test is booked: the scans will highlight any areas of weakness, giving time to fix issues and avoid a failure on certification day, or a round of last-minute fixes while the assessor is on site.
The CE+ process falls into two sections, external and internal. Within these sections the assessor checks the following areas:
External system test details:
1 Review of the customer questionnaire information on exposed ports and services
2 Full service scan (TCP and UDP) of the in-scope external addresses
3 External vulnerability scan
4 Web application testing for common, known vulnerabilities, if in scope.
Internal system test details:
1 Internal vulnerability scan
2 Facility walkthrough.
3 Manual system checks:
- Unnecessary user accounts
- Weak passwords
- User access control (privileges check)
- Unnecessary software
- AutoRun/AutoPlay feature check
- Firewall and malware protection checks
- Review of password, Internet security, starter and leaver, and patch management policies.
4 Email checks: test messages carrying attachments of common malware-carrier file types are sent to confirm that they are blocked or quarantined rather than delivered.
5 Mobile device checks to confirm that a supported, up-to-date operating system is installed and a device lock (PIN or password) is enabled.
During the test, evidence is required such as audit logs from firewalls and servers.
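Much of the internal manual check list above can be pre-checked on each Windows endpoint before the assessor arrives. The script below is an added example written for this page; it is not part of the Cyber Essentials scheme material or the assessor's toolkit. It uses standard Windows cmdlets to gather the evidence the assessor will look at (enabled accounts, local administrators, AutoRun, firewall profiles, Defender state, recent updates, installed software) and returns a list of findings. The thresholds it applies (the 90-day dormant-account window, more than two local administrators, 7-day signature age) and the registry value it treats as "AutoRun disabled" are the author's assumptions about what an assessor will question, not scheme text; the 14-day patch window is the scheme's own requirement for critical and high-severity fixes.

```powershell
# Added example: pre-assessment evidence gathering for the CE+ internal manual checks.
# Run in an elevated PowerShell 5.1+ session on a Windows 10/11 endpoint.
# Thresholds and the AutoRun registry value below are the author's assumptions.

function Invoke-CePlusPrecheck {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Unnecessary accounts and weak-password indicators: enabled local users,
    # the Guest account, accounts that need no password, and dormant accounts.
    foreach ($u in Get-LocalUser) {
        if (-not $u.Enabled) { continue }
        if ($u.Name -eq 'Guest') { $findings.Add("Guest account is enabled") }
        if (-not $u.PasswordRequired) { $findings.Add("Account '$($u.Name)' does not require a password") }
        if ($null -eq $u.LastLogon -or $u.LastLogon -lt (Get-Date).AddDays(-90)) {
            $findings.Add("Account '$($u.Name)' has not logged on in 90 days; confirm it is still needed")
        }
    }

    # User access control: who holds local administrator rights (assumed threshold: 2).
    $admins = @(Get-LocalGroupMember -Group 'Administrators')
    if ($admins.Count -gt 2) {
        $findings.Add("Administrators group has $($admins.Count) members: $($admins.Name -join ', ')")
    }

    # AutoRun: policy value 0xFF (255) disables AutoRun for every drive type.
    $autorun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $autorun -or $autorun.NoDriveTypeAutoRun -ne 255) {
        $findings.Add("AutoRun is not fully disabled (NoDriveTypeAutoRun is not 0xFF)")
    }

    # Firewall: every profile (Domain, Private, Public) should be enabled.
    foreach ($p in Get-NetFirewallProfile) {
        if (-not $p.Enabled) { $findings.Add("Windows Firewall profile '$($p.Name)' is disabled") }
    }

    # Malware protection: Defender enabled, real-time protection on, signatures current.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp) {
        $findings.Add("Microsoft Defender status unavailable; record the third-party AV product and its update state")
    } else {
        if (-not $mp.AntivirusEnabled) { $findings.Add("Antivirus is disabled") }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is disabled") }
        if ($mp.AntivirusSignatureAge -gt 7) { $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }
    }

    # Patch management: the scheme expects critical/high fixes applied within 14 days.
    # Get-HotFix lists QFE entries only, so treat this as an indicator, not proof.
    $os = Get-CimInstance Win32_OperatingSystem
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-14)) {
        $findings.Add("No update installed in the last 14 days on $($os.Caption) $($os.Version)")
    }

    # Unnecessary software: the assessor walks the installed-programs list, so export it
    # from both the 64-bit and 32-bit Uninstall keys for review before the visit.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName |
        Export-Csv -Path "$env:COMPUTERNAME-installed-software.csv" -NoTypeInformation

    return $findings
}

$result = Invoke-CePlusPrecheck
if ($result.Count -eq 0) { "No findings on $env:COMPUTERNAME" } else { $result }
```

Run it on each in-scope device and keep the output alongside the firewall and server logs: the findings list is the "fix before the visit" list, and the CSV is the starting point for removing software nobody can justify. Password strength itself is not tested here because the assessor checks it against the organisation's written policy and a sample of accounts, which a script cannot do without the policy to hand.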
For businesses willing to adopt these measures, the benefits can be many, including the ability to tender for contracts that require a Cyber Essentials certified supplier (it is a requirement for certain central government contracts that involve handling sensitive or personal information) and enhanced customer trust and confidence.
Certification also supports GDPR compliance. It does not tell you where personal data is held, nor does it cover the legal obligations around processing it, but it does provide independently verified evidence that basic technical security measures are in place. That evidence can be cited in GDPR statements and policies to show that, as an organisation, you have considered these risks and had your controls checked by an independent assessor.
Businesses now live with the spectre of cyberattacks as the norm. Adopting Cyber Essentials Plus is one way of taking control and starting the process of fighting back.
Every organisation can benefit from added protection. Call us on 0844 586 0040, or email [email protected] and we’ll be happy to advise you.