Blog
FAQ: What is Cyber Essentials?
July 2nd, 2018
Cyber Essentials is a government-backed scheme designed to help organisations of all sizes reduce their risk of common cyber-attacks. It allows businesses to obtain one of two Cyber Essentials badges and has the support of industry organisations like the Federation of Small Businesses, the CBI and numerous insurance organisations.
What are the certification levels?
There are two levels of certification available: Cyber Essentials and Cyber Essentials Plus.
What are the requirements?
In order to become certified your IT infrastructure must meet specific requirements. These are defined by five technical controls:
- Firewalls – You must configure and use a firewall to protect all devices, particularly those that connect to public or other untrusted wifi networks
- Secure Configuration – Only use necessary software, accounts and apps
- User Access Control – You must control access to your data through user accounts. Only give administrative privileges to those who require them and control what an administrator can do on those accounts
- Malware Protection – You must implement at least one measure (e.g. Anti Malware, Whitelisting, Sandboxing) to defend against malware
- Patch Management – You must keep all your devices, software and apps up to date
Companies applying will also need to test all their in-scope public-facing IPs. For most companies, this will be the block of IP addresses they get from their internet service provider, but it also includes IP addresses at all in-scope locations like data centres and cloud providers.
You can exclude IP addresses from tested if you do not have control of the security configuration of the service, for example where the address belongs to the cloud provider.
Cyber Essentials Plus also includes a technical audit of in-scope systems. This includes a representative set of workstations, mobile devices and build types in use by the organisation which an unauthorised user could access.
To determine the number of build types you must review the number of operating systems and software suites installed. For instance, if more than one browser or Office suite is used then each variant will need to be tested.
What are the benefits of Cyber Essentials?
- Protects your organisation from approximately 80% of cyber-attacks, according to the UK government.
- Demonstrates your commitment to security and data protection to customers and stakeholders.
- Boosts your reputation and increases your chance of securing new business by showing you have cyber-security measures in place.
- Cyber Essentials permits you to work with the UK government, Plus gives you the opportunity to work with the MoD.
- Lets you focus on your business objectives, knowing you are secure.
What are the requirements for Cyber Essentials certification?
- Firstly, complete a self-assessment questionnaire.
- Then, a senior company representative signs off the questionnaire.
- An external certification body then verifies the questionnaire.
- The external certification body undertakes an external vulnerability scan of Internet-facing. networks and applications to verify there are no known vulnerabilities present.
What are the requirements for Cyber Essentials Plus certification?
- Firstly, complete a self-assessment questionnaire.
- Senior company representative signs off the questionnaire.
- Then, an external certification body then verifies the questionnaire.
- The external certification body undertakes an external vulnerability scan of Internet-facing. networks and applications to verify there are no known vulnerabilities present.
- They will also test the security and anti-malware configuration of each device type/build. This is done using malicious email attachments and web-downloadable binaries, including an on-site assessment.
How to get Cyber Essentials certified
QuoStar offers a Cyber Essentials consultancy service for organisations that require additional guidance. Our service includes Gap Analysis, technical support and guidance to implement the required controls, practical advice to ensure ongoing security and guaranteed certification. Please click here for more information on our Cyber Essentials consultancy service.
How to create an email retention policy
Email retention policies are all about decreasing the risk to your company. But for a truly successful policy, you need to strike the balance between a retention period which is too long and keeps useless mail around and one which is too short and loses mail that was important. Your policy needs to take into […]
The benefits of an email archiving solution
There are typically three ways in which businesses can archive their email; save absolutely everything, rely on users to archive emails or utilise an email archiving solution. With 269,000,000,000 (yes, that’s billion!) emails being sent and received every day, storing every single one is not really feasible. And with 200 billion of those being SPAM, […]
Does a bigger cloud provider guarantee better service?
When choosing cloud, is a big name always best? Over recent years, we’ve seen a number of significant outages at a good number of the larger cloud providers and platforms out there. Some have been just blips and some outages have lasted days. And to prove it’s not just small providers facing downtime issues here’s […]