Why should you get Cyber Essentials?
There's been a lot of talk recently about the UK Cyber Essentials certification scheme, with some people saying it's a great certification to have and others saying it is lacking in a lot of areas. But why should you get the Cyber Essentials certification for your business?
Here are my thoughts on why it's a great certification to achieve and why it will help your business.
The Cyber Essentials scheme has been around for many years, and during its early years it didn't receive much love in terms of being kept up to date with technology and threat developments. However, this is now changing: the scheme goes through regular updates, the most recent being in January 2022.
If you didn't already know, the scheme is based on best practices recommended by the NCSC and other industry leaders. If the five main security controls are implemented correctly, alongside the Cyber Essentials Requirements for IT Infrastructure guidelines, they will help safeguard your business from internet-based threats.
The five security controls which need to be applied are:
- Firewalls: ensuring that firewalls are in place between the internet and the company's network or devices.
- Secure configuration: ensuring that the configuration of devices is implemented in a way that protects those devices.
- User access control: ensuring that user accounts are not running as a local administrator and that unused accounts are removed or disabled.
- Malware protection: ensuring that anti-malware solutions are in place to protect devices.
- Security update management: ensuring that all devices are kept up to date as soon as possible, and within 14 days of a security update's release.
Now, implementing these controls may seem like common sense and simple enough to do; however, when you start looking at the scope of your business for certification, this can open a can of worms.
But by implementing these controls, the business (if large enough) is forced to put centralised management of devices and controls in place, which makes supporting and configuring machines easier. That in turn allows the business to bring a standardised build into the environment, which is a win-win for everyone.
Although configuring user accounts so that they are not local administrators will annoy some people (I'm looking at you, developers), it helps ensure that if a machine or user account is compromised, the target area is limited, because the user account is restricted to a small amount of change. If all users were local administrators, a compromise could have the potential to spread throughout the network.
By ensuring that anti-malware (even Windows Defender) is in place and kept up to date, you ensure that your business is protected in the worst-case scenario. Add to this patch management, ensuring that all devices are kept up to date, and it will help you safeguard the business from known (and unknown, i.e. zero-day) attacks.
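As an added example (not from the original post), here is a read-only PowerShell snapshot of the five controls listed above on a single Windows endpoint, so you can see where a machine stands before the self-assessment. It assumes Windows 10/11 or Server 2016+, an elevated PowerShell session and Microsoft Defender; the 90-day "unused account" threshold and the "only the built-in Administrator should be a local admin" rule are my assumptions, not the scheme's wording.

```powershell
# Added example, not from the original post: reports on the five Cyber Essentials
# controls for one Windows endpoint. It reads state only and changes nothing.
# Assumptions: Windows 10/11 or Server 2016+, elevated PowerShell 5.1+, Microsoft
# Defender in use (a third-party AV will not show up in Get-MpComputerStatus).
$MaxPatchAgeDays  = 14   # the post's "within 14 days of release" window
$StaleAccountDays = 90   # assumed threshold for an "unused" local account
$results = @()

# 1. Firewalls: all three Windows Firewall profiles (Domain/Private/Public) enabled.
$fw = Get-NetFirewallProfile
$results += [pscustomobject]@{
    Control = 'Firewalls'
    Pass    = @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
    Detail  = ($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
}

# 2. Secure configuration (one indicator only): built-in Guest account (RID 501) disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
$results += [pscustomobject]@{
    Control = 'Secure configuration'
    Pass    = ($null -eq $guest) -or (-not $guest.Enabled)
    Detail  = "Guest account enabled: $($guest.Enabled)"
}

# 3. User access control: user accounts in local Administrators other than the
#    built-in Administrator (RID 500), plus enabled local accounts not used recently.
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and $_.LastLogon -and $_.LastLogon -lt (Get-Date).AddDays(-$StaleAccountDays)
}
$results += [pscustomobject]@{
    Control = 'User access control'
    Pass    = (@($extraAdmins).Count -eq 0) -and (@($stale).Count -eq 0)
    Detail  = "Extra admins: $(@($extraAdmins).Name -join ', '); stale: $(@($stale).Name -join ', ')"
}

# 4. Malware protection: Defender on, real-time protection on, signatures fresh.
$mp = Get-MpComputerStatus
$results += [pscustomobject]@{
    Control = 'Malware protection'
    Pass    = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le 1)
    Detail  = "RTP=$($mp.RealTimeProtectionEnabled), signature age $($mp.AntivirusSignatureAge) day(s)"
}

# 5. Security update management: proxy check on the age of the newest installed hotfix.
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$age  = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { [int]::MaxValue }
$results += [pscustomobject]@{
    Control = 'Security update management'
    Pass    = $age -le $MaxPatchAgeDays
    Detail  = "Newest hotfix $($last.HotFixID) installed $age day(s) ago"
}
$results | Format-Table -AutoSize
```

The update check is only a proxy: the scheme's 14 days run from the vendor's release date, so a machine with no pending updates can legitimately show an older last hotfix, and one with pending updates can pass this check while still being out of compliance.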
Under Cyber Essentials, any device which accesses organisational data or services (think email, documents, etc.) will be in scope of the assessment unless specifically excluded. When you think about it this way, you start looking at mobile devices, personal phones and the like: something that needs serious thought before steaming ahead for certification. Pwndefend have a good blog article discussing the use of a tracker and dashboard for working towards Cyber Essentials compliance.
However, it's not all doom and gloom: by applying these controls to all devices, and bringing personal devices under cover (if applicable) through technical controls, you help protect your business from internet-borne threats.
You must also remember, when applying Cyber Essentials to your business, that the controls and certification are what they say they are: the base security essentials for your business, meaning that you, the business, are applying the necessary solutions to help safeguard yourself from possible attack.
Yes, the scheme doesn't cover everything needed to safeguard your business. It doesn't yet cover backups and restoration in any detail, and there is no mention of user security awareness training, but these are more orientated towards business operations.
It is also worth noting that if you are tendering for government and/or MoD work, you will need to have achieved Cyber Essentials to get a foot in the door. We're also seeing a lot of supply chains looking for evidence of this certification, so it makes sense to get certified now rather than waiting until you need it and time is of the essence.
However, I still think that, no matter the size of the business, achieving Cyber Essentials is a good step in the process. It can open the eyes of people within the business and lends itself to thinking outside the box and looking at ways to further protect the business. Then, depending on the business, you may look to go towards the Cyber Essentials Plus certification, which adds an audited element to the process, giving it more weight and showing that you are doing what you say you are doing.
I hope this helps you think about whether Cyber Essentials is a good fit for your business. If it is and you want to get certified, get in touch with us to see how to start the process quickly and easily.