Cyber Essentials is a UK government scheme supported by the NCSC (National Cyber Security Centre) that sets out five basic security controls to protect organisations from around 80% of common cyber-attacks.
Over the past five years, the Cyber Essentials scheme has been vital in helping protect organisations from some of the most common causes of data breaches. The scheme is designed to help organisations of any size demonstrate their commitment to cyber security.
Understandably as awareness of Cyber threats increase, Cyber Essentials is being either mandated or actively encouraged across an increasing number of private and public sector contracts. Clients are increasingly expecting suppliers to demonstrate their adherence to basic Cyber disciplines, which when correctly implemented can protect an organisation against the most common cyber threats against data held in IT systems.
From April 2020 there was a change to the way the scheme was run with the previous five Cyber Essentials certification bodies replaced by one, the IASME Consortium, which licenses certification bodies to carry out Cyber Essentials and Cyber Essentials Plus certifications.
The five areas which Cyber Essentials cover are:
Firewalls – the requirement for them to be properly set up and managed to prevent unauthorised access to your systems, devices, and internal networks.
Patch Management – Software and operating systems should be regularly updated to fix known vulnerabilities.
Malware Protection – Anti-malware software should be installed to protect your computers, important data and privacy.
Access Control – User accounts should be assigned only to authorised individuals, be managed effectively, and provide the minimum level of access.
Secure Configuration – Computers and network devices should be configured to minimise vulnerabilities and provide only the services required.
Illuminet were first certified for Cyber Essentials in 2018 and our experience of the recent changes are that they have led to the need to provide much more granular detail of the organisations systems and infrastructure in order to pass the online assessment.
This led to significantly increased preparatory work as the assessment requires the following information:
- The quantities of laptops, computers and servers within the scope of the assessment, including model numbers and operating systems versions for all devices, including BYOD equipment.
- The quantities of tablets and mobile devices within the scope of the assessment including model and operating system versions for all devices, including BYOD equipment.
- A list of networks and network equipment in scope for this assessment including firewalls and routers.
It is fair to say that obtaining this data has given us a much better insight into our overall system and service topology, the network equipment and end user devices being utilised to access our systems as well as increasing the awareness across the organisation of the need to maintain devices at their latest patch levels.
Having acquired this level of information the maintenance and awareness work continues to ensure our systems and data continue to be protected for the safety of ourselves and our clients.