Cyber Essentials and Cyber Essentials Plus are UK government-backed schemes designed to help protect organizations against 80 percent of the most common cyber-attacks.
This scheme lays out five basic security controls that must be implemented in order to defend against today’s most common cyber threats. These controls are closely aligned to other notable security frameworks, including the Basic CIS Controls as well as the PCI DSS requirements.
Both Cyber Essentials and Cyber Essentials Plus help demonstrate that your organization is taking cyber security seriously and has the five key security controls in place. Cyber Essentials Plus covers all of the controls in Cyber Essentials, but the controls must be independently assessed by a certification body. Self-attested or third-party certification gives your organization the peace of mind that your security defenses are operating correctly and are ready to defend against common cyber-attacks.
What are the benefits of the Cyber Essentials for your organization?
By proving your compliance with the Cyber Essentials, your organization demonstrates a commitment to data protection and cyber security by establishing a fundamental security baseline. This commitment will reassure your customers that you’re working to secure your IT infrastructure against the most common cyber threats. In doing so, your certification will help boost your reputation and in turn attract new business with the promise that you have the necessary security controls in place. While the Cyber Essentials are not a mandatory security framework, many organizations as well as government contracts require Cyber Essentials certification in order to do business.
What are the five basic security controls?
Before your organization starts storing and processing customer data, it’s vital to have the basic security controls in place. Here are the five technical controls that make up the Cyber Essentials framework:
- Firewalls - To start off, you’ll need to have a firewall in place, and most importantly, you’ll need to be using it correctly. Firewalls must be properly set up in order to prevent unauthorized access to your internal network. The firewall must be applied across your entire network and protect every single device within your IT infrastructure. In addition, firewall admin passwords must be changed regularly and must be at least 8 characters long.
- Secure Configuration - Next, you’ll need to ensure that all of your devices and software are configured to have the most up to date security settings. While it should go without saying, organizations must minimize functionality and only use software with an essential business justification to help minimize vulnerabilities and provide only the services required. Additionally, it’s important to remove all default accounts and other non-essential user accounts, and to implement a strong password policy and account lockout features. This control has also been deemed essential by the Center for Internet Security (CIS) as part of the Basic CIS Controls, specifically CIS Control 5: Secure Configuration for Hardware and Software in Mobile Devices, Laptops, Workstations and Servers. NNT recently partnered with the CIS to host a joint webinar on this security control – watch the webinar on-demand now.
- Access Control – In the event that a hacker (or malicious employee) manages to break through your defenses, you’ll want to have proper access control measures in place in order to limit what they can do. This starts with making sure that user accounts are only assigned to authorized individuals, and that these users only have access to what they need in order to do their job. Organizations must also ensure that all systems are username and password protected, that a process is in place where account creation is approved by management, and that a leavers process is in place to delete or disable accounts. You’ll want to minimize the number of administrator accounts too. Keeping a small number of high-privileged admin accounts will help minimize the risk of compromise and will allow your organization to keep track of who exactly has access to what.
- Malware Protection – Modern malware is everywhere and constantly evolving to avoid defenses. The degree of damage caused by malware varies according to type, but it is a rapidly growing threat that must be properly managed to reduce an organization’s attack surface. It’s critical for organizations to have anti-malware software installed in order to protect systems, valuable data and overall privacy. Aside from anti-virus software, organizations must train their employees to spot the signs of phishing emails, remind employees to never open attachments or click links from unknown senders, and avoid untrustworthy websites that could put your organization's security at risk. This security control is also included in the CIS Controls, specifically CIS Control 8: Malware Defenses.
- Patch Management – Keeping software and operating systems up to date with the latest patches is an absolute must, as most patches are released to address a security vulnerability. So, install patches and, most importantly, do so regularly in order to fix any known security vulnerabilities within your IT infrastructure. Additionally, make sure your organization is only using supported and licensed operating systems, applications and software. Hackers are known to target organizations using unsupported applications, so make sure to remove any applications that do not have on-going support or updates. To learn more about the dangers of running outdated devices and software, read our latest Whitepaper: The Problem with Running Outdated Software.
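As an added illustration (not code from the original post or from NNT), the checker below scores a constructed asset inventory against the five controls listed above, reporting the gaps per host and per control. The record field names, the supported-OS baseline, the 14-day patch window and the admin-account limit are assumptions chosen for this example, not Cyber Essentials requirements.

```python
from __future__ import annotations
from datetime import date

# Assumed baselines for this illustration only
SUPPORTED_OS = {"Windows 11", "Windows Server 2022", "Ubuntu 22.04"}
MAX_PATCH_AGE_DAYS = 14        # assumed: patches applied within two weeks
MAX_ADMIN_ACCOUNTS = 2         # assumed: "small number of high-privileged admin accounts"
TODAY = date(2024, 6, 1)       # fixed reference date so results are deterministic
CONTROLS = ("Firewalls", "Secure Configuration", "Access Control",
            "Malware Protection", "Patch Management")

def assess_host(host: dict) -> dict[str, list[str]]:
    """Return {control: [gaps]} for one host record; empty dict means compliant."""
    gaps: dict[str, list[str]] = {c: [] for c in CONTROLS}
    # Firewalls: enabled, and admin password at least 8 characters
    if not host["firewall_enabled"]:
        gaps["Firewalls"].append("firewall disabled")
    if len(host["firewall_admin_password"]) < 8:
        gaps["Firewalls"].append("firewall admin password shorter than 8 characters")
    # Secure Configuration: default accounts removed, account lockout configured
    if host["default_accounts_present"]:
        gaps["Secure Configuration"].append("default accounts still present")
    if host["lockout_threshold"] == 0:
        gaps["Secure Configuration"].append("no account lockout threshold")
    # Access Control: few admin accounts, leavers' accounts disabled
    if host["admin_account_count"] > MAX_ADMIN_ACCOUNTS:
        gaps["Access Control"].append(f"{host['admin_account_count']} admin accounts")
    if host["leaver_accounts_active"] > 0:
        gaps["Access Control"].append("accounts of leavers still active")
    # Malware Protection: anti-malware software present
    if not host["anti_malware_installed"]:
        gaps["Malware Protection"].append("no anti-malware software")
    # Patch Management: supported OS and recent patching
    if host["os"] not in SUPPORTED_OS:
        gaps["Patch Management"].append(f"unsupported OS {host['os']}")
    if (TODAY - host["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        gaps["Patch Management"].append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    return {c: g for c, g in gaps.items() if g}

def assess_inventory(hosts: list[dict]) -> dict[str, dict[str, list[str]]]:
    """Map each non-compliant host name to its gaps."""
    return {h["name"]: r for h in hosts if (r := assess_host(h))}

# Constructed sample inventory: one compliant workstation, one neglected server
INVENTORY = [
    {"name": "ws01", "firewall_enabled": True, "firewall_admin_password": "Tr0ub4dor&3",
     "default_accounts_present": False, "lockout_threshold": 5, "admin_account_count": 1,
     "leaver_accounts_active": 0, "anti_malware_installed": True, "os": "Windows 11",
     "last_patched": date(2024, 5, 25)},
    {"name": "srv02", "firewall_enabled": True, "firewall_admin_password": "admin1",
     "default_accounts_present": True, "lockout_threshold": 0, "admin_account_count": 5,
     "leaver_accounts_active": 1, "anti_malware_installed": True, "os": "Windows Server 2008",
     "last_patched": date(2024, 3, 1)},
]
```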
NNT's SecureOps™ Suite & the Cyber Essentials
The Cyber Essentials are viewed as a starting point for cybersecurity controls and represent a minimum level of security that all organizations regardless of size should be aligned with. NNT’s SecureOps™ suite can help your organization achieve and remain compliant with the Cyber Essentials. To learn more, visit our Cyber Essentials web page and learn how to get started.