Why is ‘Cyber Essentials’ required?
Besides the obvious reason, being secured against common attacks, it helps to first understand why this matters. As you may have seen in the news, companies suffer data breaches through complex attacks involving months of covert work, but sometimes it is as simple as a malicious email attachment getting past the filters. CE is designed to test these common attack vectors in a controlled manner, to ensure that your security controls, practices and processes meet the expected standard.
Many of the common attacks are carried out by less skilled attackers, commonly known as ‘script kiddies’: individuals using other hackers’ or security researchers’ tools, despite little to no knowledge of how they work, firing speculative attacks at the large combined attack surface of many companies and hoping for the best, trying to become the next Dade Murphy (Hackers, 1995).
The CE assessment aims to ensure that your business is set up to guard against these types of attacks.
What does ‘Cyber Essentials’ testing involve?
When it comes to Cyber Essentials, there are two levels of certification: Cyber Essentials and Cyber Essentials Plus. In this next section, we’ll break them down a little.
Cyber Essentials
This is a self-assessment questionnaire that you are required to fill out, answering questions about your security policies, how often you update your systems, and your general security posture. Remember, it is important to answer as accurately as possible. Once the form has been completed, you send it back to the vendor, who will review your answers and tell you whether you have passed or failed the Cyber Essentials certification.
Cyber Essentials Plus
CE+ involves all the steps from CE; however, this time your infrastructure will be tested! This includes public-facing IP addresses/websites, workstation/laptop builds, mobile device control, and email filtering solutions. We’ll break this down a little further.
Public-facing IP addresses and websites
If you host any services that can be accessed from the internet, such as a file server, VPN server or web server, those addresses/domains will have to be counted towards the scope. Addresses and domains owned by providers such as Microsoft or AWS may be exempt from the scan; however, it is best to check with your chosen vendor to confirm this. The perimeter of your corporate network is also within the scope of scanning.
Workstation/laptop builds
A representative sample of your device estate will be assessed against criteria such as patch management, configuration, and access controls. The sample is chosen based on the types of devices you have and the builds used on them. If you have a large variety of device types, manufacturers and builds, the assessment will have to cover each of these.
Email filtering solutions
Email payload tests will also be undertaken to assess whether appropriate filtering is in place to prevent malicious files from reaching your corporate network.
Mobile device control
Does your company support ‘Bring Your Own Device’ (BYOD) or issue corporate devices? Are system updates enforced? Are all installed apps kept up to date? Mobile devices are often the last thing a business thinks to secure, yet we use them to access corporate information!
I’ve gone through the assessment, now what?
Whether you’ve done CE or CE+, it’s not an on-the-spot “pass” or “fail”. The vendor will notify you of any issues that would prevent you from passing, allowing two working days from the point of notification to remediate them and provide evidence of the controls put in place. Issues that would prevent you from passing straight away include any vulnerability with a CVSSv3 base score of 7.0 or higher, malicious payloads reaching end users and being executable within a certain number of clicks, or patch levels not at an acceptable state.
If you pass straight away, or can remediate within the allotted two working days… Congratulations! You’ll be presented with a certificate based on the type of assessment that was undertaken.
However, if you are unable to pass within the two working days, you’ll have to wait thirty days before a new assessment can be conducted.
This certificate is valid for 12 months from the date of completion, so put a reminder in your calendar to book another assessment in 10-11 months.
That is Cyber Essentials in a nutshell. Passing means you understand, and can have confidence in, your security posture against common attacks, and the certification assures your clients and partners that you take security seriously. To learn more about CE, we have written an extensive guide – read online here, and download your free copy, or visit our page on everything you need to know about Cyber Essentials.
If you need help on where to start with your cyber-security needs, contact us for a friendly, no-obligation chat.