This guide gives a detailed overview of Cyber Essentials and Cyber Essentials Plus: what the schemes are, who runs them, what the controls require, and how to get certified.
Irrespective of the nature of your organisation, its size, sector and the type of IT used, it is highly likely you use technology that leaves you exposed to hackers. In the same way that you conduct your life with security in mind by repeating behaviours such as locking your front door when you leave the house, or not leaving valuables in an unattended car, cyber security should start with ensuring the basics are done well. This is easy to say, but in practice, much harder to do. The Cyber Essentials standards ensure organisations focus on the basics and the controls in the Cyber Essentials standard are a great starting point. In this guide, we’ll address Cyber Essentials and also explain what Cyber Essentials Plus is.
Why is cyber security important for my business?
Before we dive into the ‘what’ of Cyber Essentials, it’s first important to understand the ‘why’: the value that cyber security brings to your business. Rather than scare you with a long list of hacks, ransomware attacks and data losses, we advocate that you think of cybersecurity as a business enabler. It can be used to foster trust and confidence with existing customers – and can be a differentiator in winning new ones. We’re observing many more businesses ask about cyber security in their supply chain and request that their suppliers and partners meet a standard of security. As the tide of cyber security rises, we think it’s important your organisation isn’t left behind and beached.
Cyber Essentials is a UK Government-backed standard with technical controls recommended from the UK’s National Cyber Security Centre (NCSC).
What is the NCSC?
The NCSC is the public-facing part of the Government Communications Headquarters (GCHQ). It was created in 2016 to help protect the UK’s critical services from cyber attacks, manage major incidents, and improve the underlying security of the UK’s Internet through technology improvements and advice to citizens and organisations. Its stated vision is to make the UK the safest place to live and work online.
The NCSC aims to:
- Understand cyber security, and distil this knowledge into practical guidance made available to all;
- Respond to cyber security incidents to reduce the harm they cause to organisations and the wider UK;
- Use industry and academic expertise to nurture the UK’s cyber security capability; and
- Reduce risks to the UK by securing public and private sector networks.
The NCSC’s website is full of good advice for individuals and organisations; however, there is so much of it that it is hard to know where to start. We recommend organisations begin their cyber security journey early, ideally in the organisation’s first years, by achieving certification against the Cyber Essentials standard. To understand why we recommend this, read on.
What is Cyber Essentials?
Cyber Essentials is the NCSC’s flagship cyber security standard. As the NCSC puts it: “Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cyber security”. The standard was independently reviewed by Lancaster University and found to be effective: “With the CE tools, more than 99% of the vulnerabilities in SMEs interviewed were mitigated”.
Whilst the NCSC advertises Cyber Essentials as suitable for any size of organisation, our experience is that it’s better suited to small and medium-sized enterprises (“SME”), or organisations with a small IT footprint. Larger and more complex organisations, particularly those with an IT department and/or a risk management function, should look towards the NCSC’s 10 Steps, ISO 27001 or the NIST Cyber Security Framework.
Who runs Cyber Essentials and Cyber Essentials Plus?
The NCSC works with IASME to deliver Cyber Essentials.
What is IASME?
IASME is a small British company that provides information assurance and security guidance and standards for small and medium-sized organisations. Following a commercial tender, IASME was chosen by the NCSC to take over full responsibility for Cyber Essentials delivery and on 1st April 2020 became the NCSC’s Cyber Essentials Partner. IASME sets the professional requirements for organisations to become a Certification Body and delivers training and ongoing professional education for assessors. IASME also sets the Cyber Essentials questions, processes submissions and oversees the quality of the Certification Bodies’ work.
We’ll now take a look at what you need to do to achieve Cyber Essentials and Cyber Essentials Plus.
What are the recent changes to Cyber Essentials?
On 30th November 2021, the NCSC announced updated requirements for Cyber Essentials and Cyber Essentials Plus. The new requirements apply to organisations whose certification begins on or after 24th January 2022. Organisations that are already certified should prepare to meet the new standard at their next certification.
Organisations already undergoing assessment, or whose assessment begins before 24th January, continue to use the previous standard, so their process is unchanged. The NCSC recognises that some organisations will need extra time to meet certain of the new requirements and has allowed a grace period of up to 12 months for some of them.
Applications that begin on or after 24th January 2022 must use the updated requirements. In our view the updates make certification harder to achieve. That is no bad thing: security is becoming more complex as organisations adopt mobile-first, cloud and online operating models.
The NCSC has created an FAQ page on the Cyber Essentials update if you want further information. Moreover, below, we will explore the new requirements in more detail.
What do I do to achieve Cyber Essentials?
Cyber Essentials is easier to achieve than its more demanding sibling (Cyber Essentials Plus), but its focus remains to do the basics to a level that will deter hackers and protect your organisation.
The first step of certification is to establish your organisation’s scope – this being the IT assets within your infrastructure subject to assessment.
| Infrastructure | In scope | Out of scope |
| --- | --- | --- |
| Devices | User-owned devices used for work purposes, as well as company-owned mobile devices and laptops. | User devices used solely for native voice applications, native text applications and two-factor authentication. |
| Routers | Routers supplied by the organisation to employees. Implementing a corporate (single-tunnel) Virtual Private Network (VPN) moves the boundary to the corporate firewall or virtual cloud firewall. | Internet service provider routers and user-owned routers. Because these are out of scope, the firewall controls (discussed later) must be applied on the user devices themselves. |
| Cloud | Data or services hosted in the cloud. Some controls are implemented by the cloud service provider, but it remains your responsibility to ensure all controls are in place, via contractual clauses or documents referenced by contract such as security statements or privacy statements. | N/A |
| Web applications | Commercial, publicly accessible web applications built by third-party development companies (rather than in-house) are in scope by default. | Custom (bespoke) components of web applications. |
If you use other externally managed services (such as remote administration), it may not be feasible for you to meet all the conditions, so you can choose whether to incorporate these services into the scope, depending on feasibility.
There are five basic controls to enforce:
- Use a firewall to secure your Internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up-to-date
- Firewalls work to restrict inbound and outbound network traffic. They help defend against attacks by implementing stringent firewall rules, which can allow or block traffic depending on its source, destination and type of communication protocol. Every device in scope must be safeguarded by an appropriately configured firewall.
In situations where you do not control the network a device is connected to, as is often the case when working from home, a software firewall must be configured on the device. Software firewalls do the same job as network firewalls, except that they protect only the device they run on rather than all, or part of, a network. Block unsolicited inbound connections by default and keep a documented business justification for every rule that opens a port. Firewalls are not something you can set up and forget: you will need to routinely review your firewall rules and who can administer the firewall to ensure they continue to meet the Cyber Essentials minimum requirements.
- Ensuring your devices have the most secure settings includes requiring a password, PIN or biometric to unlock laptops and mobile phones; biometric unlock is acceptable under the standard and is usually the most convenient option for users. You should also disable or remove any functions, accounts or services you do not need (see our comment about ‘attack surface’ below). All your devices and accounts should be password protected, with two-factor authentication (2FA) enabled wherever it is available. 2FA is an effective measure that typically involves a code from an authenticator app, or sent to your phone, which you must enter in addition to your password.
- To limit the damage if an account is compromised, misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for the person to do their job. Extra permissions should only be granted to those who need them, and only for as long as they need them. This control matters because an attacker who gains an administrative account can do far more damage than one who gains a standard user account. Most devices ship with an administrator account as standard, and it is straightforward to create a separate standard user account on a laptop. The standard account should be used for the vast majority of work and, we cannot emphasise this enough, by limiting admin access you greatly increase the protection afforded to your organisation at little or no cost.
- Protect yourself from viruses and other malware. Malware is short for ‘malicious software’: software specifically designed to disrupt, damage, or gain unauthorised access to a computer system. One example you may have heard of is ransomware, which makes your data or systems unusable until you make a payment or perform an action demanded by the attacker. A common approach now is for the attacker to copy your data first and then threaten to release it unless a payment is made. Windows includes Defender, which is sufficient to pass Cyber Essentials provided its features are enabled. Anti-malware features are often included free with commonly used operating systems and should be used on all devices.
- Finally, for the love of any otherworldly entity, when your device asks whether you want to close your programs, update and restart, do just that. Keeping your operating system up to date is another simple yet outstandingly effective way to protect your organisation. Why? Because when people write software, they make mistakes, and some of those mistakes are only discovered once the software is released and in use by people like you and me. When a flaw is found, the software provider releases an update which ‘patches’ it, and the sooner the flaw is patched, the better; Cyber Essentials requires high and critical fixes to be applied within 14 days of release. So turn on automatic updates, restart all your devices at least once a week, and retire any device that is no longer supported. Cyber Essentials looks at operating systems rather than device types, so if your device is too old to run a currently supported operating system from Microsoft, Apple or Google, it is time to upgrade.
What do I do to achieve Cyber Essentials Plus?
Now let’s look at the elements of Cyber Essentials Plus which make it more demanding to pass. To achieve Cyber Essentials Plus, an organisation must meet the standard of Cyber Essentials and, in addition, have a vulnerability scan and other technical assessments. These are verified by a Certification Body and you are not able to self-certify.
The additional elements of Cyber Essentials Plus make it a really good standard to adhere to as it checks against several areas which could be exploited by a hacker. These assessments have to be completed by a qualified, third-party Certification Body. Let’s look at them in turn.
A vulnerability scan is completed using a software tool such as Nessus. This scan will identify any areas of concern. Part of the process of achieving Cyber Essentials is checking what applications you’re running and removing any software you don’t need. This process reduces what is often termed as the attack surface, as the fewer applications you have, the fewer vulnerabilities should be present. The smaller the attack surface you present, the fewer options an attacker has to be successful.
If you can download, install and run Nessus (or an equivalent vulnerability scanner), it will give you a view of the vulnerabilities on your estate. Run a sample scan and resolve any high or critical findings before the assessment and you will be well placed to pass Cyber Essentials Plus. Where a high or critical finding remains and the vendor released a fix more than 14 days before the test, expect it to count against you; assessors have guidance on how the location and impact of a vulnerability affect the result.
An IP address (Internet Protocol address) is the number that identifies a device on an IP-based network such as the Internet, and it is what external scans are run against. For each Internet-facing IP, only ports with a business need should be open, traffic to unused ports should be blocked, and no finding should score 7.0 or higher on CVSS v3 (that is, ‘high’ or ‘critical’).
A port scan of your external IPs is often the first step in an attack. It is cheap and routine: attackers and researchers scan the whole Internet constantly, and without monitoring you are unlikely to notice it. An open port is a service listening for connections from the Internet. Only ports carrying essential traffic should be open; open ports that nobody is managing give attackers an easy way in. Think of it as locking your front door but leaving the patio doors at the back of the house wide open.
If you run anti-virus software, keep it current. Vendors update both the detection definitions and the scanning engine as threats change, so if you are paying for an anti-virus product make sure you get the benefit of your investment. For the assessment, each device with anti-malware needs its definitions updated within the 24 hours before testing, and any engine update released in the previous 30 days must be installed.
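To make the pass/fail arithmetic in the scan, open-port and anti-malware paragraphs above concrete, here is an added Python example written for this guide; it is not an NCSC, IASME or Nessus tool. It applies the thresholds as the text describes them: a CVSS v3 base score of 7.0 or higher fails when the vendor fix is more than 14 days old at test time, any open port outside a per-host allow-list is flagged, and anti-malware definitions older than 24 hours or an engine older than 30 days are flagged. The hosts, plugin names, dates and allow-list are constructed sample data, and the data classes stand in for whatever your scanner exports. Findings for which no vendor fix exists are excluded from the 14-day test here, which is a simplification of the assessor guidance.

```python
"""Cyber Essentials Plus readiness checks over constructed scan data.

Added worked example for this guide; not NCSC, IASME or Evalian tooling.
All hosts, plugin names, dates and the port allow-list are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

CVSS_FAIL_THRESHOLD = 7.0                 # 'high' and 'critical' under CVSS v3
PATCH_WINDOW = timedelta(days=14)         # fixes must be applied within 14 days of release
DEFINITION_MAX_AGE = timedelta(hours=24)  # AV definitions updated in the last 24 hours
ENGINE_MAX_AGE = timedelta(days=30)       # AV engine updates from the last 30 days installed


@dataclass
class Finding:
    host: str
    plugin: str                       # scanner's name for the issue
    cvss3: float                      # CVSS v3 base score
    fix_released: Optional[datetime]  # None when the vendor has not released a fix


@dataclass
class OpenPort:
    host: str
    port: int
    proto: str = "tcp"


@dataclass
class Endpoint:
    name: str
    definitions_updated: datetime  # last anti-malware signature update
    engine_released: datetime      # release date of the installed engine build


def failing_findings(findings: List[Finding], test_date: datetime) -> List[Finding]:
    """High/critical findings whose vendor fix was more than 14 days old at test time."""
    failed = []
    for f in findings:
        if f.cvss3 < CVSS_FAIL_THRESHOLD or f.fix_released is None:
            continue  # below threshold, or no patch exists to have missed the window
        if test_date - f.fix_released > PATCH_WINDOW:
            failed.append(f)
    return failed


def unexpected_ports(open_ports: List[OpenPort],
                     allowlist: Dict[str, Set[Tuple[int, str]]]) -> List[OpenPort]:
    """Open ports with no documented business need (absent from the per-host allow-list)."""
    return [p for p in open_ports if (p.port, p.proto) not in allowlist.get(p.host, set())]


def stale_endpoints(endpoints: List[Endpoint], test_date: datetime) -> List[Tuple[str, str]]:
    """Anti-malware installs whose definitions or engine are too old for the test."""
    problems = []
    for e in endpoints:
        if test_date - e.definitions_updated > DEFINITION_MAX_AGE:
            problems.append((e.name, "definitions older than 24h"))
        if test_date - e.engine_released > ENGINE_MAX_AGE:
            problems.append((e.name, "engine older than 30 days"))
    return problems


def ce_plus_report(findings, open_ports, allowlist, endpoints, test_date) -> dict:
    """Combine the three checks; 'pass' is True only when every list is empty."""
    vulns = failing_findings(findings, test_date)
    ports = unexpected_ports(open_ports, allowlist)
    av = stale_endpoints(endpoints, test_date)
    return {"vulnerabilities": vulns, "ports": ports, "anti_malware": av,
            "pass": not (vulns or ports or av)}


# Constructed sample data: one fix missed by 40 days, one still inside the window,
# one medium-severity issue, and one high-severity issue with no vendor fix yet.
TEST_DATE = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", "web-server-rce", 9.8, datetime(2022, 1, 20, tzinfo=timezone.utc)),
    Finding("203.0.113.10", "tls-library-dos", 7.5, datetime(2022, 2, 20, tzinfo=timezone.utc)),
    Finding("203.0.113.11", "banner-disclosure", 5.3, datetime(2021, 12, 1, tzinfo=timezone.utc)),
    Finding("203.0.113.11", "unpatched-ssh-bug", 8.1, None),
]
SAMPLE_PORTS = [OpenPort("203.0.113.10", 443), OpenPort("203.0.113.10", 22),
                OpenPort("203.0.113.11", 443)]
SAMPLE_ALLOWLIST = {"203.0.113.10": {(443, "tcp")}, "203.0.113.11": {(443, "tcp")}}
SAMPLE_ENDPOINTS = [
    Endpoint("LAPTOP-01", TEST_DATE - timedelta(hours=3), TEST_DATE - timedelta(days=10)),
    Endpoint("LAPTOP-02", TEST_DATE - timedelta(days=2), TEST_DATE - timedelta(days=45)),
]

if __name__ == "__main__":
    report = ce_plus_report(SAMPLE_FINDINGS, SAMPLE_PORTS, SAMPLE_ALLOWLIST,
                            SAMPLE_ENDPOINTS, TEST_DATE)
    for f in report["vulnerabilities"]:
        age = (TEST_DATE - f.fix_released).days
        print(f"FAIL vuln  {f.host} {f.plugin} CVSS {f.cvss3} (fix {age} days old)")
    for p in report["ports"]:
        print(f"FAIL port  {p.host} {p.port}/{p.proto} not on allow-list")
    for name, why in report["anti_malware"]:
        print(f"FAIL av    {name}: {why}")
    print("RESULT:", "PASS" if report["pass"] else "FAIL")
```

Run against the constructed data, the report fails on the 40-day-old remote code execution fix, the unexpected SSH port on 203.0.113.10 and the stale anti-malware on LAPTOP-02, while the 9-day-old fix, the medium-severity finding and the issue with no fix available are left alone. Swap the sample lists for your scanner’s export and a record of the ports you actually need, and rerun it before the assessor does.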
Testing email filters checks whether executable files can reach an inbox. The settings in your email service often protect you, but they may need to be configured specifically. Executable attachments, the type that carries viruses and malicious code, should not open and run with a single click; the extra step gives your staff a moment to think before they click and makes them part of your defences.
For each email client you will need to provide a test account, or a user’s account on one of the devices provided can be used. The assessor sends emails carrying test attachments of various file types and checks, for each, that the attachment does not reach the user. If it does reach the user, it must take at least two deliberate actions (for example, accepting a warning prompt) to open and execute it.
For each web browser on the laptops assessed, the tester visits a URL and attempts to download sample files. The browser must either block the download or require at least two deliberate actions before the file executes. The simplest way to achieve this is usually to enable the “ask where to save each file before downloading” option in the browser’s settings.
By preventing the attachment from being downloaded straight away you are allowing your staff to think if they really should download this file. Again, this feature can often be adjusted in your browser’s settings.
Mobile device protection
You will need to know where your information flows and across which devices. If your staff read work email on their mobile phones, those phones automatically fall within the scope of the assessment. Every phone in scope must run a vendor-supported operating system with the latest patches and updates installed, must not be rooted or jailbroken, and must only have applications installed from its official app store.
Account separation between user and administration accounts
Compared to standard user accounts, accounts with administrative privileges have unrestricted access to devices, applications and data. You must ensure administrative privileges are only given to employees who need them to fulfil their roles, and that day-to-day tasks such as email and web browsing are never done from an administrative account.
MFA access to cloud services
You will need to implement multi-factor authentication for your cloud and Internet-connected services, for all users, administrators included. To keep this from hampering your employees, consider deploying single sign-on (SSO): users authenticate once, with MFA, to your identity provider, and that session is then trusted by the connected services rather than each one prompting for a second factor.
Backup your data
While backing up your data is not a technical requirement for achieving CE, it is highly recommended. Backing up involves creating a copy of your data and saving it to another device or in the cloud. Regularly performing backups ensures your data are always saved meaning, in the event of a security incident or device problem, you can recover quickly.
Where possible, we recommend turning on automatic backup, which regularly saves your information to the cloud, without you having to action anything.
Is Cyber Essentials for me?
We consider the Cyber Essentials standards best suited to SMEs because of the requirement to patch within 14 days, which can be tricky for larger organisations with more complex IT. We suggest larger organisations implement the NCSC’s 10 Steps and plan to achieve ISO 27001 or adopt the NIST Cyber Security Framework once it makes business sense to do so. Whether you have on-premises IT, use a cloud service provider, or have a mix of both, Cyber Essentials is a great step towards building a security-as-standard culture in your organisation from the outset.
We also have some guidance on cyber security and business objectives here.
How do I become Cyber Essentials certified?
Organisations may apply directly for Cyber Essentials, although most use a Certification Body to support their application. Organisations that apply directly will have their application checked by a Certification Body before being awarded Cyber Essentials. A Certification Body is an organisation (like Evalian) that is trained and licenced by IASME to certify to Cyber Essentials or Cyber Essentials Plus. Organisations with a Cyber Essentials certificate are listed on the Cyber Essentials’ website, here: https://www.cyberessentials.ncsc.gov.uk/cert-search/
If you are considering using a cyber security consultant, we have some useful information here.
Your 4 steps to Cyber Essentials
We suggest taking the following steps to achieve Cyber Essentials.
- Complete the free self-assessment questionnaire, available at https://getreadyforcyberessentials.iasme.co.uk/questions/
- Review the results from the questionnaire: we can help with this and advise on achieving Cyber Essentials.
- Complete our onboarding questionnaire. This will help us define how many hours of work we will need to assess your organisation.
- Schedule assessment and celebration dates for joining hundreds of other organisations in deterring cybercriminals from accessing your data.