Cyber Essentials is a pragmatic initiative that was launched by the UK Government back in October 2014. Its primary objective is to make the UK a safer place to do business online. Based on an analysis conducted by CESG, the information security arm of GCHQ, it is understood that around 80 percent of common attacks originating from the Internet could be prevented by genuinely and consistently adopting this scheme’s highly simplified control set.
Whilst positioned within the context of the 10 Steps to Cyber Security, the ‘essentials’ assessment framework is focused on just five main control areas. They are as follows:
- Boundary firewalls and internet gateways
- Secure configuration – Ensuring that systems are configured in the most secure way for the needs of the organization
- Access control – Ensuring only those who are authorized have access to systems and at the appropriate levels
- Malware protection – Ensuring that virus and malware protection is installed and is up-to-date
- Patch management
Not limited to any one particular sector, the Assurance Framework, which was developed by CREST under a mandate from CESG, is intended to provide a clear way of differentiating those organizations who have proven to have fundamental controls in place and those who have not.
There are two different levels of certificate to which an organization can apply:
- Cyber Essentials certification – Awarded on the basis of a verified self-assessment approved by a senior executive, such as the CEO, and verified by an independent certification body
- Cyber Essentials Plus – Offers a higher level of assurance through actual testing by an external certifying body via a range of tools and techniques
The certification process for each of the two levels is dependent upon a candidate company’s size and complexity. Whilst it is my hope that many would ultimately seek the latter, the first option provides a suitably low cost, non-convoluted means of certification for most organizations. A foot on the ladder, so to speak.
There has been a pleasing uptake in the scheme by many organizations. However, one could argue that those who have achieved certification were already aware and concerned about the need to protect their systems and assets. The fact that Cyber Essentials is mandatory for only those companies seeking central government contracts lends further credence to that claim.
As a result, we are left with the challenge of getting ‘buy in’ from less prepared organizations before they have a serious breach. Given the frequency and escalation of breaches over the last year, the likelihood of that happening without having such basic foundations in place is a very real one indeed.
There should be a renewed sense of exigency around promoting and, where possible, insisting upon the scheme when dealing with third parties in the UK. It isn’t a matter of bureaucracy or even compliance; it’s a simple matter of hygiene.
If an organization isn’t doing any of these things, then it should be concerned enough by now to start thinking about changing that position. If it is accessing your systems in any way or handling your data assets and cannot demonstrate a level of assurance, then you should be very worried indeed.
The irony of posting this article is that readers of The State of Security no doubt have comprehensive control sets in place. With that in mind, please share either this article or the direct link to the official Cyber Essentials homepage with all your UK connections, and please continue to spread word of these resources at every relevant opportunity.
For those who are concerned about this area but are not sure where to start, there is even a quick online self-assessment questionnaire here. Perhaps that quiz might be worth taking yourself… just to be on the safe side.
About the Author: Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and PCIP (PCI SSC Payment Card Industry Professional). He is currently the IT security lead for King’s Service Centre supporting the services of King’s College London, one of the world’s top 20 universities.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.