According to statistical research carried out by the University of Portsmouth for the UK government, more than 80% of the cyber-attacks affecting businesses in the UK could have been prevented by implementing some basic security controls.
To help organizations adopt good practices in information security, the UK government released a government-endorsed certification scheme called Cyber Essentials in 2014.
What is the Cyber Essentials Certification?
Run by the National Cyber Security Centre (NCSC), Cyber Essentials was developed in collaboration with industry partners such as the Information Security Forum, the Information Assurance for Small and Medium Enterprises Consortium, and the British Standards Institution.
On a very basic level, the goal of the certification is to protect the confidentiality, integrity and availability of company information from internet threats. However, it is important to note that Cyber Essentials is a basic level of due diligence from which to build on and not a comprehensive cybersecurity strategy. There are two types of certifications: Cyber Essentials and Cyber Essentials Plus.
The Cyber Essentials scheme addresses the most common Internet-based threats to cybersecurity — particularly, attacks that use widely available tools and demand little skill. The scheme considers these threats to be hacking, phishing, and password guessing.
What are the Benefits of Being Certified?
By achieving the certification, your business shows its commitment to cyber security, and your suppliers, partners and clients can feel more confident in sharing data with you. If you are tendering for government projects, you must have Cyber Essentials. Some MoD projects and local authorities require a minimum of Cyber Essentials Plus.
What are the Five Technical Controls?
Cyber Essentials tests the following five areas of your IT infrastructure:
Firewalls: Use of either personal, built-in or dedicated boundary firewalls to secure the Internet connection.
Secure Configurations: Choose the most secure settings for your devices and software, and do not rely on the “default” configuration settings, which typically ship with unnecessary features and services enabled. Such settings can provide attackers with easy opportunities to gain unauthorized access to your data. Secure settings include the use of multi-factor authentication.
User Access Control: To minimize the potential damage that could be done if an account is misused or stolen, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them.
Malware Protection: To protect yourself and your business, you must defend against malware by using anti-malware measures, application whitelisting (allow-listing) and sandboxing.
Patch Management: No matter which phones, tablets, laptops or computers your organization uses, it is important that they are kept up to date at all times. This applies both to operating systems and to installed apps or software, and it includes policies for end-of-life management when the vendor no longer supports a piece of hardware or software.
What type of Cyber Essentials should you choose? What are the differences?
Cyber Essentials is a self-assessment certification. The certification process has been designed to be lightweight and easy to follow. Once you select a Certification Body, you answer the questionnaire provided by that body. They then evaluate your answers and perform an external vulnerability scan on your IP addresses. If all goes well, you pass, and a certificate is issued. Cyber Essentials certification is right for small businesses that want to demonstrate they have the key controls in place.
Cyber Essentials Plus, on the other hand, has exactly the same requirements as Cyber Essentials, but the critical difference is that it requires an independent assessment of your security controls to verify that the five technical controls are in fact in place. The assessment involves a vulnerability scan, which identifies unpatched or unsupported software, open ports, incorrect firewall configuration and similar weaknesses. The information gathered guides any remedial actions, ensuring your company meets the five technical controls and demonstrates good information governance practice. As the external body works through your certification, you will have to supply evidence that you meet all requirements.
Although Cyber Essentials Plus certification is more difficult to achieve, it is worth it since there is objective analysis of your existing security controls, which can drive a real improvement in your cyber defenses. As a result, Cyber Essentials Plus has become a much more highly regarded certification, suitable for small and large businesses that are looking for a real improvement in their existing cybersecurity controls. Cyber Essentials Plus is mostly suitable for businesses that have employees who work remotely and/or third parties who need to access corporate assets.
It is important to note that certification is only valid for one year and must be renewed annually. The purpose of Cyber Essentials is to improve your organization’s cyber-readiness, and the annual renewal is an excellent opportunity to make sure that your security is up to date against today’s evolving digital threats.
Both Cyber Essentials and Cyber Essentials Plus require organizations to prove that security controls are in place. This can often be a pain point: most organizations worry about, or struggle with, the time and resources required to gather the necessary audit information. Done manually or with the wrong tools, the process can be lengthy and difficult.
Tools from established vendors, such as Tripwire, can help in collecting the required information. Tools such as Tripwire Enterprise can be used not only to collect the actual baseline state of the IT infrastructure, thus providing evidence of configuration status and readiness, but also to provide percentage reports showing how the same environment fares against industry standards such as PCI DSS, CIS, ISO 27001 and many more.
Tripwire solutions can also provide vulnerability information, such as a risk score on a per-asset and per-vulnerability basis, through the IP360 solution. Combining this information with the integrity monitoring data from Tripwire Enterprise would give an organization the audit information required to pass its Cyber Essentials certification.
Further, while log management is an area many organizations overlook, collecting logs from each enterprise component serves several functions in an architecture that aims to identify and protect assets. Tripwire Log Center fully integrates with Tripwire Enterprise and IP360 to establish a baseline for the enterprise’s daily activity and to help maintain up-to-date information about which systems exist in the enterprise and what their status is.
With the proliferation of industrial IoT devices and sensors, it is equally important to safeguard both the IT and the OT side of an organization, especially if that organization provides critical services. Selecting a security vendor that can provide solutions for both worlds, IT and OT, should therefore be a serious consideration when looking to achieve Cyber Essentials certification. Tripwire has a proven record and is a leader in IT/OT security with its Tripwire Industrial Visibility solution.