What is Cyber Essentials?
The short answer is that Cyber Essentials is a framework that forms an achievable minimum standard for UK organisations and businesses. The official answer is below:
The Cyber Essentials scheme has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, within the context of the 10 Steps to Cyber Security. And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
From the Cyber Essentials Assurance Framework.
Cyber Essentials was launched in 2014, but few businesses took note. This has resulted in untold losses for the UK economy and has caused many businesses to cease trading due to the losses they have suffered.
The ever-growing threat landscape means that the average UK “Micro” or “Small” business owner/operator who uses a computer, laptop, tablet or even smartphone in their everyday business life is unaware of the current threats and has no way of even identifying them.
The official definition of Cyber Essentials states that it fulfils two functions:
- A clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats.
- And through the Assurance Framework it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
Cyber attacks cost organisations like yours thousands of pounds and cause lengthy periods of disruption. Do you have a plan for what you would do if your customer database was stolen, your website was forced offline, or you couldn’t access your email or business-critical data?
Cyber criminals don’t just attack banks and large companies – they target any organisation which isn’t properly protected, even small businesses – like yours.
The majority of cyber attacks exploit basic weaknesses in your IT systems and software. Cyber Essentials shows you how to address those basics and prevent the most common attacks. The scheme is designed by Government to make it easy for you to protect yourself. © Crown Copyright 2016
Cyber Essentials – Basic Controls
What are the 10 Basic Steps then? The diagram below from the National Cyber Security Centre explains the 10 steps in simple terms.
Let's look at them one by one.
Cyber Essentials accepts that your router probably has a Firewall and will usually accept that, so long as the Firewall is active and you are using the most current version, you meet the minimum standard. But will that router's standard firewall really protect you? In recent years we have found hundreds of examples where standard firewalls within routers are not adequate. We have seen breaches where the firewall has been hacked and even had its software replaced with a different version by the hackers.
For this reason we nearly always recommend a professional dedicated Unified Threat Management (UTM) Firewall solution. Of course there is an initial cost to these systems and there are ongoing licensing costs, but these costs can be minimised through good planning. An example may be to purchase the UTM Firewall with its one year licence option this year and then, as that licence comes to an end, decide if you are going to renew for one, two or three years. Usually there is a cost saving to purchasing a multiple year licence.
Another area of Network security that is often overlooked is that of separating departments by having different LANs (Local Area Networks). Having accounts on a different LAN to the rest of the company doesn’t necessarily restrict connectivity, but it does improve network security by making straightforward access to the accounting LAN more difficult for the casual user and even for the hacker. Putting even a small firewall on that LAN, or configuring a larger Firewall with multiple LANs, could easily make a hacker leave you alone and look for an easier target.
Cyber Essentials – User Education and Awareness
Education is always worth the time and effort. A half day training session could save you thousands of pounds in lost productivity due to an employee opening an infected email or attachment.
We provide several types of training including email phishing simulator training.
Cyber Essentials – Malware Prevention
The vast majority of computer users believe that their Anti-Virus tool will protect them from all the threats that are out there. Unfortunately this is not the case.
There are two things to consider here:
- A zero day threat is a new piece of malicious code, called malware (virus, Trojan, worm etc.), that is released into the wild (online).
- A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware and hurries to fix it—this exploit is called a zero day attack.
A hacker can use a zero day threat, which is not likely to be recognised by your Anti-Virus, to attack your systems, or take the somewhat easier path of using a zero day vulnerability to get an existing piece of malware onto your system. Once it is on your system through the security hole in the unpatched software, the first thing the malware is likely to do is disable your Anti-Virus!
There is, however, a new threat vector (way in) that has recently been used by hackers to get ransomware onto users' computers. This makes it almost impossible to stop but, believe it or not, we have found a solution that will prevent all of the aforementioned attacks from taking place. What’s more, the solution has been so well designed that it is highly likely that it will stop zero day threats in the future.
Cyber Essentials – Removable Media Controls
Removable media forms a threat in several ways; here are three that are of great concern:
- Theft of data
- Loss of data (due to losing the removable media)
- Code injection on your system from malware on the removable device
Theft of data may seem unlikely, but every year employees are blackmailed into doing just this! As for loss of data by losing the media device, we have worked on Audits where we have found that an employee has walked out of the building with a 2.5″ 500Gb hard drive containing confidential information; what is more, the device actually belonged to the company.
The code injection concern may be difficult for the average user to understand.
As this article is being written there is a USB Pen Drive near the keyboard that is used for just this purpose. Essentially the device can be programmed to perform a multitude of tasks. The program that is currently installed on it will gather all of the email address and password information from the computer and send it to a secure email address; what is more, it can perform this task in under 15 seconds and leaves no trace of its activity behind!
Used in Penetration Testing (often referred to as Pen Testing), this device forms part of our White Hat toolkit.
Sometimes the simple solution is to disable or prevent Pen Drives and External Drives from being plugged into a USB port on computers.
Cyber Essentials – Secure Configuration
This seems obvious to us, but unfortunately many users find updates an inconvenience and put them off. When a vendor like Microsoft or Adobe provides an update, it is often to patch a newly discovered security vulnerability. Performing these updates is critical to protecting our computer systems at home and at work.
However, not all software security updates get performed. Often we find that the versions being used by the customers we are checking are out of date.
Another source of concern is software that is no longer used. It sits on the computer doing nothing and therefore seems of little concern. However, most software will check for updates when it is started, and so old software that is never started does not get updated and may be full of vulnerabilities.
One of the things we are most proud of is that our amazing Malware Solution mentioned above also updates and patches software quietly in the background so that you can rest easy when it comes to outdated software (that doesn’t mean that old software shouldn’t be removed, it most definitely should).
Cyber Essentials – Managing User Privileges
You would be surprised at how many receptionists have Administrator privileges. This is often a misconfiguration by IT Support, not done maliciously, but quite often done as a quick fix to test something and then forgotten.
Being able to monitor access to specific systems or secure data is a really important part of protecting your systems. Performing privilege checks and maintaining appropriate access is critical to good security.
Cyber Essentials – Incident Management
All companies should have procedures and processes to help cover incident management. It may be part of a security requirement, a part of requirements by a governing body or it may be that you have adopted good practices like ISO 20000 or ITIL etc.
The general idea is to move forward, identify the root cause and put preventative measures, policies and procedures in place to prevent or at least mitigate future risk.
When we audit clients we spend a lot of time with staff at the front line; their experience is invaluable to making improvements and identifying common issues.
Surprisingly, the vast majority of companies that we visit for the first time have no incident procedures other than a First Aid Accident Book!
These companies experience the same issues time and again. Often the blame is placed on a different department, management or an external company. The fact is that there should be no blame, just a process to resolve the situation.
Time and again it has been proven that these processes and procedures save companies money and yet many organisations see only the initial cost in time and money rather than the long term benefits.
Cyber Essentials – Monitoring
Monitoring is one of the simplest things that can be done to identify performance issues, threats, risks and much more. Yet we often find that day to day most companies only monitor and measure sales. Reducing risk, reducing waste, monitoring data (you have it anyway, why waste it) can be seen as bean counting. In our experience monitoring is a critical part of IT performance and Testing.
For example, our parent company CTS utilises software with its contract clients that can monitor every aspect of computer performance: CPU Usage, Disk Drive health, Cooling Fan speeds, RAM Performance, even Print Job failures. By monitoring these and dozens of other performance indicators they are able to identify potential faults before they occur. As a result, parts can be ordered and replaced before failure, saving downtime and potential data loss.
Working from home or on the road is common practice for many firms these days. Being able to access data as if you were in the office on your own computer is often essential to good business productivity and especially to sales.
The security risks are potentially enormous: Unencrypted cloud systems, Unencrypted Remote Desktop Connections and Loss of Mobile Devices, to name just a few. The solutions are easy to implement, often don’t cost as much as people think and, as a result, help protect you, your business and your client data at one of the weakest links in the security chain.
NOTE: The information provided on this page is not an exhaustive list of security issues or resolutions. Cyber Essentials requires that a company completes a full checklist of questions for assessment.