Cyber Essentials (CE) Accreditation is a government-operated cyber security scheme that offers businesses a framework to help significantly reduce their risk against common internet-based attacks; but is it worth it?
Developed by the National Cyber Security Centre (NCSC), Cyber Essentials incorporates five fundamental technical controls that, if implemented, can reduce risk by up to 80%.
Delivering the scheme is The Information Assurance for Small and Medium Enterprises Consortium (IASME), who work through certification bodies across the UK to handle the process.
Cyber Essentials starts by achieving the basic certification and is fully complete when you gain the Plus Certificate.
The process at the basic level, requires the filling out of a questionnaire relating to the security processes, policies and controls used within the business, but is not verified by the assessor.
The Plus assessment requires an official auditor to scan the infrastructure in order to determine whether or not the business is complying with the standard.
Recent changes came into force which have enhanced the certification standard and have been catching some organisations out, who had previously gained certification on the old standard.
What changed?
Home working is still very much a part of our lives and as such, has become an important aspect of the CE requirements.
The updated standard includes all home devices used to access company information along with any BYOD (Bring Your Own Device) machines a user wants to use holding company data..
Firmware is now included, whereas previously it was only software. This means all devices including Firewalls and switches must be updated when new firmware is released.
The other main change is there is now an emphasis on asset management as any major security incidents are caused by organisations having assets which are still connected to the network when that organisation is not aware the asset is still active. Effective asset management will help track and control devices as they’re introduced into the business.”
What else is in scope?
Other elements include: Thin clients/remote desktop (where a central server is used to process users computing requests); all servers, even if on a sub-net (separate network to the rest of the organisation,); Smart phones and tablets.
Cloud services fully incorporated
All cloud services utilised by a company will now have CE controls implemented. This is to encourage users to take full responsibility for security and not rely on their cloud service provider. Although some controls may be the cloud service providers duty to implement, companies should ensure they seek evidence that this has been done.
Access to cloud services must be protected by multi-factor authentication
The standard is making stronger passwords and multi-factor authentication (MFA) a requirement.
Passwords will have to be at least eight characters, with a second authentication method activated for additional protection. This will now be tested as part of the CE Plus audit.
Other password requirements include: that password-protected areas should either have MFA, login throttling, or account locking after (up to) ten unsuccessful attempts, and that all passwords follow one of these policies: MFA and a password of at least eight characters; a password of at least twelve characters; a password of at least eight characters and automatic blocking of common passwords. Biometrics, or a password/pin of at least six characters, should be used to lock a device.
Patching
Any updates labelled by the vendor as ‘high’ or ‘critical’, should be applied within 14 days.
All software should be properly licensed and supported by the vendor and any end-of-life software removed.
Account separation
There must be a separation between user and administrative accounts, with standard activities, like emailing and web browsing, removed on administration accounts.
New tiered pricing structure
The cost of Cyber Essentials will be another major change to the scheme. IASME has introduced tiered pricing, whereby the costs of certification will depend upon organisational size. This is due to assessments becoming increasingly complex and requiring greater technical input from assessors.
Is Cyber Essentials still worth having?
If you are looking to sell into some market sectors, for example; government contracts; it is mandated that CE certification is required, an obvious reason to have it, if you are in that area. However, many organisations are considering their supply chain and the data security they have. The CE certification is a recognised standard that proves the organisation takes data protection seriously and could help you to win business. Furthermore, having the certification can reduce cyber insurance costs and help stop the risk from cyber-attacks, which could cost considerable money to resolve as well as preventing trading.
In my opinion, obtaining the Cyber Essentials certification is absolutely worth the time and effort needed and should be a standard cyber security requirement for all businesses, no matter what their size.
Colin Tankard is managing director of Digital Pathways