Cyber Essentials

When you are looking at cybersecurity, it is easy to read about all the security measures you could put in place but difficult to know which ones are appropriate for your business.

To identify the most suitable step for you, and to figure out the things you need to do in order to get to that step, it can helpful to get an objective view. Frameworks and schemes developed by governments and industry bodies can help to develop that objective view.

What is Cyber Essentials?

Cyber Essentials is a set of requirements developed by the UK’ National Cyber Security Centre.

“Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked.”

UK’s National Cyber Security Centre

It is described as a simple but effective framework that will help you to protect your organisation, whatever its size, against a range of the most common cyber attacks.

Where is it on the Ladder of CyberSecurity?

Step 2 in the Ladder of Cybersecurity

Managing cybersecurity risk is like climbing a ladder. To effectively manage the risk, you may not need to reach the top of the ladder. The most appropriate step on the ladder for you depends on the complexity and size of your business, your industry, your clients, your risk appetite, etc.

I would place Cyber Essentials on the second step of the ladder.

The first step covers the basics and is described in my guide to the basics. When these basics are in place, Cyber Essentials is a good next step.

Who is it for?

Cyber Essentials will help any business, whatever its size. It is certainly a good baseline for any business, as I will describe below.

However, if your business relies heavily on web-based services or third party outsourced partners, or if it has large, sophisticated, or regulated clients, it is unlikely to be sufficient.

Cyber Essentials: A good baseline. But it may not be sufficient.

Why is it worth a read?

Simplicity is its trademark

1. You can read it – it’s written in plain English.

The requirements document is only about ten pages long and written in a way that makes it easy for ‘normal’ people to understand.

The short document describes what you need to do to comply with the requirements of Cyber Essentials. But more importantly, it describes the reasons behind these requirements – Why they reduce the risk of a successful attack. (Although, it does mention ‘firewall’ in the first paragraph!)

2. You can take it step-by-step

Even if you don’t want to implement all of the requirements, Cyber Essentials is a very approachable reference point and baseline that you can use as a benchmark for your business.

You can take it step-by-step and select the pieces you want to focus on. The requirements are so clearly-written, you could probably copy a sub-section of the Cyber Essentials Requirements document and paste it into an internal document to guide your activity. You wouldn’t need to get everyone else up to speed on Cyber Essentials before you make progress.

If you plan to comply fully with the requirements of Cyber Essentials, you can also take it step-by-step by choosing which elements of your business will be in scope (called the ‘boundary of scope’).

As a result, you can align to Cyber Essentials at a pace that suits you.

3. It is pragmatic about passwords

Cyber Essentials defines a reasonable password standard.

  • It requires a standard minimum of 8 characters but no maximum.
  • It does not require very complex passwords or regular password changes. In fact, it recommends against these common approaches.

This reflects the reality (and the scientific evidence) that shows if you force complex and regularly-expiring password:

  • Staff will use short passwords. Short, complex passwords are easy for hacker’s computer processes to crack.
  • Staff will reuse the same password across systems. If the criminal finds out one password, they now have the key to many systems.

What are its limitations?

Cyber Essentials focuses on the technical IT infrastructure that the business uses (e.g. laptops, servers, firewalls). It is important to recognise what this focus means.

1. It does not address the staff / human aspect of cybersecurity

Don’t forget the human defences

If you look at the most common attacks, they rely on a human being fooled by an email. This is why awareness and training is so important (even if it does not sound interesting or high-tech).

Cyber Essentials does not discuss the important role that staff play in your defences.

If you only use Cyber Essentials to assess your cybersecurity defences, you are blind to a massive defensive gap.

2. It understates the value of two-factor authentication

When you understand how the most common attacks occur, you understand the value of two-factor authentication. With two-factor authentication, a criminal with a password will still be unable to gain access to one of your systems (and the valuable information stored on it).

Cyber Essentials mentions two-factor authentication. It is within the ‘User access control’ section, where the fourth of six bullet points states: “implement two-factor authentication, where available”.

Perhaps I’m being unfair but I think:

  • This should be given far more prominence in the documentation, given the serious attacks that this one simple security measure can prevent.
  • This should be stated in more certain terms. Many businesses may see two-factor authentication as inconvenient and may interpret ‘where available’ as meaning ‘where it is obviously available and impossible to avoid’.

3. It does not address the web services / SaaS solutions that every business now uses

Most small businesses now use web-based email systems (e.g. Office365, Google for Business / Gmail). Most also use other web-based services for CRM, website, invoicing and accounting, etc.

Cyber Essentials does not show you how to assess the security of such services. It is focused on the technical components that you fully control.

You don’t full control web-based services – You pay a fee for the provider to take responsibility for things like cybersecurity. You may assume the provider has cybersecurity nailed, but you should verify this. Cyber Essentials does not mention this.

4. It does not help you to prepare your response to an attack

Even the most secure businesses could still suffer a cyber-attack. If James Bond wants to get in, he will get in.

That is why it is so important to have a plan about how you will respond. This is commonly referred to as an Incident Response Plan. I’ve described how you can get started on such a plan in section 4 of my guide to the basics.

Cyber Essentials does not mention Incident Response Planning because of its focus on technical security defences.

If you only use Cyber Essentials to assess your cybersecurity defences, you are blind to this gap in your readiness.

What is involved?

As I mentioned, the requirements document is only about 10 pages long so it is an easy read. I won’t repeat the details here.

At a high level, Cyber Essentials focuses on the technical IT infrastructure that a business will use (e.g. laptops, servers, firewalls) and it provides requirements across five control ‘themes’:

  1. Firewalls
  2. Secure Configuration
  3. User access control
  4. Malware protection
  5. Patch management

Can you prove that you comply with this framework?

This is where Cyber Essentials gets interesting and valuable.

Unlike many industry benchmarks or frameworks, you can ‘certify’ that you comply with the requirements of Cyber Essentials.

Self-Certification

You can self-assess your compliance and when you believe you are complying with the requirements of Cyber Essentials, you can state that you are Cyber Essentials Certified.

There is a clear problem with this level of certification, as you are marking your own homework. Anyone who knows about cybersecurity would not assign significant value to your self-certification.

However, that does not mean it is not valuable. By stating you comply with Cyber Essentials, it does at least suggest you have read about Cyber Essentials and implemented at least some of the measures required.

Independent Certification

This is where Cyber Essentials could be very valuable, especially for a business that is under pressure from its clients to prove that it takes cybersecurity risk seriously but does not have the resources or interest to get to the top of the ladder or to seek and maintain ISO27001 certification.

Cyber Essentials Plus certification involves an external assessor verifying that your security measures comply with the requirements of Cyber Essentials. If you pass the test, you can then state that you are ‘Cyber Essentials Plus’ certified.

In theory, it is only possible for UK businesses to receive Cyber Essentials Plus certifications (as it is a UK government initiative). However, there are assessment firms outside of the UK who claim to be able to assess and certify non-UK businesses.

The cost of this certification process will depend on the size and complexity of your business and the scope of the certification required. For small businesses with a relatively straightforward IT environment, expect to pay in the region of €3k.

Where can you learn more about it?