Understanding Cyber Essentials

Cyber Essentials is a government-backed cybersecurity certification scheme that sets out a good baseline of cyber security suitable for all organisations. It helps organisations to protect the data they hold and demonstrates to their customers that they take cybersecurity seriously.

Cyber Essentials is designed to help organisations implement basic levels of protection against cyber attacks. It focuses on five key areas:

Firewalls and Routers: Ensuring that internet-connected devices are protected by a firewall to prevent unauthorised access.
Secure Configuration: Ensuring that systems are configured in the most secure way for the needs of the organisation.
User Access Control: Ensuring that only those who need access to systems have it and that they are only able to access what they need.
Malware Protection: Ensuring that virus and malware protection is installed and is up to date.
Security Updates / Patch Management: Ensuring that devices and software are kept up to date and secure.

Firewalls and Routers: Networks must be protected by either a physical or virtual firewall.

In the cyber world, the commodity here is your data, and there are numerous people trying to get hold of that. On computers, there are some key layers of defence you can activate to keep your information safe.

The main methods are:

Using strong passwords
Enabling the firewall
Securing the router

* If employees work from home, their home router is not in scope for CE unless the organisation has supplied it.

* Use of a split tunnel VPN is not an expectable option - CE requires use of a single tunnel VPN

Secure Configuration: Set up your computer securely to minimise the ways a cyber criminal can find a way in.

Computers and cloud services are often not secure upon default installation or setup. An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges ) and pre-installed but unnecessary applications or services. All of these present security risks.

The main methods are:

Remove or disable unused software.
Remove or disable unrequired accounts
Enable Device Locking
Disable autoplay and autorun
Correctly configure any open ports
- Remote Desktop Protocol - port 3389

User Access Control - Give users access to resources and data necessary for their role.

Unique accounts for each user (No shared accounts)
Separate user and admin accounts for different tasks
Account separation
Delete unused accounts
Account creation and tracking process
Strong unique passwords
One password for one account
No sharing of passwords and usernames
Password policy
MFA

Malware Protection: - Identify and stop viruses or other malicious software before it can cause harm

Protect your laptops, servers and desk top computers with malware protection software

Protect mobile devices

Malware protection strategy focuses almost entirely on controls or polices that dictate which applications or apps you allow to be installed on devices that access organisational data and services.

Only apps which have been application signed and approved by the official app store can be installed.
Only apps from an approved software list can be installed. eg: Apple App Store or Google Play Store.

Patch Management

Benefits of Cyber Essentials

Obtaining Cyber Essentials certification offers several benefits, including:

Protection: It helps protect your organization against common cyber threats.
Reassurance: It provides reassurance to customers and stakeholders that you take cybersecurity seriously.
Business Opportunities: It opens up new business opportunities, as some contracts require Cyber Essentials certification.
Competitive Advantage: It gives your organization a competitive advantage by demonstrating your commitment to cybersecurity.

Conclusion

Cyber Essentials is an essential step for organizations looking to improve their cybersecurity posture and protect themselves against common cyber threats. By implementing the necessary controls and obtaining certification, organizations can demonstrate their commitment to cybersecurity and gain a competitive edge in today's digital landscape.