Information is a global currency, and cyber criminals are ready and waiting to steal it. Companies need protection, and some need help to determine whether their security posture is adequate. For UK-based organizations, the NCSC Cyber Essentials program provides a foundational level of clarity and guidance on their security measures.
What Is the Cyber Essentials Program?
Many companies understand the value and importance of a robust cybersecurity posture to avoid potentially devastating assaults on their IT systems. However, some simply aren’t fully qualified to protect their networks against cyber threats themselves.
The National Cyber Security Centre (or NCSC) grew out of the need to help smaller, struggling UK businesses with cybersecurity protocols and defenses. The Centre gives UK-based companies practical guidance, responds to security incidents, and reduces risks through programs such as Cyber Essentials.
Benefits for UK-based organizations
This government-backed scheme certifies organizations’ cybersecurity, irrespective of their size or scope. The Cyber Essentials program:
- Allows organizations to understand their current cybersecurity posture
- Provides proof of protection against the most common cyberattacks that are usually very low-level and perpetrated by basic or moderately skilled threat actors
- Helps organizations attract customers who value data protection
Depending on their industries, some companies are required by law to be Cyber Essentials certified.
Cyber Essentials vs. Cyber Essentials Plus
There are two levels of Cyber Essentials certifications: Cyber Essentials and Cyber Essentials Plus. The first is achieved once a business completes a self-assessment that allows the NCSC to review it on a preliminary basis. It confirms a company has the necessary technical controls to safeguard itself from common cyber threats.
Cyber Essentials Plus gives businesses the same confidence as the Cyber Essentials certification. The additional step with Cyber Essentials plus is the NCSC carries out a more in-depth technical test. In addition, organizations applying for the Cyber Essentials Plus must pass either an on-site or remote assessment, internal vulnerability scans, and an external vulnerability scan conducted by the certification body.
5 NCSC Pillars of Basic Security
The most fundamental of IT security systems must include five security controls These determine whether an organization can receive a Cyber Essentials certificate. These components include:
This type of network security system acts as a barrier between a trusted network such as a company’s intranet and untrusted networks like the internet. Firewalls monitor and regulate traffic that flows between these networks and every endpoint on your system. They use predetermined security controls which prevent outside actors from gaining unauthorized access to the trusted network.
IT systems have broad capabilities to enable their use, usually shipped with default settings/configurations. During initial setup, lock down as many of these capabilities as possible, allowing only those needed to perform prescribed functions. Configure computers and network devices to limit their attack surface. Ensure administrative actions require administrative privileges, locking down certain access points and change standard configurations (like a standard password). Also ensure devices share limited information about internal networks to external ones as this assists attackers in the reconnaissance phase.
User access control
Ensuring only specific people can access servers, applications and networks is a critical component of IT security. Limiting administrative rights prevents threat actors from retrieving openly available information. User access must be kept to a minimum by following the principle of least privilege. The National Institute of Standards and Technology (NIST) defines least privilege as “a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.”
While firewalls protect systems from external attacks coming in from outside networks, malware protection prevents viruses and other malware from advancing the attack sequence, by elevating privileges, killing security controls, or moving laterally which can result in the infiltration of internal networks to corrupt and compromise data, files and access. Today, the majority of malware is fileless, meaning it takes advantage of existing software used for IT administration to perform malicious actions, such as PowerShell.
Good software developers try to address bugs and security holes before shipping the software. But they are not infallible, so often vulnerabilities are discovered which need to be periodically patched. It is not uncommon for vulnerabilities to go undiscovered or unpatched for years. These vulnerabilities present hackers a perfect opening to exploit systems. It’s crucial to patch them efficiently and effectively, limiting the chance for cyber disruptions by reducing your attack surface.
Cyber Essentials Certification
UK organizations that want to continue their journey to improved cybersecurity can start with the Cyber Essentials or Cyber Essentials Plus certification as they guide on baseline protections that can be built on over time. To begin the certification process, contact the IASME Consortium, a certification agency partnered with the NCSC.
The first step is to complete IASME’s self-assessment questionnaire. Then, an IASME board member or equivalent signatory verifies and signs off on the assessment. Next, a certification body independently verifies and authorizes the organization.
Businesses can also explore the Cyber Essentials readiness toolkit. The NCSC can use this information to design a personalized action plan to help companies meet the minimum Cyber Essentials certification requirements. The toolkit also includes links to guides on how to achieve basic eligibility.
An organization’s Cyber Essentials certification is valid for 12 months. As aforementioned, this certificate is a good idea for businesses new to cybersecurity who need to start with the basics. A Cyber Essentials badge also may be mandatory for organizations applying for government contracts.
How long it takes to get the certificate depends on an organization’s current security posture. Sometimes, if a company meets the relevant criteria off the bat with no need for adjustment, they can receive their certificate in as little as a day or two. It’s more common for the process to take at least a fortnight.
Excellent protection starts with knowing where an organization’s IT system’s security currently stands. For UK-based businesses, Cyber Essentials certificates can help a company prove their security posture to their affiliates and discover where they can improve. And if your organization needs an external solutions provider to improve your security posture, connect with Fortra’s Alert Logic to learn about our managed detection and response (MDR) solutions.