Cyber-attacks are becoming a more common occurrence for small-medium sized enterprises. It has become very lucrative for malicious actors to target smaller organizations due to their lack of security. It has been reported by eSentire1 that cyber-attacks in the UK have grown by 140% in 2018. Although the headlines are usually dominated by large corporation breaches, according to Verizon2; 58% of all cyber-attack victims were small and medium-size enterprises. It has become vitally important that organizations of all sizes and in all sectors take steps to defend themselves against cyber-attacks as criminals perceive SMEs as low-risk targets by conforming to cyber security standards such as ISO 27001, NIST and Cyber Essentials.
Fireeye identified that only 10% of cyber crimes reported to police by SMEs result in conviction, which suggests that a staggering 90% of cases that are detected and reported are never resolved3. Which means it is very important that organizations protect themselves and prevent being breached in the first place as the nature of the crime itself, it is very difficult to catch the responsible and recover the damages.
What is Cyber Essentials?
Cyber Essentials is a cyber security standard developed by the National Cyber Security Centre (NCSC). The standard is to help organizations guard against the most common cyber threats. Organizations can be certified against the standard which can help demonstrate the commitment they have to cyber security3. The standard celebrated its 5th birthday in June of 2019, with the NSCS also recently announcing their intention to improve the scheme in order to ensure its continued relevance.
The standard was developed with two main objectives in mind:
- To make the UK a safer place to conduct business online.
- To provide an affordable certification for organizations to demonstrate that they have implemented basic cyber security controls that can protect organizations from “around 80% of common internet cyber-attacks” or 5 main areas of cyber security5;
A firewall is a security control designed to prevent unauthorized access from the external sources. The standard mandates that firewalls are turned on and are configured correctly.
Secure configuration refers to how your organization’s devices can be configured to be secure, controls such as changing all default passwords and having a strong password are required.
Access control governs and regulates who can view/access or use resources on the organizations computer network. Secure access controls can reduce risks from unauthorized access.
Anti-Malware is a vital control to help protect yourself from malicious programs that will damage or compromise your systems and data.
Patching is a security control that repairs system vulnerabilities which are discovered by vendors or the community. Proper patch management ensures that vulnerabilities cannot be exploited by a third party.
Difference Between Cyber Essentials and Cyber Essentials Plus
For the certificate, you may complete the Self-Assessment Questionnaire issued by an accreditation body. The accreditation body then performs an external vulnerability scan to check your external facing infrastructure. If the Self-Assessment Questionnaire appears to meet the requirements, the organization will be awarded the certificate.
Cyber Essentials Plus
The controls are and the requirements are exactly the same, however the accreditation process is different.
To obtain Cyber Essentials Plus, you must already have the certificate for the normal route. The difference in the accreditation, is that, with Plus, the accrediting body will send assessors to carry out the assessment on-premises. Manual testing of Anti-Malware, monitoring Access Control and carrying out a vulnerability scan will be conducted. If no High or Critical vulnerabilities are identified and the anti-malware passes the tests, the organization will be awarded the Plus certificate6.
In order to get certified, you must contact an Accreditation Body. There are currently five Accreditation Bodies that have been selected by the NCSC to govern Cyber Essentials. The Accreditation Bodies recruit Certification Bodies to assess and ensure that a high standard has been met. The current Accreditation Bodies are:
APMG International : https://ces.apmg-certified.com/
IASME Consortium: https://www.iasme.co.uk/cyberessentials/
QG Management Standards: http://www.qgstandards.co.uk/qg-accredited-certification-bodies/
Each Accreditation Body has organizations that are Certification Bodies that will carry out assessments and oversee organizations certification process.
Each Accreditation Body will also have their own questionnaire for their certification bodies to use when certifying and therefore have (slightly) different accreditation process.
Future of Cyber Essentials
It was announced last June that the NCSC plan to update Cyber Essentials and help streamline the process of becoming certified. As of right now the NCSC works with the 5 organization (Accreditation Bodies) listed above, in the future the NCSC plans to cut this down to just one partner. This will keep the end to end user experience consistent and also speed up the development of the standard itself.
The NCSC also plans to introduce a minimum criterion for Certification Bodies and assessors to ensure that those involved are working at the same standard with a given level of cyber security competency.
Certificates also currently do not have an expiration date, in the future, organizations will have to re-certify with an accrediting body once every 12 months in order to remain certified.
Although there is no set date on the transition to the purposed system, the existing contract ends at the end of March 2020, we can expect changes to start rolling out after this date.
Why is Cyber Essentials relevant to SMEs?
The Cyber Essentials standard was designed to be suitable for organizations of all sizes and across all sectors, it is most suitable for SME’s because of the constraints that SME’s experience, whether it be budget, time or expertise, the controls and advice given in the standard are relatively easy to implement without too much effort. The certification is great to work towards if you have little to no Cyber Security already and limited resources.
The UK Government require that all suppliers bidding for contracts involving handling of personal information and other sensitive data be certified. Almost 30,000 Businesses have been awarded the certificate since June 20147.
Organizations seeking guidance in cyber security should consider adopting the standard, whether you are looking to become certified or just to further protect your organization from the most common cyber-attacks (as the vast majority of cyber attacks use simple methods to exploit vulnerabilities in software). The standard seek to provide guidance on what is deemed “essential”.
For more information about NCSC read our blog ‘Introduction to the National Cyber Security Centre’ by Matt Quinn.