While Cyber Essentials might not be a good fit for every organisation, the numbers are hard to argue with: one insurer recently reported that, among its customers, those certified to Cyber Essentials were 60% less likely to suffer a breach.
A common criticism of the scheme is that it is a “box ticking” exercise. That is only true in one of two cases:
- Your operational security is already so good that the assessment is trivial to complete, in which case, why not do it? It comes with free cyber insurance, the cost is negligible, and it demonstrates a clear commitment to security.
- You do not actually meet the requirements but say that you do (you tick the boxes to get the certificate).
Whichever side of the fence you sit on, if you do choose to implement the standard there are a few specific items where businesses invariably come unstuck.
Understanding Cyber Essentials Challenges
What is Cyber Essentials?
The Cyber Essentials Scheme is a UK government-backed initiative that sets out cyber security controls across five themes (firewalls, secure configuration, user access control, malware protection and security update management) to help organisations protect themselves against cyber attacks.
The objective of the certification, and of the assessment that underpins it, is to protect organisations from the most common cyber threats.
Where possible, the scope of a Cyber Essentials certification should encompass the entirety of IT infrastructure, including:
- User-owned devices that can access organisational data or services.
- Commercial web applications accessible from the internet.
- Cloud services, where organisational data or services are hosted on them.
Legacy equipment can be excluded from the scope, provided it is segregated from the in-scope network (by a firewall or VLAN, for example).
Meeting Cyber Essentials Requirements
To comply with Cyber Essentials, organisations must protect their IT infrastructure, user-owned devices and internet-facing commercial web applications. This involves implementing protective measures, including:
- Boundary firewalls and internet gateways.
- Secure configurations.
- Effective user access control.
- Up-to-date malware protection, such as anti-malware software, application allow listing (whitelisting) and sandboxing.
- Security update management (patching).
Overcoming Cyber Essentials Certification Hurdles
Software patching
One of the most challenging aspects of Cyber Essentials compliance is the strict requirement to apply updates that fix high severity (or above) vulnerabilities within 14 days of their release. In practice, “high or above” means a CVSS v3 base score of 7.0 or more, or a vendor rating of high or critical where no score is published.
While two weeks may sound reasonable, the requirement applies to every in-scope system and every piece of software on it, so for most organisations the number of products that must be tracked quickly runs into a high double-digit figure.
Organisations are usually well placed to deploy security updates to their laptop and PC operating systems quickly enough. The challenge comes from more critical infrastructure, such as servers where downtime is problematic, and from third-party applications, which are varied and have no common update mechanism.
Consider that the average laptop will have a word processor, image editor, music application, PDF viewer, zip/archive program, one or more internet browsers and much more, and that most users have their own preferences for many of these. This soon becomes a large and unruly list of applications to manage and update.
To maintain Cyber Essentials compliance more easily, take a clear approach to limiting the number of applications allowed on systems, and deploy a patch management solution that automates the update process and reports on it.
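One way to check the 14-day rule against an inventory export, as an added example that is not part of the original article or of any Cyber Essentials tooling. It assumes the inventory has already been pulled from a patch-management or asset tool into rows with the fields shown (host, product, installed and fixing versions, CVSS score, vendor rating, fix release date; the field names are this example's own), and it treats CVSS v3 7.0 or above, or a vendor rating of high or critical, as in scope. The sample rows, hosts, products and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW_DAYS = 14      # Cyber Essentials: apply fixes for high/critical issues within 14 days of release
CVSS_HIGH_THRESHOLD = 7.0   # CVSS v3 base score at or above this counts as "high" (assumed reading of the standard)


@dataclass(frozen=True)
class InventoryRow:
    """One (host, product, known vulnerability) line from a constructed inventory export."""
    host: str
    product: str
    installed: str                  # version currently installed, dotted numeric
    fixed_in: Optional[str]         # first version that fixes the issue; None if the vendor has not shipped one
    cvss: Optional[float]           # CVSS v3 base score; None if the vendor publishes only a word rating
    vendor_rating: str              # vendor's own rating: "critical", "high", "medium", ...
    released: Optional[date]        # date the fix was released; None if no fix yet


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.1.4' -> (10, 1, 4), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def in_scope(row: InventoryRow) -> bool:
    """High-or-above: CVSS >= 7.0, or a vendor 'high'/'critical' rating when no score is published."""
    if row.cvss is not None:
        return row.cvss >= CVSS_HIGH_THRESHOLD
    return row.vendor_rating.lower() in {"high", "critical"}


def assess(row: InventoryRow, as_of: date) -> Tuple[str, Optional[date]]:
    """Classify one row and return (status, deadline).

    Statuses: not_in_scope, patched, no_fix, within_window, overdue.
    """
    if not in_scope(row):
        return "not_in_scope", None
    if row.fixed_in is None or row.released is None:
        return "no_fix", None            # nothing to deploy yet; needs a risk decision, not a patch job
    if parse_version(row.installed) >= parse_version(row.fixed_in):
        return "patched", None
    deadline = row.released + timedelta(days=PATCH_WINDOW_DAYS)
    status = "overdue" if as_of > deadline else "within_window"   # the 14th day itself is still inside the window
    return status, deadline


def audit(rows: List[InventoryRow], as_of: date) -> List[Dict[str, Optional[str]]]:
    """Return the rows that need action, earliest deadline first; rows with no fix go last."""
    findings = []
    for row in rows:
        status, deadline = assess(row, as_of)
        if status in {"overdue", "within_window", "no_fix"}:
            findings.append({
                "host": row.host,
                "product": row.product,
                "status": status,
                "deadline": deadline.isoformat() if deadline else None,
            })
    findings.sort(key=lambda f: (f["deadline"] is None, f["deadline"] or ""))
    return findings


def summarise(rows: List[InventoryRow], as_of: date) -> Dict[str, int]:
    """Count rows per status; a compliant estate has no 'overdue' entries."""
    counts: Dict[str, int] = {}
    for row in rows:
        status, _ = assess(row, as_of)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample data: hosts, products, scores and dates are invented for this example.
AS_OF = date(2024, 3, 20)
SAMPLE_INVENTORY = [
    InventoryRow("laptop-01", "ExamplePDF", "10.1.3", "10.1.4", 8.1, "high", date(2024, 3, 1)),
    InventoryRow("laptop-01", "ExampleBrowser", "122.0.1", "122.0.2", 9.8, "critical", date(2024, 3, 18)),
    InventoryRow("laptop-02", "ExamplePDF", "10.1.4", "10.1.4", 8.1, "high", date(2024, 3, 1)),
    InventoryRow("laptop-02", "ZipTool", "6.2", "6.3", 5.3, "medium", date(2024, 2, 1)),
    InventoryRow("srv-01", "LegacyERP", "4.0", None, None, "high", None),
    InventoryRow("srv-01", "ExampleDB", "14.2", "14.3", None, "critical", date(2024, 3, 6)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, AS_OF):
        print(finding)
    print(summarise(SAMPLE_INVENTORY, AS_OF))
```

The two cases that catch people out are covered: a fix released exactly 14 days ago is still inside the window, and a vulnerability with no fix available is reported separately, because it needs a risk decision (isolate, mitigate or remove) rather than a patch deployment.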
Least privilege / admin accounts
Many organisations grant their users administrative privileges on their everyday user accounts, allowing them to install software and change sensitive settings on their devices. Cyber Essentials stipulates that, while a user may have a legitimate need for such access, it must not be available on their day-to-day account. If a user’s role requires administrative or elevated access to systems, this must be provided through a second account (for example john.doe.admin) that is not used for day-to-day activities such as email and web browsing.
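To show how the separate-account model can be checked rather than just stated, here is an added example that is not part of the original article. It assumes three exports: the membership of privileged groups, the list of all directory accounts, and the accounts that show everyday use (a mailbox or recent web sign-ins). The `.admin` suffix convention is taken from the article's john.doe.admin example; the set of groups treated as privileged, the function names and the sample accounts are all assumptions constructed for this example.

```python
from typing import Dict, List, Set

# Assumptions for this example: the naming convention follows the article's
# john.doe.admin pattern, and these are the groups treated as privileged.
ADMIN_SUFFIX = ".admin"
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}


def privileged_members(memberships: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each account that sits in a privileged group to the sorted list of those groups."""
    result: Dict[str, List[str]] = {}
    for group, members in memberships.items():
        if group in PRIVILEGED_GROUPS:
            for member in members:
                result.setdefault(member, []).append(group)
    return {account: sorted(groups) for account, groups in result.items()}


def audit_privileged_accounts(memberships: Dict[str, List[str]],
                              all_accounts: Set[str],
                              everyday_accounts: Set[str]) -> List[Dict[str, object]]:
    """Return one finding per privileged account that breaks the separate-admin-account model.

    Issues raised:
      used_day_to_day     - the privileged account has a mailbox or everyday sign-ins
      not_admin_named     - the privileged account does not carry the .admin suffix
      no_paired_account   - a .admin account has no matching day-to-day account
      pair_is_privileged  - the matching day-to-day account is itself privileged
    """
    privileged = privileged_members(memberships)
    findings: List[Dict[str, object]] = []
    for account, groups in sorted(privileged.items()):
        issues: List[str] = []
        if account in everyday_accounts:
            issues.append("used_day_to_day")
        if not account.endswith(ADMIN_SUFFIX):
            issues.append("not_admin_named")
        else:
            paired = account[: -len(ADMIN_SUFFIX)]      # john.doe.admin -> john.doe
            if paired not in all_accounts:
                issues.append("no_paired_account")
            elif paired in privileged:
                issues.append("pair_is_privileged")
        if issues:
            findings.append({"account": account, "groups": groups, "issues": issues})
    return findings


# Constructed sample exports; every account and group below is invented for this example.
SAMPLE_MEMBERSHIPS = {
    "Domain Admins": ["john.doe", "jane.roe.admin"],
    "Administrators": ["jane.roe.admin", "alice.smith.admin", "svc-backup",
                       "dave.kim", "dave.kim.admin", "carol.ng.admin"],
    "Helpdesk": ["bob.lee"],                      # not a privileged group, so never reported
}
SAMPLE_ACCOUNTS = {"john.doe", "jane.roe", "jane.roe.admin", "alice.smith", "alice.smith.admin",
                   "svc-backup", "dave.kim", "dave.kim.admin", "carol.ng.admin", "bob.lee"}
# Accounts with a mailbox or recent web sign-ins, i.e. evidence of day-to-day use.
SAMPLE_EVERYDAY = {"john.doe", "jane.roe", "alice.smith", "alice.smith.admin", "dave.kim", "bob.lee"}

if __name__ == "__main__":
    for finding in audit_privileged_accounts(SAMPLE_MEMBERSHIPS, SAMPLE_ACCOUNTS, SAMPLE_EVERYDAY):
        print(finding)
```

Only jane.roe.admin passes: it carries the suffix, shows no everyday use, and its paired account jane.roe exists without privileges. The other cases show the usual failure modes, including an admin account that has quietly acquired a mailbox and a user whose standard and admin accounts are both in the local Administrators group, which defeats the point of having two.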