Exploring Cyber Essentials Challenges in 2023

While Cyber Essentials might not be a good fit for all organisations, you cannot argue with the numbers: an insurance company recently confirmed that, of its customers, those compliant with Cyber Essentials were 60% less likely to suffer a breach.

A common criticism of the scheme is that it’s a “box ticking” exercise, which is only true if:

  1. Your operational security is so good that it’s trivial to complete, in which case, why not do it? It comes with free insurance, the cost is negligible and it provides a clear commitment to security.
  2. You do not actually meet the requirements but just say you do (you just tick the boxes to get the certificate).

Whichever side of the fence you sit on, if you do choose to implement the standard, there are a few specific items where businesses invariably come unstuck.

Understanding Cyber Essentials Challenges

What is Cyber Essentials?

The Cyber Essentials Scheme is a UK government-supported initiative that outlines cyber security controls across five themes to help organisations safeguard themselves against cyber attacks.

The objective of this certification, which includes a cyber essentials assessment, is to protect organisations from the most common cyber threats.

Where possible, the scope of a Cyber Essentials certification should encompass the entirety of IT infrastructure, including:

  • User-owned devices that can access organisational data or services.
  • Commercial web applications accessible from the internet.
  • Cloud services if the data or services are hosted on them.

For organisations that have legacy equipment, this can be excluded from the scope provided it is segregated from the in-scope network.

Meeting Cyber Essentials Requirements

To comply with Cyber Essentials requirements, organisations must ensure the safety of their IT infrastructure, user-owned devices, and commercial web applications. This involves implementing protective measures, including:

  • Secure configurations.
  • Effective user access control.
  • Up-to-date malware protection measures, such as anti-malware software, whitelisting, and sandboxing.

Overcoming Cyber Essentials Certification Hurdles

Software patching

One of the most challenging aspects of Cyber Essentials compliance for organisations is the strict requirement to apply updates that fix high severity (or above) software vulnerabilities within 14 days of release.

While two weeks may sound reasonable, this requirement applies to all systems and software, so for most organisations the number of things to patch ends up in the high double digits.

Organisations are often able to deploy security updates to their laptop and PC operating systems quickly enough. The challenge comes from more critical infrastructure, such as servers, where downtime is problematic, and from third-party applications, which are varied and have no common update system.

Consider that the average laptop will have word processors, image editors, music applications, PDF viewers, zip/archive programs, Internet browsers and much more. Then also consider that most users have their own preferences for many of these. This soon becomes a large and unruly list of applications to manage and update.

To more easily maintain Cyber Essentials compliance, take a clear approach to limiting the number of applications allowed on systems, and deploy a patch management solution to automate and report on the update process.
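To make the 14-day rule concrete, here is an added example (not from the original post) of the check a patch management report needs to perform: given an inventory of published fixes and when each was applied, it flags the high or critical fixes that were applied, or are still missing, beyond 14 days of release. The inventory, product names and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Cyber Essentials: fixes for high-severity (or above) vulnerabilities
# must be applied within 14 days of the vendor releasing them.
PATCH_WINDOW = timedelta(days=14)
HIGH_OR_ABOVE = {"high", "critical"}


@dataclass
class Update:
    product: str             # system or application the fix belongs to
    severity: str            # vendor/CVSS rating of the vulnerability fixed
    released: date           # date the vendor published the fix
    applied: Optional[date]  # date the fix was installed, None if still missing


def deadline(update: Update) -> date:
    """Last day on which applying this fix still meets the 14-day rule."""
    return update.released + PATCH_WINDOW


def is_compliant(update: Update, today: date) -> bool:
    """True if this update does not breach the rule as of 'today'."""
    if update.severity.lower() not in HIGH_OR_ABOVE:
        return True  # the 14-day rule only covers high severity or above
    if update.applied is None:
        return today <= deadline(update)  # missing, but still inside the window
    return update.applied <= deadline(update)


def breaches(updates: List[Update], today: date) -> List[str]:
    """Products whose high/critical fix was (or is) late, in inventory order."""
    return [u.product for u in updates if not is_compliant(u, today)]


# Constructed inventory as it might come from a patch management tool.
TODAY = date(2023, 6, 30)
INVENTORY = [
    Update("Windows 10", "critical", date(2023, 6, 13), date(2023, 6, 15)),  # applied in 2 days
    Update("PDF viewer", "high", date(2023, 6, 1), date(2023, 6, 20)),       # applied after 19 days
    Update("Archive tool", "high", date(2023, 6, 20), None),                 # missing, window still open
    Update("Music app", "medium", date(2023, 5, 1), None),                   # medium: rule does not apply
    Update("Image editor", "critical", date(2023, 6, 10), None),             # missing, window closed
]

if __name__ == "__main__":
    for product in breaches(INVENTORY, TODAY):
        print(f"OUT OF COMPLIANCE: {product}")
```

The same function run daily against a live inventory gives the evidence an assessor asks for, and the "missing but inside the window" case shows why the report must be re-run rather than taken once.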

Least privilege / admin accounts

Many organisations provide their users with special privileges on their user accounts, allowing them to install software and change sensitive settings on their devices. Cyber Essentials stipulates that while users may have a legitimate need, such levels of access shouldn’t be available on their “day-to-day” user account. If a user’s role requires them to have administrative or elevated levels of access to systems, this must be provided by a second user account (for example john.doe.admin) that isn’t used for day-to-day activities.


MFA (multi-factor authentication)

Using MFA (multi-factor authentication) provides a significant boost to the safeguarding of user accounts, but only if it is turned on! The Cyber Essentials standard requires that every user account for which MFA is available has it enabled.

Mobile devices

Many users access company data on their mobile devices, whether this be financial information, contacts, files or even just email. If any devices are used to access company data, they are in scope of Cyber Essentials and so must be up to date and supported by the manufacturer. This can prove difficult for organisations of all sizes: they rarely have a mobile device management solution (MDM), mobile devices are an emotive subject for employees, and placing restrictions on them often causes friction.

Bring Your Own Device (BYOD)

Organisations often allow employees to access company data on their personal devices. Just like company-owned devices, if a device is used to access company data it is in scope and all of the elements of the Cyber Essentials standard apply. This means only installing applications from a controlled source, no rooting/jailbreaking of devices and, more critically, the devices must be up to date and supported.

As these are not company devices, it is challenging politically to take away access or force users to allow the company to control and limit the devices.

An important point however is that if an employee is only using their mobile device for MFA, it is out of scope of the Cyber Essentials standard.

Summary

In conclusion, the Cyber Essentials standard is a good way to improve an organisation’s security (and to demonstrate it to third parties), but it is often more challenging than companies realise.

By understanding the challenges we’ve outlined above, companies can plan and strategise how to overcome them and pass the Cyber Essentials certification first time!

Written by:

Bob McKay