Prepping for Cyber Essentials on a budget
Cyber Essentials is a UK Government backed scheme that is specifically designed for protecting organisations against common cyber-attacks.
Upon passing the scheme, your organisation receives a Cyber Essentials certification, a listing on the Cyber Essentials database, and you may also be entitled to Cyber Insurance. Cyber Essentials can be used either to certify your entire organisation, or it can be focused on a specific business unit if there is suitable network segregation.
The government acted in 2014 to reduce the security risk within their supply chain by introducing a mandate for any organisation embarking on a government contract to be certified against the Cyber Essentials scheme. Cyber Essentials was introduced to help organisations mitigate 80% of cyber threats.
With Lexcel 6.1, the Law Society has incorporated this scheme too and recommends that law firms should be accredited against Cyber Essentials, along with having an information management and security policy.
The National Cyber Security Centre (NCSC) encourages all organisations that are based in or trading with the UK to implement either the Cyber Essentials Basic or Cyber Essentials Plus scheme.
The areas of vulnerability that Cyber Essentials aims to assess include:
- Secure Configuration
- Security Update Management
- User Access Controls
- Password Based Authentication
- Malware Protection
By implementing these technical controls, your organisation can defend itself against the most common cyber threats whilst being part of the endeavour to make the UK one of the safest places to do business.
Now that we’ve covered why Cyber Essentials is so important, let’s talk about how to prepare for it on a budget.
Cyber Essentials Basic requires you to answer a series of questions covering key aspects of your information security; this helps you to understand your organisation's strengths and identify its weaknesses. The assessment comprises a Self-Assessment Questionnaire (SAQ) and allows two attempts before a failure is awarded; if you do receive a failure, you will be required to pay again before you can attempt the assessment another time.
Preparation is key to increasing the likelihood that you will pass on the first attempt, which keeps the cost down, and there are several measures you can take to prepare for your assessment.
Firstly, IASME provides a Cyber Essentials readiness tool on their website; your responses to it inform a personal action plan that helps you move towards meeting the Cyber Essentials requirements. This is a great resource for organisations that are confident yet would like some reassurance, or for organisations that are completing a renewal.
If you require more in-depth support, then look no further. At Secarma, we offer Gap Analysis which allows us to support you in answering the SAQ, ensuring you understand what the questions are asking for, and how to ensure compliant answers. This is a great resource for organisations that are under time pressures and want to ensure a pass on the first attempt, are completing the Cyber Essentials SAQ for the first time, or for small organisations that may not have an IT department or sophisticated IT support.
Once your organisation has Cyber Essentials Basic, you can apply for Cyber Essentials Plus. This involves a manual assessment of the technical controls and protections put in place within your organisation to secure it against common threats. Coupled with Cyber Essentials Basic, this provides a deeper assurance that your corporate data and vital systems are protected.
To prepare for the Cyber Essentials Plus assessment on a budget, we recommend following the below steps to increase your chances of achieving certification and ensuring protection.
Firstly, ensure all devices and systems are always updated to the latest releases; this ensures that any high or critical security updates are installed and that known vulnerabilities have been patched.
Secondly, we recommend that you implement account segregation. By guaranteeing that users do not operate with administrator accounts for daily tasks such as email and web browsing, you reduce the opportunity for cybercriminals to cause significant damage to your organisation, because compromising a daily-use account no longer gives them access to your administrator accounts.
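As an added illustration of the two steps above (this is not code from the original post or from Secarma), the following read-only PowerShell script checks a Windows endpoint for both conditions: that the named daily-use accounts are not members of the local Administrators group, and that Windows Update reports no missing updates. It assumes an elevated PowerShell session on the endpoint, that the daily-use account names in $DailyUseUsers (constructed placeholders) are replaced with your own, and that the Windows Update Agent COM API is available.

```powershell
# Added example (not from the Secarma post): read-only readiness check for
# account segregation and update management on a single Windows endpoint.
# Run in an elevated PowerShell session.

$DailyUseUsers = @('alice', 'bob')   # constructed sample names; replace with your own

# 1. Account segregation: daily-use accounts must not be local Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { ($_.Name -split '\\')[-1] }   # strip COMPUTER\ or DOMAIN\ prefix
foreach ($u in $DailyUseUsers) {
    if ($admins -contains $u) {
        Write-Warning "Daily-use account '$u' is a local Administrator - give it a separate admin account instead."
    } else {
        Write-Output "OK: '$u' is not a local Administrator."
    }
}

# 2. Update management: list updates that Windows Update considers missing.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
if ($result.Updates.Count -eq 0) {
    Write-Output 'OK: no pending updates reported by Windows Update.'
} else {
    Write-Warning "$($result.Updates.Count) update(s) pending:"
    foreach ($upd in $result.Updates) {
        # MsrcSeverity is set (Critical, Important, ...) for security updates, empty otherwise
        $sev = if ($upd.MsrcSeverity) { $upd.MsrcSeverity } else { 'n/a' }
        Write-Output ("  [{0}] {1}" -f $sev, $upd.Title)
    }
}

# 3. Recently installed hotfixes, as a quick sanity check on patch cadence.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

The script changes nothing; it only reports. Running it across the in-scope devices before the assessment gives the IT team a list of accounts to split and updates to install, which are the two findings most likely to surface during the auditor's scan.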
When you embark on a Cyber Essentials Plus assessment with us, we will provide you with a configuration document which, when implemented correctly, will support a smooth-running assessment. This is provided prior to the commencement of testing and will allow you to work with your IT team to ensure that everything is in place ready for our auditor to scan. It is also beneficial to have your IT team member available for the assessment days, as this will allow quick remediation of any issues encountered once the assessment has begun.
If you would like to learn more about Cyber Essentials and the steps you can take to mitigate 80% of cyber threats, then get in touch with one of our experts today for more information.
Contact us here at Secarma on 0161 513 0960 or email us at firstname.lastname@example.org and speak to one of our Cyber Security Experts who will be happy to support your security needs.