Cyber Essentials is a UK government scheme that outlines steps organisations can take to secure their systems.
It contains five controls that cover the basics of effective information and cyber security.
Anyone familiar with the scheme can implement the controls, regardless of their information security knowledge.
And although the controls are only basic – not to mention economical – they’re hugely beneficial to anyone who certifies. If implemented correctly, these five technical controls can prevent about 80% of cyber attacks.
This blog explains the five Cyber Essentials controls and how they keep organisations safe.
In this blog
- How does Cyber Essentials work?
- What are the 5 Cyber Essentials controls?
- Security update management
- Cyber Essentials – A guide to the scheme
How does Cyber Essentials work?
Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets. Nor do they spend countless hours staking out and researching their targets.
Instead, they tend to be opportunistic, looking for easy targets. And virtually every organisation holds valuable data worth stealing.
Just as burglars identify marks by scouting neighbourhoods and looking for poorly protected homes, cyber criminals look for easily exploitable weaknesses.
Cyber Essentials addresses this.
Its five controls help you avoid weaknesses and address vulnerabilities before criminal hackers can exploit them. Cyber Essentials certification also brings various other benefits.
You can certify to Cyber Essentials by completing an SAQ (self-assessment questionnaire) that covers the five controls. An independent assessor will verify the SAQ.
If you need help meeting those requirements, IT Governance is here. We offer a range of certification solutions, tailored to the level of support you need.
Further reading: In this interview, I go over the scheme and different implementation solutions.
What are the five controls?
1. Firewalls
Firewalls stop unauthorised access to and from private networks, protecting you from external threats.
Boundary firewalls and Internet gateways allow you to control who can access your system and where your users can go.
But for firewalls to be effective, you must correctly set up your firewall rules.
2. Secure configuration
Web server and application server configurations play a crucial role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.
Configure computers and network devices to reduce vulnerabilities and only provide necessary services.
This’ll help:
- Prevent unauthorised actions; and
- Ensure each device discloses only the minimum information about itself to the Internet.
A scan can reveal opportunities for exploitation through insecure configuration.
Finding this blog useful? Subscribe to our free weekly
newsletter – the Security Spotlight – to get future
insights like this straight to your inbox.
3. Security update management
All devices and software are prone to technical vulnerabilities. And once these vulnerabilities are discovered and publicly shared, threat actors can rapidly exploit them.
It’s important you regularly patch or update your software and applications. These will fix known vulnerabilities.
Also ensure all your software is both supported and licensed, and if it isn’t, upgrade or remove it.
4. User access control
Access control restricts access to your data and systems.
By keeping access minimal, you minimise the risk of information misuse, whether accidental or deliberate. It also ensures an attacker, if they gain access to a legitimate user’s account, can access as few resources as possible.
So, grant access on a ‘need-to-know’ basis. Assign admin accounts and privileges to only those who need them.
Further reading: This blog explains the Cyber Essentials requirements for access control in more detail.
5. Malware protection
Malware (malicious software) can cause chaos by stealing sensitive data, corrupting files, and blocking access until you pay a fee (ransomware).
Protecting against a broad range of malware can save your organisation a huge amount of money and protect your reputation.
To defend against malware, to meet the Cyber Essentials requirements, you can use:
- Anti-malware or antivirus software; or
- Whitelisting.
Other defences can include sandboxing and staff awareness training.
Further reading: To understand how cyber attackers deliver most malware, read this interview with head of GRC (governance, risk and compliance) Damian Garcia about the insider threat.
Cyber Essentials – A guide to the scheme
To find out more about Cyber Essentials, download our free guide.
Cyber Essentials – A guide to the scheme explains:
- What Cyber Essentials is;
- The benefits of certification;
- What to do to meet the requirements;
- Cyber Essentials vs Cyber Essentials Plus; and
- How certification works for both tiers of the scheme.
We first published a version of this blog in August 2018.