Cyber Essentials Requirements for Your Business
There are a number of Cyber Essentials requirements that your business needs to meet in order to achieve certification, including technical controls, policies, procedures, and training.
The National Cyber Security Centre (NCSC) provides regular updates to the Requirements for IT Infrastructure document which details each of the security controls that your business needs to adhere to in order to achieve Cyber Essentials certification.
The following article covers each of the categories and requirements detailed within this requirements document and the Cyber Essentials Self Assessment Questionnaire, to provide options and solutions for how your business can meet each of these requirements.
The Cyber Essentials Scheme
Cyber Essentials is a UK Government-backed and industry-supported scheme to improve security standards and provide basic security controls to which all organizations can adhere.
Cyber Essentials defines the following five key control categories, which are intended to secure your business against a wide range of cyber threats:
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Control
- Malware Protection
Why Become Cyber Essentials Certified
The Cyber Essentials certification program provides a cost-effective opportunity for your business to:
- Demonstrate its commitment towards IT Security
- Protect your business from the most likely cyber attacks
- Bid for new business that has cyber security requirements
Cyber Essentials was developed by organisations in the cybersecurity industry working with the National Cyber Security Centre (NCSC), to provide a comprehensive set of security standards that companies of all sizes, including small businesses and medium-sized organisations, can achieve. The controls provide a range of protective measures, including:
- Protecting against the use of insecure and untrusted networks
- Preventing your users from accessing malicious websites
- Minimizing the risk of Phishing and malicious file execution
- Reducing risk through restricted user access controls and permissions
- Safeguarding against the latest known threats by maintaining regular updates
The Cyber Essentials Certification Process
The Cyber Essentials assessment consists of a certification body, and a trained and qualified assessor, reviewing a self-assessment questionnaire, which defines how your business manages its security. The questionnaire currently consists of a range of questions that outline how your business manages its cybersecurity relating to devices, processes, and policies.
For additional verification and assurance of your security standards, a technical audit is also available through an additional Cyber Essentials Plus certification, which consists of vulnerability testing, also conducted by a certification body and trained and qualified assessor, against the devices and systems that are outlined in the self-assessment questionnaire.
Cyber Essentials Requirements And Technical Controls
Each of the five Cyber Essentials key controls has its own set of requirements that need to be in place within your business to ensure you can achieve certification.
The requirements can include policies, procedures, technical requirements, or user training, but it is important to ensure you have each requirement in place and can provide supporting evidence where necessary when planning to complete the Cyber Essentials Plus certification.
Within the Cyber Essentials requirements list there are some overlapping requirements, such as using secure passwords for your firewalls, as part of the secure configuration of devices, and for the accounts you issue to your users.
Rather than list these requirements repeatedly, this article defines them once. The secure approach is to make these password requirements part of the setup process for any of your accounts, devices, and services, and to revisit any systems currently in use to ensure they adhere to the defined Cyber Essentials standards.
Firewall Key Controls
A Firewall always needs to be in place between your network devices, such as laptops, servers, routers, and the Internet. However, this doesn’t need to be a physical Firewall device.
- If you have Software Firewalls set up on your individual devices, this is suitable for Cyber Essentials, providing the software Firewall meets the other requirements for the Firewall Key Control, including approving any accessible services on your device, reviewing any software firewall changes, and restricting any accounts which can access your device and software firewall.
- If you do have a Physical Firewall in place, it is important to ensure your other devices are still protected if they leave the office and the protection of the physical Firewall. This could be done through a Virtual Private Network (VPN) which keeps your devices connected to the office and physical Firewall, or by making sure the Software Firewall is enabled on devices as they leave the office.
- For many businesses, there may be services that are made accessible remotely through your Firewall, whether this is a Physical or Software firewall. This could be a File Server set up to allow access to business documents, a VPN set up to provide remote access to your offices, or other services configured to provide your employees with remote access to business services and devices.
Where you do have services made accessible, it is required to maintain a document which:
- Details each of the services that are enabled
- Defines why each service is enabled
- Records any risks that have been considered when enabling the service
- Includes signed approval of a Director or a Board Member of the business, as services are approved.
Secure Configuration Key Controls
For each of your devices and configured accounts, it is important to maintain a consistent and secure setup process. This minimizes the risk of compromised devices through issues caused by weak credentials or brute force password guessing attacks.
- For each of your existing devices and for any new device you set up within the business, develop a Secure Build Process, which can be set up as a checklist, ensuring all your devices are configured to the same secure settings, wherever possible.
- The checklist you develop could include additional settings as recommended by the National Cyber Security Centre (NCSC) or the CIS Benchmarks, but to meet the Cyber Essentials requirements it should include the following:
- Remove any unused or unnecessary software. Many operating systems come with preinstalled software which is unnecessary for your business. This additional software introduces further patching and maintenance requirements, and can also be affected by vulnerabilities over time which impact the security of your business. An initial action for any device your business uses should be to review all the installed software applications and remove any considered unnecessary.
- Remove or disable any default or unnecessary user accounts, and change any default passwords where built-in user accounts cannot be removed. Similar to built-in software, your devices and services may also include default built-in accounts. In many cases, default accounts have default passwords, which are well known and present a security risk to your business.
- For each of the user accounts which are enabled, and where configuration options are available, ensure the authentication methods are also set up to a secure standard:
  - Develop a password policy that can be used for all employees and their accounts, and ensure everyone is trained and educated on the importance of choosing strong passwords.
  - Enable Multi-Factor Authentication for your accounts wherever available. This is of particular importance for any accounts which are internet accessible, such as Cloud services, Microsoft 365, or Google Workspace.
  - Train your users to use passwords of at least 12 characters for their accounts, and enforce this through technical controls wherever available.
  - Where your devices or services allow it, use technical controls to block the use of common and weak passwords. The NCSC has provided a file containing 100,000 common and known passwords; smaller lists can be found by searching for the Top 10 or Top 100 worst passwords.
  - Restrict the number of login attempts that can be made against your accounts. This could be done by:
    - Login throttling, which restricts the number of login attempts that can be made against an account. The restriction may be configured for a set time period, the number of attempts from the same IP address, the number of attempts against the same username, or other methods of restriction.
    - Account lockout, which similarly caps the number of login attempts against a specific username and locks the account from use after 10 unsuccessful login attempts.
- For each of your devices where you can change the configuration, such as laptops, desktops, and phones, set up automatic locking which is enabled after a short period of inactivity. This should then require a password, PIN, fingerprint, or face ID to be used to regain access to the device.
- For each of your devices where you can edit the configuration, such as laptops, desktops, and phones, there can be options to automatically run software which is downloaded from the internet or connected from a USB drive. In many cases, these settings are disabled by default, but it is always worth checking for any built-in settings on your particular operating system and ensuring they are disabled.
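As an added illustration (not code from this article or from the NCSC), the following Python sketch enforces the password and login-attempt controls listed above: the 12-character minimum, a common-password denylist, per-IP login throttling, and account lockout after 10 failed attempts. The denylist contents and the per-IP window of 20 attempts per 60 seconds are assumed values, not figures from the article.

```python
import time
from collections import defaultdict, deque

# Limits taken from the article: 12-character minimum, lock after 10 failures.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_PER_USER = 10   # account lockout threshold per username
IP_WINDOW_SECONDS = 60     # throttling window per source IP (assumed value)
IP_MAX_PER_WINDOW = 20     # attempts allowed per IP inside that window (assumed)

# Constructed stand-in for the NCSC 100,000-entry common-password file.
COMMON_PASSWORDS = {"password", "password123", "qwerty123456", "letmein12345"}


def check_password(candidate: str) -> list:
    """Return policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    return problems


class LoginGuard:
    """Tracks failed logins per username (lockout) and attempts per IP (throttling)."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock                        # injectable for testing
        self._failed_by_user = defaultdict(int)    # consecutive failures per username
        self._attempts_by_ip = defaultdict(deque)  # attempt timestamps per source IP

    def allow_attempt(self, username: str, ip: str) -> tuple:
        """Decide whether a login attempt may be evaluated at all."""
        if self._failed_by_user[username] >= MAX_FAILED_PER_USER:
            return False, "account locked"
        now = self._clock()
        window = self._attempts_by_ip[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()                       # drop attempts outside the window
        if len(window) >= IP_MAX_PER_WINDOW:
            return False, "ip throttled"
        window.append(now)
        return True, "ok"

    def record_result(self, username: str, success: bool) -> None:
        """Reset the failure counter on success, otherwise count another failure."""
        if success:
            self._failed_by_user[username] = 0
        else:
            self._failed_by_user[username] += 1


def simulate_failures(guard: LoginGuard, username: str, ip: str) -> tuple:
    """Feed wrong passwords until the guard refuses; return (attempts evaluated, reason)."""
    evaluated = 0
    while True:
        allowed, reason = guard.allow_attempt(username, ip)
        if not allowed:
            return evaluated, reason
        evaluated += 1
        guard.record_result(username, False)
```

The lockout counter is checked before the IP window, so a locked account never consumes throttling budget; in production the counters would live in shared storage rather than process memory.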
Security Update Management Key Controls
For each of the devices, software, and services that your business manages, it is necessary to ensure they maintain support from the vendor and continue to receive regular security updates.
The updates that are applied help protect your organisation against the latest cyber threats and the newest vulnerabilities identified in your systems.
As the time period between a new vulnerability being identified and a working exploit method being developed can often be measured in days or weeks, it is also important to apply any available security updates quickly.
To adhere to the Cyber Essentials requirements for updating your systems, the following should be adhered to:
- Maintain an asset list of each of your devices and their installed software, including the versions of each. This can help ensure all your assets are documented and all your updates are applied regularly.
- Only use devices, operating systems, and software that are currently supported by the vendor and still receiving security updates.
- IASME provides a list of some operating systems and their current support status, listed here.
- A more comprehensive list of operating systems and software is maintained by endoflife.date.
- To ensure your updates are applied, it is recommended to enable automatic updates wherever available. While this can be an easy method to manage your user devices, it may be more difficult to manage servers and other equipment with automatic updates. For any device or software where automatic updates are not enabled, refer to your asset list and conduct a regular review of each to ensure the latest available updates are applied.
- Whether you apply updates automatically or through manual checks, it is required to have your updates applied within 14 days from when they are released by the vendor. Typically these update requirements only apply to vulnerabilities that have a Critical or High impact on your business; however, it is best practice to ensure all available updates are applied as they become available.
- While not a specific requirement of Cyber Essentials, a vulnerability scan does become a requirement when aiming to achieve Cyber Essentials Plus. A further consideration for your business security, and to ensure updates are applied to all of your devices, is to introduce and manage your own vulnerability scanning software. While this can often be expensive, there are free vulnerability scanning tools available, particularly for smaller businesses. The Nessus Essentials vulnerability scanning tool can be used to conduct vulnerability scanning of your devices, using an authenticated scan, as detailed in the following post.
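The asset list and 14-day patch rule above, as an added Python example that is not from the article: it grades a constructed inventory into unsupported, overdue, pending, and recommended findings. The asset records, dates, and the severity field are made up for illustration; a real inventory would be exported from your MDM or patch-management tooling.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rules stated in the article: vendor-supported only, Critical/High within 14 days.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}


@dataclass
class Asset:
    device: str
    product: str
    installed: str                 # version currently installed
    latest: str                    # latest version the vendor has published
    latest_released: date          # when that latest version was released
    latest_severity: str           # severity of the issues it fixes (constructed field)
    support_ends: Optional[date]   # None = no announced end of vendor support


def assess(asset: Asset, today: date) -> list:
    """Return the compliance findings for one asset (empty list = compliant)."""
    findings = []
    if asset.support_ends is not None and asset.support_ends < today:
        findings.append("unsupported: vendor support ended")
    if asset.installed != asset.latest:
        age = today - asset.latest_released
        if asset.latest_severity in IN_SCOPE_SEVERITIES and age > PATCH_WINDOW:
            findings.append(f"overdue: {asset.latest_severity} update released {age.days} days ago")
        elif asset.latest_severity in IN_SCOPE_SEVERITIES:
            findings.append(f"pending: {(PATCH_WINDOW - age).days} days left in 14-day window")
        else:
            findings.append("recommended: non-critical update available")
    return findings


def report(assets, today: date) -> dict:
    """Map 'device/product' to findings, keeping only assets that need attention."""
    result = {}
    for a in assets:
        findings = assess(a, today)
        if findings:
            result[f"{a.device}/{a.product}"] = findings
    return result


# Constructed sample inventory: not real devices, products, or versions.
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("laptop-01", "OfficeSuite", "3.2", "3.2", date(2024, 5, 20), "high", date(2027, 1, 1)),
    Asset("laptop-02", "OfficeSuite", "3.1", "3.2", date(2024, 5, 20), "high", date(2027, 1, 1)),
    Asset("server-01", "LegacyOS", "9", "9", date(2023, 1, 1), "high", date(2024, 1, 1)),
    Asset("laptop-03", "Browser", "120", "121", date(2024, 5, 10), "critical", None),
    Asset("phone-01", "MailApp", "2.0", "2.1", date(2024, 4, 1), "low", None),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_ASSETS, TODAY).items():
        print(name, "->", "; ".join(findings))
```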
User Access Key Controls
An important element of security is to take precautionary measures to limit the impact that a compromised account may have on your business. One of the measures that can be taken to mitigate this impact is to reduce the access and permissions that regularly used accounts have.
Where your employees are using regular accounts on a day-to-day basis, to access documents, emails, and internet browsing, it is important to restrict the permissions of these accounts, as they can be more susceptible to compromise.
- Daily use accounts for your devices, email, and other systems should not be set up as administrative accounts, but should only maintain the minimal permissions necessary to carry out daily tasks.
- There can be instances where administrator permissions are necessary, such as when making configuration changes. However, your regularly used accounts should never be used for this purpose. For these specific tasks, there are a few available solutions:
  - A secondary account could be assigned to your user, which is only used to approve specific administrative tasks.
  - An IT Team could maintain separate administrator accounts, with remote access to devices, to conduct maintenance or apply changes.
  - A third-party IT Company could be used to help your business manage its IT Infrastructure. In a similar manner, the third party could then be provided with administrator accounts to remotely access your devices and conduct specific and business-approved tasks.
With most operating systems, when attempting to run an administrative task, such as installing software or making configuration changes, while using your daily user accounts, each user would be prompted to enter an administrator account and password. This can then be entered either by the user who has been issued with a secondary account, or by the IT management team when applying the requested changes.
- For the Cyber Essentials requirements it is necessary to track and document each of the administrator accounts which are created, and to have their creation approved by an authorised individual, such as a Director, Owner, or Partner of the business. Similar to maintaining an asset list for your devices, it is also helpful to maintain a complete documented list of all of your accounts. This ensures you accurately track each of your issued accounts, why they were created, and who they were issued to. This information can then be used to regularly review the permissions assigned to each individual, and to remove or disable accounts if an employee ever leaves your business.
- Where your users have been issued with secondary administrator accounts, it is also important to ensure these admin accounts do not start being used for general or everyday tasks.
  - This could be enforced using technical controls that limit some of the activities available to admin accounts, such as restricting web browsing or preventing an email inbox from being assigned to admin accounts.
  - It is also possible to conduct cyber security awareness training for your users and maintain company policy documents that define Acceptable Use for your user and admin accounts.
Malware Protection Key Controls
Protecting against potentially malicious files is an important element for any business’s security.
Within the Cyber Essentials Certification process, it is important to have a solution in place that can protect your devices from possible malware that may be introduced through email attachments, websites, or other sources.
- For devices such as your laptops, desktops, and servers, a commonly used solution is to install and maintain up-to-date Anti-Malware software. There are many options for Anti-Malware software which would help to secure your business and devices. Ideally, when selecting between different options, it is helpful for the software to detect potential threats from different sources, such as:
  - The specific signature of files. This helps to block and quarantine files as soon as they are downloaded or accessed and before they can impact your business.
  - The behavior occurring on your device. This helps to identify programs that may be running malicious actions on your device, such as attempting to access, encrypt, or change important system files.
There are also several test files made available by EICAR, which can be used to verify that your software is working as expected and blocking access to files with a malicious signature. The test files can be downloaded from the EICAR website available here.
- An alternative solution for protecting your devices, typically used to protect any mobile devices used by your business, is to limit the applications that can be installed and used. This process can be managed in several different ways.
  - A Mobile Device Management (MDM) system can be set up. These MDM solutions can be used to track each of the devices used to access your business and to create a configuration profile for the devices to adhere to. As part of the configuration standards, an approved applications list can be defined, chosen from an approved app store. This limits the number of applications that can be installed on a mobile device used for business purposes.
  - As an alternative, where an MDM system is not in place, mobile devices can be managed through:
    - User education and training, ensuring your employees understand the different security risks which can be introduced through device and account compromise and the need to limit the software which is installed on devices.
    - Defining an Acceptable Use policy for your devices, on which your employees also receive training, so they understand the importance of the security measures.
    - Defining an approved applications list for your mobiles, which is also communicated to your employees and works to limit the applications installed on your devices.
Conclusion
Adhering to cyber security measures is an increasingly sought-after requirement when working with many potential clients and business partners.
The Cyber Essentials certification program provides an accessible method of incorporating a well-known and industry-approved set of cyber security controls into your business.
This also allows your business to incorporate the certification logos and marketing material into your business offering to advertise the fact that you have taken the necessary and proactive steps to secure your business.
The Cyber Essentials Plus certification route also provides additional verification to your clients and business partners that your business regularly undergoes active security testing to verify your organisation's controls and security standards.
Where you have any further questions regarding different cybersecurity solutions, or the Cyber Essentials certification program our consultants are available to address any concerns you may have.