By Grant Hamilton, information security consultant, Alternative Solutions
Cyber Essentials provides organisations with guidance on what basic controls are required to reduce risks posed by internet-based threats.
No doubt most of you have been offered cybersecurity products or advice, or read articles about what you should or shouldn’t do, but what is rarely pointed out is that your company can make a big difference to its cybersecurity posture simply by making sure the fundamentals are done correctly.
It has been highlighted that companies can mitigate up to 80% of the most common internet-borne cyber-attacks by going back to basics and ensuring their systems are configured correctly with the appropriate settings enabled and controls in place. Typically this doesn’t require any additional product investment and can be done with the appropriate configuration and tools that the business already uses.
Jersey’s government has mandated that anyone in its supply chain should meet Cyber Essentials requirements and obtain self-assessment certification.
How easy is it to achieve Cyber Essentials?
Cyber Essentials is a scheme formed of two parts, a self-assessment and an independent audit. The requirements for both are designed around being affordable for any size of business, whether employing two or 2,000 staff. Cyber Essentials is a simple but effective government-backed and industry-supported scheme that will help you to protect your organisation against a range of the most common cyber-attacks. Cyber-attacks come in many shapes and sizes, but the vast majority are basic in nature and are carried out by relatively unskilled individuals. They are the digital equivalent of a thief trying your front door to see if you have left it unlocked.
The self-assessment requires you to complete a questionnaire and review key parts of your system to ensure that you have configured it to best practice and enabled the appropriate protection measures. Running through this self-assessment process alone will provide you with protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to simple attacks can identify you as a target for more in-depth unwanted attention from cyber criminals and others.
CE provides your stakeholders with peace of mind that you have considered your cybersecurity requirements and have at least met a minimum standard of the basic controls an organisation should have in place to protect itself and its clients’ data.
The process of obtaining Cyber Essentials certification is simple. Organisations assess themselves against five basic security controls and the Alternative Solutions qualified assessor verifies the information provided. The Cyber Essentials self-assessments are available through a secure hosted portal powered by the Cyber Essentials assessment platform. The assessments can be accessed and answered quickly and easily using an intuitive user interface.
Cyber Essentials Plus
Cyber Essentials Plus still has the Cyber Essentials simplicity in its approach. However, while the protections you need to put in place are the same, this time an assessor carries out a technical audit of your systems to verify the Cyber Essentials controls.
This higher level of assurance involves completing testing against a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. Your assessor will test a suitable random sample of these systems and then decide, based on the results, whether further testing is required. Upon completion, your business will achieve Cyber Essentials Plus, which you are entitled to display on your website and in email signatures to show that it has been audited to that standard.
Completing Cyber Essentials is the first step towards a complete governance solution for your business.
If you are interested in obtaining Cyber Essentials for your business, or have any questions around cybersecurity, please contact Grant Hamilton, information security consultant, on email@example.com.