What is the Cyber Essentials Scheme?
Cyber Essentials is a UK government-backed scheme to improve the cyber security posture of businesses. The idea behind the scheme is to raise the baseline of how UK businesses approach, and are prepared for, cyber incidents. Certification is also a requirement when bidding for certain government contracts, particularly those that involve handling personal or sensitive information.
Should I Obtain Cyber Essentials?
The short answer is yes. Cyber Essentials helps any business improve its security posture and puts in place a framework that makes it easier to stay secure, along with tips and advice on how to do so. If you can obtain the certificate and keep it year on year, the business is likely to be in a better security position than one without it. The controls help businesses avoid common attacks such as phishing, malware, ransomware and network-based attacks, and improve overall posture by enforcing good practice such as password policies and user account security. This applies to any business, even small businesses with only a couple of employees.
There are two levels to the Cyber Essentials scheme: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials is a verified self-assessment questionnaire, whereas the Plus scheme also includes a hands-on technical audit of your IT systems to verify that the controls are actually in place.
How much does Cyber Essentials cost? The cost depends on how much assistance your organisation needs. The pricing for a verified self-assessment is shown below, but you may pay more if a third party is needed to assist with the assessment and to implement any changes required to meet the certification standard.
[1] Cyber Essentials pricing (Ref: https://iasme.co.uk/cyber-essentials/)
How Do I Obtain Cyber Essentials?
Getting Cyber Essentials can either be straightforward or a bit of a challenge, depending on the size of the business and the current state of the IT infrastructure. It is beneficial to have an IT employee who understands and can take charge of the technical aspects of the certification, but it is not a hard requirement. While there are technical aspects to the certification, much of the overall process is about thinking through how employees use devices during their working day and then building policies around this.
Cyber Essentials Main Objectives
Cyber Essentials is built around five technical controls; we also cover asset and device management, which the requirements treat as a supporting function rather than a control in its own right:
- Boundary Firewalls – This is your protection from the internet; your firewall policy should only allow through traffic that has a business need.
- Secure Configuration – Ensuring your systems are deployed and configured correctly and securely.
- User Access Control – Checking user access and ensuring users have least privilege. (Users should only have the minimum access needed for their role.)
- Malware Protection – Ensuring anti-malware software with continuous scanning is in place on all systems.
- Security Update Management – Ensuring security updates for in-scope software are applied within 14 days of release (the exact criteria are covered below).
- Asset/Device Management – Ensuring there is a record of all devices. This also covers device management, such as how Bring Your Own Device (BYOD) devices are controlled and managed.
The controls above also apply to any cloud environments your business uses, including hosted virtual desktop solutions such as Citrix.
Let’s dig into each of these points.
Boundary Firewalls
Cyber Essentials states we must have the following in place for firewalls.
- Default passwords must be changed to strong ones, or remote administrative access disabled entirely. Passwords should conform to the organisation’s password policy, which we will touch on shortly.
- Administrative management interfaces should not be reachable from the Internet unless there is a clear business need. If there is a business need for this, one of the following should be in place:
- Multi-factor authentication.
- An IP allow list containing only essential business IP addresses.
- Unauthenticated inbound connections are blocked by default.
- Inbound firewall rules are approved and documented by an authorised person and include the business need as to why they should be created.
- All unnecessary firewall rules should be quickly removed or disabled when no longer needed.
- Firewall appliances should be business, or enterprise-grade, and not consumer devices.
Guidance is also included that business devices should not be used on untrusted networks, such as public Wi-Fi. If employees need to use public networks, a business VPN solution should be set up so that their traffic is encrypted.
Secure Configuration
Secure configuration applies to all business devices. This includes servers, desktop computers, laptops, tablets, mobile phones, thin clients, Infrastructure as a Service (IaaS), Platforms as a Service (PaaS), Software as a Service (SaaS).
Devices often ship with default configurations that should be considered weak points. These can include:
- Default publicly known user account credentials.
- Default user accounts with special privileges, for example, Administrator or root.
- Pre-installed, but unnecessary, applications or services.
Requirements for computers and network devices:
- Remove or disable unnecessary user accounts such as old employee accounts, guest accounts or administrative accounts that aren’t used.
- Change default or guessable account passwords. These should be in line with the business password policy.
- Remove or disable unnecessary software. This includes applications, system utilities and network services.
- Disable auto-run features which allow files to execute without user authorisation. On Windows this can be done via Group Policy (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies > Turn off AutoPlay, enabled for all drives) or the equivalent registry value, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun set to 0xFF.
- Ensure users are authenticated before being able to access organisational data or services.
- Ensure appropriate device locking controls are in place.
Device Unlocking Controls:
Devices that require a user’s physical presence to access must be protected by either a password, PIN or biometric access control method. When possible one of the following should also be configured to prevent brute force attacks:
- Throttling or rate limiting, to enforce a wait period after a number of unsuccessful login attempts. This should increase with each unsuccessful attempt. For example, the first failure could be 5 seconds, then 10, then 20, then 40, etc. You shouldn’t allow more than 10 login attempts in 5 minutes.
- Locking devices after more than 10 unsuccessful attempts.
If PINs are used, they should be configured to be a minimum of 6 characters long.
Security Update Management
Security update management applies to servers, desktop computers, laptops, tablets, mobile phones, firewalls, routers, Infrastructure as a Service (IaaS), Platforms as a Service (PaaS), Software as a Service (SaaS).
Any device that runs software can have security flaws or vulnerabilities. Security update management aims to keep software fully up to date so that vendor security fixes are applied as they become available. This shortens the window in which known vulnerabilities can be exploited against the business.
Requirements:
All software within scope must be kept up to date. All software installed on in-scope devices must:
- Be licensed and supported.
- Be removed from devices when it becomes unsupported, or the device must be moved to an isolated network with no connection to, or from, the internet.
- Have automatic updates enabled where possible. (Ensure you keep regular backups in case an update causes problems.)
- Be updated, including by applying updates manually, within 14 days of release where the update:
- Fixes vulnerabilities described by the vendor as “critical” or “high” risk.
- Fixes vulnerabilities with a CVSS v3 base score of 7 or above.
- Comes with no detail from the vendor about the severity of the vulnerabilities it fixes.
It is recommended, but not mandatory, that all updates are applied as soon as possible or within 14 days of release for optimum security.
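As an added example (not from the original post or from any patch-management product), the following script applies the three conditions above to a constructed list of pending updates and reports which are overdue against the 14-day window, which are still within it, and which are recommended rather than mandatory. It also flags software marked as unsupported, which the requirements say must be removed or isolated rather than left unpatched. The field names and sample records are assumptions made for illustration; in practice you would build the list from your patch tool's or vulnerability scanner's export.

```python
from __future__ import annotations

from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14
CVSS_THRESHOLD = 7.0                   # CVSS v3 base score of 7.0+ is "high" or "critical"
MANDATORY_SEVERITIES = {"critical", "high"}


def update_is_mandatory(update: dict) -> bool:
    """True if the 14-day rule applies: vendor says critical/high, CVSS v3 >= 7, or no severity given."""
    severity = (update.get("vendor_severity") or "").strip().lower()
    cvss = update.get("cvss_v3")
    if severity in MANDATORY_SEVERITIES:
        return True
    if cvss is not None and cvss >= CVSS_THRESHOLD:
        return True
    return not severity and cvss is None     # vendor gave no severity information at all


def patch_deadline(update: dict) -> date:
    """Last day on which the update can be applied and still be within 14 days of release."""
    return date.fromisoformat(update["released"]) + timedelta(days=PATCH_WINDOW_DAYS)


def triage(updates: list[dict], today: date | str) -> dict[str, list[str]]:
    """Bucket pending updates by what Cyber Essentials requires of them today."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    buckets: dict[str, list[str]] = {"unsupported": [], "overdue": [], "due": [], "recommended": []}
    for u in updates:
        if u.get("supported", True) is False:
            # Unsupported software can't receive fixes: remove it or isolate the device.
            buckets["unsupported"].append(u["id"])
        elif not update_is_mandatory(u):
            buckets["recommended"].append(u["id"])   # still apply promptly, but not a hard requirement
        elif patch_deadline(u) < today:
            buckets["overdue"].append(u["id"])
        else:
            buckets["due"].append(u["id"])
    return buckets


# Constructed sample data for illustration; not real advisories or real products.
SAMPLE_UPDATES = [
    {"id": "browser-2024.05", "released": "2024-05-01", "vendor_severity": "critical", "cvss_v3": 9.8},
    {"id": "office-suite-hotfix", "released": "2024-05-25", "vendor_severity": "moderate", "cvss_v3": 7.5},
    {"id": "pdf-reader-minor", "released": "2024-05-20", "vendor_severity": "low", "cvss_v3": 3.1},
    {"id": "router-firmware-1.9", "released": "2024-05-28"},                       # no severity details given
    {"id": "legacy-accounts-app", "released": "2020-01-01", "supported": False},
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_UPDATES, "2024-06-01").items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Two details are worth noting. An update the vendor rates only "moderate" still falls under the 14-day rule if its CVSS v3 base score is 7 or above, so always check the score as well as the label, and vendor scales that do not use the words "critical" or "high" (for example "Important") do not trigger the rule on their own. An update with no severity information at all is treated as mandatory, which is the conservative reading the requirements call for.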
The NCSC also provides some guidance on installing software updates quickly without causing an impact on your IT systems here. This helps with the challenge of organisations wanting to test software updates before pushing them out to the whole organisation or their production environments.
It is also recommended to have regular backups, as these allow you to revert a system if an update causes problems or goes wrong. Backups are good practice in general; we’ll touch on them a bit more at the end of this post.
User Access Control
User Access Control applies to: servers, desktop computers, laptops, tablets, mobile phones, Infrastructure as a Service (IaaS), Platforms as a Service (PaaS), Software as a Service (SaaS).
User accounts should be:
- Assigned to a single authorised individual only.
- Given access only to the applications, systems or networks that the user needs to carry out their role.
All users in the organisation should only have the minimum permissions to systems required for them to carry out their roles effectively. This idea of least privilege ensures that if an employee is to go rogue, or their account is breached, then the attacker has minimum privilege and access.
Accounts with special privileges should also not be used as daily use accounts. These accounts should only be given to authorised individuals and should be separate from the account the user uses day to day. This day-to-day account should be a low-privilege user.
Administrator accounts, or accounts with special privileges, typically allow the user to:
- Install or execute software that can make changes to the system.
- Make changes to the operating system for some, or all, users.
- Create new accounts and grant or remove privileges.
Most built-in administrator accounts have these privileges. For example, local administrators or domain administrator accounts within Windows environments and the root user within Linux environments.
These administrator accounts must not be used day to day because, if the user opens a malicious URL or file, the resulting download could be executed with the administrator’s permissions and install or run as that user or as the system. This is also why general users should not have rights to install software on their machines and should instead go through a defined installation process.
The following is an example of the above from the NCSC.
NCSC Example
Jody is logged in with an administrative account. If Jody opens a malicious URL or email attachment, any associated malware is likely to acquire administrative privileges. Unfortunately, this is exactly what happens. Using Jody’s administrative privileges, a type of malware known as ransomware encrypts all of the data on the network and then demands a ransom. The ransomware was able to encrypt far more data than would have been possible with standard user privileges, making the problem that much more serious.
User Access Control Requirements: The organisation must have user access controls in place to restrict access to data and services. It’s important that this also includes third-party accounts. For example, third-party IT services or external contractors. It is also important to understand how user accounts authenticate and manage the authentication accordingly.
The organisation should:
- Have a process in place for creating and approving user accounts.
- Have users authenticate with unique credentials before gaining access to applications or devices.
- Remove or disable user accounts when they are no longer needed.
- Implement multi-factor authentication where possible.
- Not use accounts with special privileges as daily drivers; admin accounts should be used to perform administrative tasks only.
- Remove special access rights when they are no longer needed, for example when a user changes role.
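An access review is the practical way to check the points above. The following added example (not from the original post or from any identity product) walks a constructed list of accounts and flags shared credentials, accounts that are no longer needed, privileged accounts used for day-to-day work or lacking MFA, and accounts with no login for 90 days. The 90-day threshold and the account fields are assumptions made for illustration; the MSP account shows that a third-party account is reviewed in exactly the same way as an employee's.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

STALE_AFTER_DAYS = 90   # assumption for this example: unused this long, confirm the account is still needed


@dataclass
class Account:
    name: str
    owners: list[str] = field(default_factory=list)   # individuals who hold the credential
    privileged: bool = False                          # can install software, change OS settings, manage accounts
    daily_use: bool = False                           # used for email, browsing or other everyday work
    mfa: bool = False
    enabled: bool = True
    no_longer_needed: bool = False                    # owner has left, or changed role and lost the need
    last_login: str | None = None                     # ISO date of the last successful login


def review_accounts(accounts: list[Account], today: date | str) -> dict[str, list[str]]:
    """Return findings per account name; an account with no findings is omitted."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    stale_before = today - timedelta(days=STALE_AFTER_DAYS)
    findings: dict[str, list[str]] = defaultdict(list)
    for a in accounts:
        if not a.enabled:
            continue                                  # already disabled: nothing to act on
        if len(a.owners) != 1:
            findings[a.name].append("must be assigned to exactly one authorised individual")
        if a.no_longer_needed:
            findings[a.name].append("no longer needed: remove or disable")
        if a.privileged and a.daily_use:
            findings[a.name].append("privileged account used for day-to-day work: give the user a separate standard account")
        if a.privileged and not a.mfa:
            findings[a.name].append("privileged account without MFA")
        if a.last_login and date.fromisoformat(a.last_login) < stale_before:
            findings[a.name].append(f"no login for over {STALE_AFTER_DAYS} days: confirm it is still required")
    return dict(findings)


# Constructed sample directory for illustration; not a real organisation.
SAMPLE_ACCOUNTS = [
    Account("jody", ["Jody"], mfa=True, last_login="2024-05-30"),
    Account("jody-admin", ["Jody"], privileged=True, daily_use=True, mfa=True, last_login="2024-05-30"),
    Account("reception", ["Ann", "Ben"], last_login="2024-05-31"),
    Account("msp-support", ["MSP Ltd engineer"], privileged=True, last_login="2024-01-10"),
    Account("former-dev", ["Dan"], no_longer_needed=True, last_login="2024-05-01"),
    Account("old-service", ["ops"], enabled=False),
]

if __name__ == "__main__":
    for name, issues in review_accounts(SAMPLE_ACCOUNTS, "2024-06-01").items():
        for issue in issues:
            print(f"{name}: {issue}")
```

The shape of the output matters more than the sample data: each finding maps to one requirement in the list above, so the review can be handed to whoever owns the account with a clear action (split the admin account out, enrol MFA, disable the leaver). Feed it from your directory export rather than a hand-written list, and keep the disabled-account check as it is: a disabled account already satisfies "remove or disable", so it should not generate noise.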
Password-based Authentication:
The following should be put in place to ensure user accounts using password authentication are secure. This will also form the basis of the organisation’s password policy.
Passwords should be protected against brute-force attacks by implementing at least one of:
- Multi-factor authentication.
- Throttling, or rate limiting, so that there is a wait period after a number of unsuccessful login attempts, and the wait increases with each further failure. You shouldn’t allow more than 10 guesses in 5 minutes.
- Locking accounts after no more than 10 attempts.
Technical controls should be in place to manage the quality of passwords, this must include one of the following:
- Using multi-factor authentication.
- A minimum password length of 12 characters, with no maximum length restrictions.
- A minimum password length of at least 8 characters, with no maximum length restriction, combined with automatic blocking of common passwords using a deny list.
There is a lot of benefit gained by training users on good password practices, users should be supported on this by:
- Educating them about avoiding common passwords such as a pet’s name, common keyboard patterns or passwords that have been used elsewhere. This could include teaching people to use the password generator feature built into some password managers.
- Encouraging users to choose longer passwords by promoting the use of multiple words (a minimum of three) to create a password (such as the NCSC’s guidance on using three random words).
- Providing users with a suitable password manager as well as adequate training on how to use it.
- Not enforcing regular password expiry. (As this can lead to weak or similar passwords, the NCSC did research on this here.)
You should also have a process for changing a password promptly if a user suspects their account might be compromised.
Multifactor Authentication:
Multifactor authentication should be used on all accounts where available, especially accounts with administrator permissions. This should also be enabled on all internet-facing accounts, including services that are not managed by the organisation.
Even with multi-factor authentication enabled, accounts should still have a password with a minimum length of 8 characters and no maximum length restriction. However, the best practice would be to follow the organisation’s password policy by enforcing passwords to be 12 characters or above.
There are four types of additional factors to consider:
- A managed/enterprise device.
- An app on a trusted device.
- A physically separate security token.
- A known or trusted device.
SMS is not the most secure type of MFA, but it still offers a huge advantage over not using MFA at all. However, if an alternative such as an authenticator app is available and will work for your situation, we recommend using that instead of SMS.
More information on password management and two-factor authentication can be found in a previous post here, as well as the NCSC’s guidance on MFA here.
Malware Protection
Malware protection applies to: Servers, desktop computers, laptops, tablets, mobile phones, Infrastructure as a Service (IaaS), Platforms as a Service (PaaS), Software as a Service (SaaS).
Malware is software that has been written to be malicious towards systems or data. Sources of malware can include internet downloads (including app stores), email attachments and direct installation of unauthorised software. If a system gets infected you may suffer system downtime or data loss. In addition, infections can spread and infect other machines on the network.
You can largely avoid potential harm by:
- Preventing malware from being delivered to devices (e.g. anti-malware software that scans downloads and email attachments).
- Preventing malware from running on devices (e.g. not allowing users to install software or to execute files they have obtained).
NCSC Example
Acme Corporation implements code signing alongside a rule that allows only vetted applications from the device application store to execute on devices. Unsigned and unapproved applications will not run on devices. The fact that users can only install trusted (allow-listed) applications leads to a reduced risk of malware infection.
Requirements:
You must make sure that malware protection is in place and active on all devices in scope. This can be a built-in or third-party security product, but in all cases it must be kept up to date and configured as detailed below.
Anti-malware software must be configured to:
- Be updated in line with vendor recommendations.
- Prevent malware from running.
- Prevent the execution of malicious code.
- Prevent connections to malicious websites over the internet.
Microsoft provides some files for testing antivirus software, which can be found here, as well as the Microsoft Defender for Endpoint (formerly Defender ATP) demo scenarios here.
If using an application allow list, only approved applications restricted by code signing should be allowed to execute on devices. You must:
- Actively approve such applications before deploying them to devices.
- Maintain a current list of approved software applications. Users must not be able to install any application that is unsigned or has an invalid signature.
Asset/Device Management & Scope for Assessment
Asset management isn’t a specific Cyber Essentials control, but effective asset management can help meet all five controls, so it should be considered a core security function.
It is important to keep an up-to-date asset list of all IT devices, including servers and networking equipment. As well as helping you keep track of where devices are, this lets you track warranty periods and the support status of the hardware and operating system, which feeds directly into the security update management control. It is good IT practice to keep up-to-date documentation of assets, along with network diagrams describing how the systems work together.
The NCSC has guidance for asset management here.
Bring your own device (BYOD)
In addition to devices owned by the organisation, user-owned devices that have access to organisational data are also in scope for Cyber Essentials assessments. However, remote and mobile devices that are only used for:
- Native voice applications
- Native text applications
- Multi-factor authentication applications
are considered out of scope.
More NCSC guidance can be found on BYOD devices here.
Home Working
The default stance within Cyber Essentials is that all corporate, or BYOD, devices used for business are in scope. This includes if the business provides a user with a method for working from home.
If users are using personal devices for business work, then the business should take steps to protect its data on these devices. It might be worth looking into solutions such as Microsoft Intune to help secure business data on non-organisation-owned devices.
Wireless Devices
Wireless devices, including wireless access points, are:
- In scope if they can communicate with other devices via the internet.
- Out of scope if an attacker can’t attack directly via the internet.
- Out of scope if they are part of an ISP router situated at a home location.
Cloud Services
If the business uses cloud services for applications or data storage these must be in scope for assessment. For cloud services, the applicant organisation is always responsible for ensuring all controls are implemented. The scheme recognises three different types of cloud service:
- Infrastructure as a Service (IaaS) – the cloud provider delivers virtual servers and network equipment that, much like physical equipment, your organisation configures and manages. Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.
- Platform as a Service (PaaS) – the cloud provider delivers and manages the underlying infrastructure, and your organisation provides and manages the applications. Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.
- Software as a Service (SaaS) – the cloud provider delivers applications, and your organisation then configures the services. You must still make sure that the service is configured securely. Examples of SaaS include Microsoft 365, Dropbox and Gmail.
Who implements the controls will vary, depending on how the cloud service is designed. The table below explains who might typically be expected to implement each control:
[2] Cloud service responsibilities (Ref: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-April-2023.pdf page 6)
In cases where the cloud provider implements one of the controls on your behalf, you must make sure that the cloud provider has committed to implementing this via contractual clauses or documentation provided by the provider. Cloud providers will often provide security documentation like this publicly.
Accounts Used By Third Parties
All accounts your organisation owns are in scope for assessment. This includes those used by a third party, such as a supplier or Managed Service Provider (MSP). If you are using externally managed services you must be able to demonstrate that Cyber Essentials technical controls are being met.
All end-user devices your organisation owns that are loaned out to third parties are included in the assessment scope.
The chart below explains the device scope for devices not owned by the organisation:
[3] Third-party devices scope (Ref: https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-April-2023.pdf page 7)
For devices that are out of scope, it is still up to the organisation to ensure they are secured and access business data securely; however, this is not assessed under Cyber Essentials.
Web Applications
Commercial web applications that are publicly available (as opposed to those developed in-house) are in scope by default. Bespoke and custom web applications are out of scope; the best way to ensure these are secure is through third-party penetration testing and following best practice such as the OWASP Application Security Verification Standard (ASVS).
Backing Up Business Data
Backing up ultimately means creating a copy of your information and saving it to another device or to cloud storage. Backing up regularly means you will always have a recent version of your information, which helps you recover quicker if your data is lost, stolen or encrypted by ransomware. You can also turn on automatic backup, which regularly saves your information to cloud storage without you having to remember to do it manually. If you back up to a USB stick or an external hard drive, disconnect it from your computer when a backup isn’t running, so that malware on the machine can’t reach the backup copy. Backing up your data is not a technical requirement of Cyber Essentials; however, we highly recommend implementing an appropriate backup solution. You should also try to follow the 3-2-1 rule where possible:
- 3 Copies of your data. (This often includes your live/production copy of data.)
- On two different storage media. (For example disk and tape, or local disk and cloud storage.)
- With at least one being off-site. (For protection from events such as fire.)
It is also of vital importance that backups are monitored and tested regularly to ensure they are working as expected. There is nothing worse than having to fall back on a backup only to discover it hasn’t run in a while, or that the data you thought was included isn’t there.
Tools to Assist Readiness
When getting ready for a Cyber Essentials assessment it is a good idea to run automated scans to catch issues before the assessor does. The findings can then be assessed and fixed before the real assessment, which could save your business from needing a second assessment if the findings would otherwise cause the first to fail. The NCSC has some advice on scanning tools here. One of the industry-standard tools for vulnerability and compliance scanning is Nessus. Nessus is expensive as a professional tool, but Tenable offers a free version, Nessus Essentials, limited to a small number of IP addresses. One benefit of using a third party for readiness and assessment of Cyber Essentials is that they likely already have access to these tools, which could save you expensive licensing costs.
After Obtaining Cyber Essentials
After your business has obtained Cyber Essentials you’ll be in a great place to protect the organisation from threats, and you’ll be presented with a Cyber Essentials badge to prove it (and give your clients and partners confidence in your security posture). However, this is just the start: once you have Cyber Essentials, everything we’ve been through should continue to happen in the business. Cyber Essentials is not a “set and forget” exercise; it should be a continued effort. Good ongoing management of cyber security also makes renewal easier, as the certificate is valid for 12 months and you must be reassessed every year.
Need Help or Guidance?
We aren’t certified Cyber Essentials assessors but we are security professionals. We’re happy to answer any questions you might have on the Cyber Essentials scheme or questions on getting your environment assessment ready. Feel free to reach out and we’ll try our best to help if we can. Contact us.
Further Reading
Another good practice to get your head around is zero trust. The NCSC give good guidance on this here.
NCSC - Cyber Essentials Overview https://www.ncsc.gov.uk/cyberessentials/overview
NCSC - Cyber Essentials Requirements for Infrastructure https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-1-April-2023.pdf
NCSC - Cyber Essentials Readiness Tool https://getreadyforcyberessentials.iasme.co.uk/
IASME - Cyber Essentials Assessors https://iasme.co.uk/certification-bodies/