With business leaders relying more and more on digital platforms to run their operations, it's important for them to have a clear understanding of their company's cyber security to reduce the risks of cyber attacks and suffering impacts, like reputational damage and financial loss.
Cyber Essentials is a government-backed scheme that can help keep companies safe against the most common cyber attacks – and SoGlos hears how it can protect businesses across Gloucestershire from the head of cyber security at one of the county's leading firms, CDS Defence and Security.
About the expert - Martin Nash, head of cyber security at CDS Defence and Security
After a career as a communications and intelligence specialist, Martin Nash left the Royal Navy in 2006 and pursued a second career as a cyber security and information assurance professional. He has experience in lead technical security roles across the government, defence and civil nuclear sectors in the UK and spent a period of three years working in the USA as the director of information security for a bank, while his wife was posted there by the civil service.
Prior to moving to the US, he was a co-director and owner of a small specialist consultancy company based in Gloucester.
What is Cyber Essentials?
Cyber Essentials is a standard developed and overseen by the National Cyber Security Centre (NCSC), which uses a company called IASME to run it on its behalf. IASME have created a network of appropriately experienced cyber security companies who are authorised to conduct Cyber Essentials assessments and award certifications where companies meet the required criteria. We at CDS DS are one of those companies.
By gaining Cyber Essentials certification, organisations will reduce their security risk and protect themselves from many of the most common cyber attacks. There are two levels of certification: Cyber Essentials Basic (CE) and Cyber Essentials Plus (CE+). It is important to note that more and more government departments require contracted companies to be either CE or CE+ certified. For Ministry of Defence contracts, at least CE and often CE+ are expected by default.
What does this scheme cover?
CE and CE+ concentrate on assessing organisations against five basic security controls. CE requires a self-assessment which is marked and verified by an approved and qualified independent assessor. CE+ is the advanced certification where independent technical verification/testing is carried out, again by an approved and qualified independent assessor. CDS DS can conduct assessments and, if the criteria of CE or CE+ are met, award certification.
The five security controls expected and assessed are:
- Firewalls, to ensure that only safe and necessary network services can be accessed from the internet.
- Secure configuration, to ensure that computers and network devices are properly configured to reduce the level of inherent vulnerabilities.
- User access control, to ensure that user accounts are assigned to authorised individuals only and provide access to only those applications, computers and networks actually required for the user to perform their role.
- Malware protection, to restrict execution of known malware and untrusted software, to protect against harmful code that could cause damage or gain unauthorised access to sensitive data.
- Security update management, to ensure that devices and software are not vulnerable to known security issues for which fixes are available.
How much does it cost and how long does it take to complete?
The pricing for CE assessments is largely driven by IASME. Typically, smaller organisations will pay less than larger organisations. For a simple CE assessment, costs range from £300 + VAT for micro organisations, to £500 + VAT for large organisations.
A straightforward CE Basic assessment can be completed within 24 hours! CDS DS is often asked to provide ‘assisted’ assessments where we help organisations with the response to assessments. This is an additional cost to the straight assessment fee provided and is usually based on an hourly or daily consultant rate – your CE assessor will provide an estimated time and cost on a case-by-case basis.
CE+ costs vary based on the size and complexity of the organisation being assessed. Time and cost will be quoted on a case-by-case basis and can include an assisted assessment as described above – the average cost for CE+ is probably between £1,500 and £2,000, but it can be significantly higher for larger, more complex organisations. There are standard IASME fees involved, and a CE Basic assessment is conducted as part of the CE+ assessment. If you have gained CE Basic within a couple of months of a CE+ assessment, this can be used; but if it has been longer than a couple of months since your CE Basic assessment, a new assessment will need to be conducted and charged for as part of the CE+ assessment.
The time to prepare for either a CE or CE+ assessment can take days, weeks or even months depending on the maturity of your organisation’s security controls. Organisations such as CDS DS can help to prepare for, as well as conduct, assessments.
Why should an organisation look at becoming Cyber Essentials certified?
You may be contractually required to be CE or CE+ certified. Regardless, all organisations should have a clear picture of their cyber security maturity. Becoming Cyber Essentials certified and maintaining it will significantly reduce the risk of your organisation succumbing to a cyber attack and suffering impacts such as reputational damage, financial loss and regulatory or legal penalties. You can also use your certification to attract new business with the promise you take cyber security and data protection seriously.
More and more local and national government contracts require CE or CE+ certification – the Ministry of Defence expects it for all contracts. Organisations can also benefit from up to £25,000 worth of cyber insurance which you can opt in for ‘free’ upon successful CE certification – this is particularly attractive for smaller organisations.
What kind of businesses should look at Cyber Essentials?
There is no business or organisation that doesn’t rely on safe and secure technology and information to ensure its success. The consequences of doing nothing to reduce your cyber security risks are too significant to ignore. Organisations and businesses often struggle to understand where they need to start with cyber security controls – CE provides that answer and is a particularly good option for smaller organisations that lack the time and resources to achieve more complex certifications.
As already stated, government and defence contracts involving the handling of sensitive and personal information either already require it or will require it in the very near future. It is also worth noting that organisations do not need to be based in the UK to gain the Cyber Essentials accreditation.
How is the scope of CE certification determined?
As outlined above, CE assessments look at five technical security control themes: firewalls, secure configuration, user access control, malware protection and security update management. A CE assessment’s boundary of scope applies to all the devices, hardware, firmware and software that meet any of the following conditions:
- Can accept incoming network connections from untrusted internet-connected hosts; or
- Can establish user-initiated outbound connections to devices via the internet; or
- Control the flow of data between any of the above devices and the internet.
Examples of ‘in scope’ assets include PCs, laptops, tablets, smartphones, routers, operating systems, servers and some cloud services. Conversely, standalone devices that are not network connected or mobile phones used only for voice and SMS are deemed ‘not in scope’.
What steps should a business take to prepare and pass Cyber Essentials?
This very much depends on the size and complexity of your business or organisation. These can and do range from sole traders up to global institutions. It also depends on the technical ‘know how’ your business or organisation has available to it. A common mistake is to treat cyber security as the responsibility of IT. While it is true that IT will often have the ‘know how’ to implement and understand the technical controls expected by CE, the responsibility for managing the risk to sensitive information and personal data is always a business one – ultimately at board level.
In simple terms, organisations should prepare for CE by obtaining a freely available CE assessment questionnaire and accompanying guidance for review. It is important for this to be a thorough exercise – the expected criteria are provided in some detail and any claims against it will be validated by the independent CE assessor for a pass or fail decision.
Questionnaires can be completed and submitted for an assessment and certification decision without independent assistance. Here at CDS DS, we find that many organisations prefer to engage with us both to assist in completing the questionnaire and to conduct the assessment itself – this is a perfectly legitimate approach under the scheme. We also find that many organisations fail their initial assessment as they do not take the proper time and effort to both understand and accurately complete the assessment questionnaire.
CE+ will require additional assessor rigour. A sample of assets will need to be made available to CE+ assessors who will conduct a technical vulnerability analysis to assure that claims made under the organisation’s CE Basic assessment can be evidenced through testing. Organisations may wish to de-risk the chance of failure by conducting their own vulnerability assessments against in-scope devices and assets.
Top tip: The most common reason we see CE assessments fail is because organisations are still responding that they are using unsupported operating systems, including those used by mobile devices – make sure you are not doing the same thing!
Does Cyber Essentials need to be renewed after a certain period of time?
CE and CE+ need to be renewed every 12 months.
What else can businesses do in addition to Cyber Essentials?
CE and CE+ are excellent start-point certifications that provide good assurance against five of the basic technical security controls that all organisations should have in place at a very minimum. If you are struggling to know where to start, CE gives you this! Managing security risk more strategically, however, requires a much more holistic approach to improve security maturity.
Aligning your organisation to a recognised framework such as ISO 27001, NIST Cyber Security Framework or NCSC’s Cyber Assessment Framework will help ensure that your strategic approach to managing security risk includes the more complete personnel, physical and technical controls required to ensure you have a robust cyber security strategy that helps to minimise security risk and maximise your digital resilience.