What is Cyber Essentials?
Cyber Essentials is a government-backed scheme and is an important part of the NCSC’s mission to “make the UK one of the safest places to live and do business on-line.” It is designed as a first step to help organisations protect themselves from 80% of the most common internet threats through the secure implementation of five important control areas, which are summarised below.
What are the most common internet threats?
Let’s look at who may be trying to attack you and why! Many companies, especially SMEs, may consider themselves to be at low risk from cyber-attacks. We need to understand that many common threats come from opportunists who can be located anywhere in the world. These include:
- Cyber criminals – motivated by money through selling information (such as personal data or intellectual property) they have stolen or fraudulently obtained;
- Hackers & Hacktivists – people who try to access your systems for the fun or challenge;
- Employees – who have legitimate access to your IT systems and could be a threat either accidentally or through deliberate misuse.
How are the most common attacks carried out?
There are readily available tools on the internet which allow you to scan for vulnerabilities which can be exploited. This is similar to a thief doing a survey of a neighbourhood to look for the best opportunities, unlocked doors, open windows, empty properties, no alarm systems etc. Most attacks start with a survey to look for weaknesses.
Other surveys could be the sending of phishing emails to see who bites, or looking at social media accounts such as Facebook and LinkedIn to pick up clues such as easily guessed user names and passwords.
The five areas that Cyber Essentials helps to protect:
Cyber Essentials covers the following 5 key security control areas:
Boundary firewalls and internet gateways are effectively how you protect your perimeter. So for the thief carrying out his survey, they will be the locked doors and closed windows requiring more effort to get around to gain access. They determine who has permission to access your system from the internet and allow you to control where your users can go.
Secure configuration reduces the functionality of each computer or device to the minimum required for that user to operate. This will help prevent unauthorised actions being carried out. It also ensures each device discloses only the minimum information about itself to the internet. A scan can reveal opportunities for exploitation through insecure configuration.
It is important to restrict access to a minimum. This is to prevent a hacker being presented with a series of unlocked doors allowing him access to all the information he is looking for.
Administrator rights are the Holy Grail for a hacker. Once he has possession of these he can effectively go everywhere and has full control. Administrator rights should be restricted to administrator actions only. Convenience sometimes results in many users having administrator rights, which creates opportunities for exploitation.
It is important to protect your business from malicious software which will seek to access files on your system. Once there, this software can access and steal confidential information, damage files or even lock them and prevent you accessing them unless you pay a ransom. Malware protection helps to identify and prevent or remove any potential threats from malicious software.
Cyber criminals often exploit widely known vulnerabilities in software or operating systems to gain access. These could be through poorly designed software which has known weaknesses. Updating software and operating systems will help to fix any of these known weaknesses. It is crucial to do this as quickly as possible to close down any opportunities which could be used to gain access.
Who is Cyber Essentials for?
The National Cyber Security Centre (NCSC) identify Cyber Essentials as a good first step all businesses can take to protect themselves against these common threats and to help to reduce cybercrime.
Cyber Essentials is for all organisations, of all sizes, and in all sectors – this is not limited to companies in the private sector, but is also applicable to universities, charities, and public sector organisations.
We are an accredited Cyber Essentials Certification Body and have a 100% record of successfully certifying companies for Cyber Essentials & Cyber Essentials Plus.
For more information please contact us on 0161 706 0244 or email firstname.lastname@example.org to speak with a member of the team.