Cyber Essentials – What is it and can it benefit your business?
We have gone through the process of getting the Cyber Essentials accreditation and thought it would be useful to pass on the thoughts of our IT Manager, Darren Cope.
To start off, I’ll answer both questions in the title of this blog post:
What is it?
“Cyber Essentials is a Government-backed and industry-supported scheme that helps businesses protect themselves against the growing threat of cyber attacks and provides a clear statement of the basic controls organisations should have in place to protect them.” Source: https://www.cyberessentialsonline.co.uk/about-cyber-essentials/
Can it benefit your business?
Short answer – YES
Now we have the basic question answered, I can dig a bit deeper into our journey to getting the Cyber Essentials accreditation. For clarity, there are two levels: Cyber Essentials and Cyber Essentials Plus. WSX Enterprise has achieved accreditation in Cyber Essentials. We will look at the ‘Plus’ level in due course.
Let’s start with why we have got this:
Cyber security is more important than ever. The Internet has made it easier for attackers to target businesses from a position of anonymity. We all handle large amounts of data, including our customers’ information, so we need to be confident in our own system security, as well as showing others that we are a secure partner who takes data security seriously.
The Cyber Essentials accreditation helps achieve this: it is a Government-backed and industry-supported scheme with a defined set of basic controls.
How did we go about getting accreditation?
As this is a Government-backed scheme, there is a list of Certifying Bodies that have been accredited to carry out the assessment for you. Pick one you are happy with; they should all follow the same approach.
Once you have signed up with a Certifying Body, you will be asked to complete an online questionnaire.
It’s a good idea to look at the questionnaire beforehand, so you can perform an initial review of your network configuration and the policies behind it. This puts you in the best position to pass first time. Some bodies offer a free retest should you fail the first time, which gives you an opportunity to make the required changes without paying for a re-scan of your network. Ask about this before the initial payment, as we found some deals could be done.
What are the questions asked?
It is quite an extensive list (as you would expect for a nationally recognised accreditation in network security), but there is nothing in there that is out of the ordinary.
Main headings include:
List the public IP addresses to be scanned and what each one is for. This covers the Internet presence of the entire organisation and may include multiple connections for some organisations: your firewall, webmail, remote access, and so on.
Any shared (hosted) services that you use should be listed.
List the firewall devices you maintain, with questions on how they have been configured, the policies in place, etc.
Questions on Active Directory (if you have it) policies, password policies, whether personal (host) firewalls are enabled, backups, mobile devices, etc.
How access to your network is granted, the permissions set by default, password policies for users, access to network shares, etc.
How your organisation’s systems are protected and kept up to date, etc.
How you ensure patches are applied and up to date, whether vulnerability scans are carried out, etc.
The questionnaire is then submitted to the chosen Certifying Body (they will have set you up with a secure online account or similar), and they mark it to see whether you are required to make changes before the actual scan of the IP addresses you provided in the first step (the remote vulnerability scan).
We passed this initial stage, so can’t comment on what changes are required. However, it’s a great first step for any business to take as it does force you to do some simple checks on how you manage your network.
If you have a network domain and do not currently use Group Policy management, this is definitely something I would highly recommend. It gives you control over a vast array of security settings that can be applied to PCs and/or staff in segments of your network, so one rule does not have to apply to everyone. And as it is centrally managed, it makes life a lot easier for an IT Manager.
The Security Scan…
Having passed the questionnaire, we were ready for the security ‘port scanning’ on the IP addresses we had submitted. I would advise being onsite for this, just to be on the safe side. There is no downtime but, as with most things in IT, curve-balls can occur.
A tool I find useful to check our public IP security is IIS Crypto. This is a free tool that can scan a public URL, attached to your public IP, for IIS insecurities and give you an initial rating. You can also use it to enable or disable SSL/TLS cipher suites, which can be a factor in failing the security scan. It has built-in templates, one of which is ‘Best Practice’, which disables SSL 2.0 and 3.0, both of which were found to have security holes in them.
I only recommend this, as it is what I have used in the past and has always worked well for me. I have no ties to the manufacturer of the plugin, nor can I say it will work as well for you. There are plenty of reviews out there for you to make your own judgement on.
As with making any changes to your network, I would always advise having a backup or taking a virtual snapshot of the servers beforehand.
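For readers who want to see what a tool like IIS Crypto actually changes, here is an added example (not from the original post, and not IIS Crypto’s own code) that disables SSL 2.0 and SSL 3.0 on a Windows server by writing the Schannel registry values directly, and shows the before/after state so you can confirm the change. It assumes a Windows host using Schannel (IIS, RDP, etc.), an elevated PowerShell session, and that you have taken the backup or snapshot mentioned above; the function names are my own.

```powershell
# Added example: disable SSL 2.0 and SSL 3.0 in Schannel by setting the same
# registry values a tool such as IIS Crypto writes. Run as Administrator.
# A reboot is required before the new settings take effect.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Report the current state of a protocol for both the server and client side.
# A $null value means the key is absent and the OS default applies.
function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Base "$Protocol\$side"
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

# Switch a protocol off for both server and client use.
# Enabled=0 turns the protocol off; DisabledByDefault=1 stops applications
# that do not choose protocols explicitly from negotiating it.
function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Base "$Protocol\$side"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Show the state before the change, apply it, then show the state afterwards.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    Write-Host "Before: $proto"
    Get-SchannelProtocolState -Protocol $proto | Format-Table -AutoSize
    Disable-SchannelProtocol -Protocol $proto
    Write-Host "After: $proto"
    Get-SchannelProtocolState -Protocol $proto | Format-Table -AutoSize
}

Write-Host 'Reboot the server for the Schannel changes to take effect.'
```

The same keys exist for TLS 1.0 and TLS 1.1, which current scanners also flag, so the function can be pointed at those once you have checked that no legacy clients still depend on them; disabling a protocol that an old client needs is exactly the kind of curve-ball that makes the backup or snapshot worthwhile. After the reboot, verify the result from outside your network with an external TLS scan before the Certifying Body runs theirs.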
So, once the security scan is complete you get a pass or a fail. Depending on what you signed up for at the start, you may get a free retest. And that is it: we now have a certificate to display showing that we have passed the Cyber Essentials assessment and are certified. On top of this, we received a downloadable report showing each step of the testing and any further recommendations that could be implemented.
This was a worthwhile process for us to go through and I highly recommend that other businesses do the same. If you are looking to bid for certain central government contracts, it is a mandatory requirement. From the Cyber Essentials website:
“Being Cyber Essentials certified is mandatory for all organisations bidding for all central government and MOD contracts that deal with the handling of personal information and the provision of certain ICT products and services. Therefore, if you’re looking to bid for these contracts, you must hold Cyber Essentials certification.”
If you’d like the more in-depth accreditation (Cyber Essentials Plus), you can apply for it at the same place, https://www.cyberessentialsonline.co.uk/products/, or directly with an accredited Certifying Body. It is more expensive because it involves a site visit and an internal vulnerability scan.
One final thing to say is that once complete, this is only the start. The process will probably have made you tweak a couple of things in your systems or policies, and these then need to be reviewed regularly to make sure everything is still up to date.
The world of IT is always evolving and so are the systems we use to keep us all secure.
Blog post was written by the IT Manager for WSX Enterprise (Darren Cope).