Cyber Essentials has been the national standard for UK organizations to evaluate themselves against since 2014, helping over 30,000 organizations ensure they follow basic cybersecurity hygiene practices.
For some organizations, it may also help secure new business. Cyber Essentials certification is a prerequisite for certain UK central government contracts, particularly those that involve handling personal information or providing ICT products and services.
January 2022 saw significant changes to the certification (the updated requirements and question set took effect on 24 January 2022). Here’s a brief guide to the five controls the certification covers and how you should consider protecting your organization.
Firewalls in Abundance
The certification requires every in-scope device to be protected by a firewall, and the January 2022 changes make it explicit that home working devices are in scope. Home routers are not assessed, so a home worker’s laptop cannot rely on the router for protection and must have its own software firewall enabled. Note that scope is not limited to devices the organization supplies: employee-owned (BYOD) devices that access organizational data or services are in scope too, so they need the same firewall protection.
Two kinds of firewall are relevant. The most common is a boundary firewall, which sits at the edge of the office network, covers every device behind it and restricts inbound and outbound traffic according to a predetermined rule set. A host-based (software) firewall runs on the individual device and is configured per device, which is essential when employees connect from home or from untrusted networks such as public WiFi, where no boundary firewall of yours is in the path.
Avoid Out-of-the-Box Configuration
An abundance of new devices was purchased and connected to the corporate network following the shift to remote working. To enable them to get up and running quickly, those devices may still have standard ‘out-of-the-box’ configurations. For example, administrative accounts with insecure passwords or pre-installed applications come as standard with a new laptop or mobile; they can become easy attack routes if left untouched.
An additional item now explicitly in scope is cloud services, including infrastructure, platform and software as a service (IaaS, PaaS and SaaS). Many assume that security is the provider’s responsibility while using these services. In practice, responsibility is shared: the provider secures the underlying platform, but you are responsible for how you configure it and who can access it. Cyber Essentials wants to see evidence that you have taken ownership of user access control (including multi-factor authentication on cloud accounts) and of the general configuration of each cloud service you use.
Each new asset should also be registered on the internal asset inventory, which will be invaluable for the fifth control in the certification.
Controlling User Access
IT and security teams should take the approach of ‘least privilege’ wherever possible: each user gets only the access needed to do their job, and every account that can reach sensitive information is tightly controlled. Administrative accounts, which can reach everything, need the strongest protection. They should be separate from the accounts used for day-to-day work and used only for administrative tasks, never for web browsing or email.
Multi-factor authentication (MFA), brute-force protection and password requirements are now part of the certification. Two things are required. First, every login must be protected against guessing: either lock the account after no more than 10 unsuccessful attempts, or throttle attempts so that no more than 10 guesses are possible in five minutes. Second, passwords must be of good quality, which you can demonstrate in one of three ways: MFA is in use, a minimum password length of 12 characters with no maximum length is enforced, or a minimum of 8 characters is enforced together with a technical control that blocks common passwords (a deny list). MFA must be used for cloud services, so a single password alone, however strong, is no longer sufficient there.
Protection Against the Threat of Malware
Malware is a rising concern: once a device is infected, attackers can cause significant damage and gain access to sensitive information.
Reducing the risk starts with limiting what users can install: remove the ability to download and run arbitrary software from the internet, and make sure users only obtain applications from approved sources such as vendor app stores. Malware can also arrive through malicious links or attachments shared via email, so further protection is required on the device itself. Cyber Essentials accepts three approaches here. Anti-malware software detects and disables malicious files before they run and blocks connections to known malicious websites. Application allow listing goes further, with rules on each device so that only approved, trusted software can be launched at all. Sandboxing runs untrusted software in an isolated environment, separated from the device’s data and the corporate network, so it can be checked without risk.
Managing Security Updates
Having an up-to-date and accurate asset inventory is invaluable. Organizations need visibility of all assets so they can promptly fix vulnerabilities across devices and software wherever fixes are available. The new changes stipulate that updates the vendor rates as high or critical (a CVSS v3 base score of 7.0 or above, or updates for which no severity details are published) must be applied within 14 days of release. Unsupported software, for which no fixes will ever be issued, must be removed or isolated.
It’s common to see separate processes and monitoring tools across the various operating systems and devices an organization runs. This means that when a patch is made available, different teams need to test and deploy different patches. If the equipment is mission-critical, downtime often has to be scheduled weeks in advance to allow time to deploy the patch, and a malicious actor can exploit the gap between release and deployment. If asset visibility is poor to begin with, the problem compounds: you can’t protect what you can’t see.
Web browsers like Google Chrome can be set to deploy patches automatically, since they are not mission-critical software in the sense that a failed update would halt the business. This stops security gaps lingering and reduces workload.
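Checking the 14-day window is a simple join between the asset inventory and a list of available vendor updates, which is why the inventory matters so much for this control. The following is an added example, not code from the original article or from the scheme’s operators. It takes a constructed inventory and a constructed update feed, ignores updates below high severity, skips assets that already run a fixed version, and reports each remaining asset with the number of days it is past the deadline. It also reports assets whose product has no matching update feed, which is the "can’t protect what you can’t see" case.

```python
"""Flag assets that have missed the 14-day patch window for high/critical
updates (added illustration, not the article's or the scheme's own code).
Inventory rows and the update list below are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"high", "critical"}


@dataclass(frozen=True)
class Update:
    product: str
    fixed_version: str   # first version that contains the fix
    severity: str        # vendor rating; the scheme keys on high/critical
    released: date


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str


def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted versions only ('100.0.4896.60'); good enough here."""
    return tuple(int(part) for part in version.split("."))


def overdue_updates(assets: list[Asset], updates: list[Update], today: date):
    """Return (overdue, unmonitored).

    overdue:     [(asset_name, Update, days_past_deadline)] for every
                 high/critical update the asset lacks whose 14-day window
                 has already closed.
    unmonitored: asset names whose product appears in no update feed, so
                 their patch status cannot be assessed at all.
    """
    feeds = {u.product for u in updates}
    overdue = []
    unmonitored = []
    for asset in assets:
        if asset.product not in feeds:
            unmonitored.append(asset.name)
            continue
        for update in updates:
            if update.product != asset.product:
                continue
            if update.severity.lower() not in IN_SCOPE_SEVERITIES:
                continue
            if version_key(asset.version) >= version_key(update.fixed_version):
                continue  # already on a fixed version
            deadline = update.released + PATCH_WINDOW
            if today > deadline:
                overdue.append((asset.name, update, (today - deadline).days))
    return overdue, unmonitored


# Constructed sample data: product names and versions are illustrative only.
SAMPLE_UPDATES = [
    Update("ExampleBrowser", "100.0.2", "critical", date(2022, 2, 1)),
    Update("ExampleBrowser", "100.0.3", "medium", date(2022, 2, 10)),
    Update("ExampleOffice", "16.5", "high", date(2022, 2, 20)),
]
SAMPLE_ASSETS = [
    Asset("laptop-01", "ExampleBrowser", "100.0.1"),   # missing critical fix
    Asset("laptop-02", "ExampleBrowser", "100.0.2"),   # patched
    Asset("desktop-07", "ExampleOffice", "16.4"),      # window not closed yet
    Asset("printer-03", "ExamplePrinterFirmware", "2.1"),  # no feed tracked
]

if __name__ == "__main__":
    late, blind = overdue_updates(SAMPLE_ASSETS, SAMPLE_UPDATES, date(2022, 3, 1))
    for name, upd, days in late:
        print(f"{name}: {upd.product} {upd.fixed_version} ({upd.severity}) "
              f"is {days} day(s) past the 14-day window")
    for name in blind:
        print(f"{name}: no update feed for this product, status unknown")
```

In practice the update list comes from the vendors’ advisories or a vulnerability scanner rather than being typed in, and the version comparison needs to handle each vendor’s scheme, but the decision logic (severity filter, already-fixed check, release date plus 14 days) is exactly what an assessor will ask you to evidence.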
The certification will need to see detailed, up-to-date evidence of your adherence to each of the five security controls, and you’ll need to consider the best approach for your organization.
As with many other security or quality control frameworks, the key thing to remember is that achieving compliance doesn’t mean blanket security forever. Security should be a continuous process, but Cyber Essentials will provide the foundation.