The U.K. Cyber Essentials Security Scheme – a useful framework for small businesses in other countries!

In October 2014 the UK government created a low-cost, light-touch scheme called Cyber Essentials. It doesn’t introduce new concepts, controls or processes. It takes items from existing standards such as the ISO 27000 and NIST SP 800-53 publications and re-purposes them. 

To “encourage” use of the new Cyber Essentials scheme, all suppliers to the UK government must have a Cyber Essentials certification. Details of the scheme can be downloaded from the UK government’s home office website. The documents at this site provide full details on the Cyber Essentials scheme certification requirements. The assurance framework for the scheme has two stages, with a recognized certification awarded at both stages.

The first stage involves submitting a self-assessment for external review in order to achieve the Cyber Essentials certification.  This first business questionnaire is a good step for anyone to complete.  I completed one on my business and it gave me a clean bill of health, but also gave me a link to a “requirements.pdf” that lists out what a small business needs to do.  Keep in mind that this is the bare minimum of security that should be performed for any business.  Most large business will have a dedicated employee or group of employees performing this role.

The second stage is to pass a fully-independent external assessment in order to achieve the Cyber Essentials PLUS certification. The scheme requires evidence of security across five areas of cyber security. Boundary devices. Secure configuration. User access control. Malware protection. And patch management. The scheme is designed to ensure protection from internet-born attacks, where the adversaries have a low level of technical capability.  This part of the assessment needs to be performed if you do business in the UK, but for businesses outside of the UK do not need to take this step.

Its scope for the Cyber Essentials scheme includes desktop PCs, laptops, tablets, and smartphones. As well as internet connected services such as email and web applications.

There are five required areas which I will briefly summarize and explain.

The first requirement area for the scheme relates to boundary firewalls and internet gateways, which form the outer defenses against external attack. The password on these systems must be changed from the default password shipped with the system to something different and more secure. The firewall rules must be documented and authorized (reviewed), any obsolete rules should be removed.

The second area of cyber security covers the activity required to lock down IT equipment into a secure state. It includes activities to remove unnecessary default accounts, change default passwords, and removal or disabling of any unnecessary applications and services.  This area also requires that a personal firewall is installed on all PCs.

The third area is user access control. This has always been difficult to get right, with often too many people having legacy access still enabled and privileges that are higher than necessary. While this isn’t normally a problem, it becomes one when a hacker gets access to their account. As a result, the scheme looks for users to have the minimum privileges necessary to carry out their business requirements, a user ID and strong password used to control access, ensuring privileged accounts are not used for Internet activity, such as web browsing or email, as these are vectors for malware, and all accounts when no longer required, are disabled or removed.

The fourth area is malware protection.  The way software is developed and maintained means that all systems are vulnerable to malware, particularly when they’re connected to the Internet. This should be mitigated by installing antivirus software that includes Malware protection (or adding a separate malware software) and keeping its signatures up to date, using real-time protection.

The fifth and final area is patch management. Most software contains technical vulnerabilities, and when discovered they are exploited.  Keeping computers patched and current software running will mitigate risks associated with older versions of software.

Security is a very complex problem

I applaud the UK government for trying to simplify this complex issue as much as it did.  I also think that it did what it could to get more UK based small businesses to be aware of their role in securing the Internet.  Now if only all small businesses in the world could have some minimum base of security.

2021 Update

Having helped a company achieve this certification in 2019 and again in 2020, the process has changed significantly. There is a new automated website to enter data and the certification body is much more rigorous in validating the answers to questions it requires. Both of these mean that the certification is harder to obtain, but it is helpful in getting suppliers to the UK government much more secure.

If you do not have a security framework in place, please check out our blog post about how to start writing policies for your first ISMS.  CubedCorps has extensive experience in assisting in creating cyber security ISMS frameworks.  We have also developed various security frameworks processes and audit preparation.  Please reach out to us for more information