1. What is Cyber Essentials?

2. How it works

3. Why is Cyber Essentials important for smaller businesses?

4. What are the benefits of Cyber Essentials certification?

5. GFI Software and Cyber Essentials controls

6. Resources


What is Cyber Essentials?

Cyber Essentials is a UK government-backed initiative designed to help organisations guard against common cyberattacks and demonstrate their commitment to cybersecurity.

The scheme includes an action plan and a simple set of security controls to protect information from internet-based threats such as hacking, phishing and password guessing. Being fully compliant can reduce the vast majority of the cybersecurity risks organisations face.

According to the National Cyber Security Centre (NCSC): “Cyberattacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.”


How it works

To meet certification requirements, organisations must demonstrate that they have implemented five basic security controls:

  • Firewall: Use personal or boundary firewalls to secure the internet connection. Requires that organisations configure and use a firewall to protect their devices, especially those that connect to public or other untrusted Wi-Fi networks.

  • Secure configuration: Choose the most secure settings for devices and software. This includes changing default settings to increase security. Requires that only necessary accounts, applications and software be used.

  • User access control: Control who has access to data and services. Users should have only the required access to software, settings, online services and device connectivity to perform their roles. Administration privileges are only given to those who need them.

  • Malware protection: Protect the business from viruses and other malware. Requires that organisations use at least one of the following: anti-malware measures, whitelisting or sandboxing.

  • Patch management: Keep devices, applications and software up to date (patching). Operating systems, programs, devices and apps should be set to automatically update when possible.

There are two types of certifications. Both require organisations to declare or prove that they have the five controls in place.

With basic Cyber Essentials certification, the organisation completes a self-assessment questionnaire. A certification body evaluates the answers and performs an external vulnerability scan. This level is suitable for companies looking to demonstrate that they have adopted the five controls.

Cyber Essentials Plus includes the baseline assessments as well as an internal audit by a technical expert. The audit identifies security vulnerabilities (such as out-of-date software) that require remedial action to meet requirements. This level of certification is harder to achieve, but it demonstrates a higher level of security assurance.


Why is Cyber Essentials important for smaller businesses?

Small-to-medium-sized businesses (SMBs) are increasingly being targeted by hackers and cybercriminals. From 2019 to 2020, two-thirds of SMBs in the UK experienced a cyberattack.

A cybersecurity breach can seriously damage a company’s financial health and reputation, and the recovery process may be long and expensive. Some organisations may even go out of business. It is estimated that cyberattacks cost the small business community in the UK approximately £4.5 billion annually.

In spite of the risks, many SMBs are ill-prepared for a cyber breach. According to a recent Small Business Trends survey, 68% have no formal cybersecurity policies in place and 26% don’t have any measures at all. Limited budgets, insufficient staff training and lack of time were cited as the main obstacles.

Cyber Essentials is designed around the needs of smaller organisations, defined as those with up to 250 employees (commonly without an in-house security team). The scheme offers a simple, low-cost cybersecurity framework to help SMBs secure their IT environments. Being fully compliant can significantly reduce the cybersecurity risks they face.


What are the benefits of Cyber Essentials certification?

While the central benefit is protection against cyberattacks, Cyber Essentials offers business advantages too. Certification is an easy way to show that the organisation meets an industry standard and is committed to cybersecurity. Accreditation can be displayed on company websites and other media.

Suppliers, clients and partners may be more inclined to share their data with certified companies. What’s more, an organisation could attract new business with the promise that it has sanctioned cybersecurity measures in place.

Cyber Essentials is also mandatory for certain government contracts: the UK Government requires all suppliers bidding for contracts that involve the handling of sensitive and personal information to hold certification.


GFI Software and Cyber Essentials controls

Cyber Essentials certification requires organisations to adopt the five controls to prevent common cyberattacks. But maintaining these controls manually may not be feasible in terms of time and resources. Cybersecurity software can help.

GFI Software provides an array of solutions from firewalls to patch management, antivirus software and more to help protect your business against common cyber threats and attacks. More specifically, our solutions help you address 80% of your Cyber Essentials compliance requirements. The following shows you how our GFI products line up with four of the five required controls.

  • Firewall
    “Ensure that only safe and necessary network services can be accessed from the internet. … Every device must be protected by a correctly configured boundary firewall (or equivalent network device).”

    According to the NCSC: “A boundary firewall is a network device that can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyberattacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol.”

    GFI Kerio Control provides boundary firewall protection to block incoming threats and malware from the internet. The solution includes a next-generation firewall and router, gateway antivirus, and web content and application filtering.

    Intrusion detection and prevention (IDS/IPS) capabilities monitor inbound and outbound network communications for suspicious activity. You can also create inbound and outbound traffic policies to restrict communications by URL, application, traffic type, content category and even time of day.

  • Secure configuration
    “Ensure that computers and network devices are properly configured to reduce the level of vulnerabilities and provide only the services required to fulfil their role.”

    Among the requirements for this control:

    • Remove and disable unnecessary user accounts

    • Change any default or guessable account passwords

    • Remove or disable unnecessary software (including applications)

    GFI LanGuard automatically scans your IT environment for vulnerabilities to keep your network and applications safe. It provides a complete view of the elements in your network including devices, installed software and new hardware.

    Remediation capabilities allow you to deploy software patches, remove obsolete users and take other corrective action. With GFI LanGuard, you can run scans as often as needed, over the entire network or just in specific areas. Dashboards and reports keep you up to date on vulnerabilities and security issues.

  • Malware protection
    “Restrict execution of known malware and untrusted software to prevent harmful code from causing damage or accessing sensitive data.”

    “Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform malicious actions,” says the NCSC. “Potential sources of malware infection include malicious email attachments, downloads and direct installation of unauthorised software.”

    GFI MailEssentials is email protection software that can meet the anti-spam and anti-malware needs of your business. It provides 14 anti-spam filters, 4 antivirus engines, malware scanning and content filtering to protect against email threats.

    The software includes four anti-malware scanning engines, each with its own detection protocols. These integrated features enhance protection of your email environment to block email-borne viruses and other malware more effectively.

    Other GFI Software products provide additional protection. GFI Kerio Control includes an optionally integrated Kerio Antivirus service (Bitdefender), which helps prevent viruses, worms and spyware from entering your network. Network auditing with GFI LanGuard identifies unauthorised devices, applications and programs, which could be potential sources of malware.

  • Patch management
    “Ensure that devices and software are not vulnerable to known security issues for which fixes are available.”

    This control requires that software and applications are:

    • Licensed and supported

    • Removed when they are no longer supported

    • Updated automatically where possible

    • Updated within 14 days of a software update being released

    GFI LanGuard automates patch management to keep your software up to date. It scans your network for updates that are missing in applications and operating systems. The software also identifies missing patches in web browsers and in third-party software such as Adobe and Java products from other major vendors.

    With GFI LanGuard, you no longer have to manage updates manually. You can deploy patches automatically across the system, or deploy agents on specific machines for regular updates. If required, you can control which patches to install, or roll back a patch if you find problems.

    Beyond cybersecurity, there is an added benefit to regular patch management: many patches also fix software bugs, which can help your applications run better.
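    The patch management control above (and the fifth control listed under "How it works") is the one requirement on this page with a measurable deadline: updates applied within 14 days of release, and unsupported software removed. The following is an added example, not GFI code or part of the Cyber Essentials scheme, showing how an inventory export could be classified against that rule; host names, product names, versions and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Cyber Essentials: apply updates within 14 days of release; remove unsupported software.
PATCH_WINDOW = timedelta(days=14)


@dataclass
class InstalledSoftware:
    host: str
    name: str
    installed: str    # version currently installed
    latest: str       # latest version the vendor has released
    released: date    # release date of `latest`
    supported: bool   # vendor still provides security fixes


def assess(item: InstalledSoftware, today: date) -> str:
    """Classify one inventory entry against the patch management control.

    "unsupported"   -> software must be removed (no fixes will ever arrive)
    "compliant"     -> already on the latest version
    "due"           -> update available but still inside the 14-day window
    "non-compliant" -> update has been available for more than 14 days
    """
    if not item.supported:
        return "unsupported"
    if item.installed == item.latest:
        return "compliant"
    if today - item.released <= PATCH_WINDOW:
        return "due"
    return "non-compliant"


def remediation_report(inventory, today: date) -> dict:
    """Return {host: [entries needing action]} for an assessment on `today`."""
    report: dict = {}
    for item in inventory:
        status = assess(item, today)
        if status in ("unsupported", "non-compliant"):
            report.setdefault(item.host, []).append(f"{item.name} ({status})")
    return report


# Constructed sample inventory (hypothetical hosts, products and dates).
ASSESSMENT_DATE = date(2024, 3, 20)
SAMPLE_INVENTORY = [
    InstalledSoftware("ws-01", "Browser", "120.0", "121.0", date(2024, 3, 1), True),
    InstalledSoftware("ws-01", "PDF Reader", "23.1", "23.1", date(2024, 2, 10), True),
    InstalledSoftware("ws-02", "Browser", "120.0", "121.0", date(2024, 3, 1), True),
    InstalledSoftware("ws-02", "Legacy Tool", "1.0", "1.0", date(2019, 6, 1), False),
    InstalledSoftware("srv-01", "Java Runtime", "8u391", "8u401", date(2024, 3, 10), True),
]

if __name__ == "__main__":
    for host, items in remediation_report(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        print(host, "->", ", ".join(items))
```

    Entries classified as "due" are deliberately left out of the report so that a weekly run only raises items that have actually breached the window.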


Resources

Kerio Control - Essential security for SMBs
In this video, explore the main benefits and key features of GFI Kerio Control.

Watch the video

Discover why businesses depend on Kerio Control to protect their vital networks against threats
Watch this “deep dive” webinar and discover the value and simplicity of GFI Kerio Control.

Watch the webinar
