Cyber Essentials is a cybersecurity certification scheme launched by the UK Government in 2014. It is designed to help organisations protect themselves against common cyber threats and improve their overall cybersecurity posture. The scheme is based on a set of five basic technical controls that organisations should implement to achieve a basic level of cybersecurity.
Boundary firewalls and internet gateways
Boundary firewalls and internet gateways are crucial elements to protect an organisation’s network from unauthorised access and cyber threats. These components act as barriers between the organisation’s internal network and the external internet, controlling inbound and outbound traffic based on predetermined security rules.
To comply with the Cyber Essentials requirements related to boundary firewalls and internet gateways, organisations must implement the following measures:
Install and enable firewalls
Ensure a firewall is installed at the network’s edge, separating it from the public internet. Firewalls should also be deployed between different internal network segments if they have varying security requirements.
Configure firewalls and gateways securely
Default settings should be changed, and security policies should be defined to permit only necessary traffic. This includes blocking all unauthorised incoming connections and restricting outgoing connections to a minimum required set.
Regularly review and update firewall rules
Firewall rules should be periodically reviewed and updated to maintain the organisation’s security posture. This includes removing any obsolete or overly permissive rules.
Disable unnecessary services and ports
Only services and ports required for business operations should be enabled, while all others should be disabled to reduce the potential attack surface.
Implement a secure remote access solution
If remote access to the organisation’s network is necessary, a secure solution, such as a Virtual Private Network (VPN) with strong encryption, should be used. Access should be granted on a need-to-know basis and monitored regularly.
Regularly test and update firewalls and gateways
Firewalls and internet gateways should be updated with the latest security patches and firmware updates. Regular testing should be conducted to ensure that they continue to provide adequate security.
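The rule review described above can be partly automated. The following is an added example, not part of the Cyber Essentials material or any vendor tool: it parses a constructed, simplified rule export (the CSV layout is hypothetical; real exports differ by vendor) and flags rules that allow inbound traffic from any source to any host, rules that allow any service, rules that have matched no traffic for a long time, and the absence of an explicit inbound default-deny rule.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample ruleset in a hypothetical export format:
# name,direction,action,source,destination,service,last_hit
SAMPLE_RULES = """\
allow-web-in,in,allow,any,10.0.1.10,tcp/443,2024-05-20
allow-ssh-in,in,allow,any,any,tcp/22,2024-05-21
legacy-ftp,in,allow,any,10.0.1.12,tcp/21,2022-11-02
allow-dns-out,out,allow,10.0.0.0/16,10.0.0.53,udp/53,2024-05-21
allow-all-out,out,allow,any,any,any,2024-05-21
default-deny,in,deny,any,any,any,2024-05-21
"""

@dataclass
class Rule:
    name: str
    direction: str
    action: str
    src: str
    dst: str
    service: str
    last_hit: date

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        n, d, a, s, t, p, h = line.split(",")
        rules.append(Rule(n, d, a, s, t, p, date.fromisoformat(h)))
    return rules

def audit(rules, today, stale_days=180):
    """Return {rule name: [issues]} for rules a reviewer should look at."""
    today = date.fromisoformat(today)
    findings = {}
    for r in rules:
        issues = []
        if r.action == "allow" and r.direction == "in" and r.src == r.dst == "any":
            issues.append("inbound allow from any source to any host")
        if r.action == "allow" and r.service == "any":
            issues.append("allows any service")
        if (today - r.last_hit).days > stale_days:
            issues.append(f"no traffic matched in {stale_days} days; candidate for removal")
        if issues:
            findings[r.name] = issues
    # The ruleset should end in an explicit deny of all other inbound traffic
    if not any(r.direction == "in" and r.action == "deny" and r.src == r.dst == r.service == "any"
               for r in rules):
        findings["_policy"] = ["no explicit default-deny inbound rule"]
    return findings
```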
Secure configuration
Secure configuration is a critical aspect of the Cyber Essentials scheme. It ensures that the systems within an organisation are set up with proper security measures to minimise vulnerabilities and protect against cyber threats. To comply with the Cyber Essentials requirements related to secure configuration, organisations should follow these best practices:
Change default settings
Default usernames, passwords, and other system settings should be changed before deployment to prevent unauthorised access. Default accounts that are not needed should be removed or disabled.
Remove or disable unnecessary software, services, and features
Unneeded software, services, and features can increase an organisation’s attack surface. Removing or disabling these components can reduce potential entry points for attackers.
Implement the principle of least privilege
Users should be granted the minimum access required to perform their job functions. Administrative privileges should be restricted to a limited number of users, and access should be regularly reviewed and updated.
Use strong, unique passwords
Require strong, unique passwords for all user accounts, and enforce periodic password changes. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.
Keep systems up to date
Regularly apply security patches and updates to operating systems, software, and firmware. Establish a patch management process to ensure timely updates and minimise the risk of known vulnerabilities being exploited.
Harden systems according to best practices
Follow industry-standard guidelines and best practices for hardening systems, such as the Center for Internet Security (CIS) Critical Security Controls or vendor-specific hardening guides.
Secure network devices
Configure routers, switches, and other network devices with appropriate security settings and keep their firmware current.
Implement secure backups
Regularly back up important data and store it securely, preferably offsite. Test backup and restore procedures periodically to ensure they function correctly.
Enable logging and monitoring
Configure systems to log security-related events and regularly review these logs to detect potential security incidents. Implement monitoring solutions to provide real-time visibility into system events.
Access control
Access control is an essential component of the Cyber Essentials scheme. It helps organisations manage who has access to their systems and data, thereby reducing the risk of unauthorised access and data breaches. To comply with the Cyber Essentials requirements related to access control, organisations should implement the following best practices:
Implement the principle of least privilege
Ensure that users have the minimum access required to perform their job functions. Limit the number of users with administrative privileges, and restrict access to sensitive systems and data on a need-to-know basis.
Use strong, unique passwords
Enforce strong, unique passwords for all user accounts, and require periodic password changes. Encourage password managers to help users securely store and manage their passwords.
Implement multi-factor authentication (MFA)
Wherever possible, use MFA to add an extra layer of security. This requires users to provide additional verification, such as a fingerprint or one-time code, in addition to their password when logging in.
Manage user accounts
Regularly review and update user accounts, removing or disabling those that are no longer required or have not been used for an extended period. Monitor account activity for signs of unauthorised access or suspicious behaviour.
Control remote access
If remote access to the organisation’s network is necessary, implement a secure solution, such as a Virtual Private Network (VPN) with strong encryption. Grant remote access on a need-to-know basis, and monitor usage regularly.
Separate user and administrative accounts
Users with administrative privileges should have separate accounts for their regular and administrative tasks. This helps to prevent accidental changes or unauthorised access to sensitive systems.
Train employees on security awareness
Provide regular training on access control best practices, password management, and other security topics. Educate employees about the risks of phishing attacks and how to identify and report them.
Monitor and log access
Configure systems to log access events and regularly review these logs to detect potential security incidents. Implement monitoring solutions to provide real-time visibility into access events.
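Reviewing access logs for "signs of unauthorised access" (the account management and monitoring points above) is easier with a small amount of detection logic. The following is an added example, not part of the Cyber Essentials material: it runs over constructed OpenSSH-style authentication lines and raises alerts for a burst of failed logins from one source, a successful login from a source that had just failed repeatedly, and any login to an account the account review has already marked as disabled. The threshold, window and disabled-account list are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH sshd syslog format
SAMPLE_LOG = """\
May 21 09:00:01 gw sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
May 21 09:00:03 gw sshd[1202]: Failed password for alice from 203.0.113.5 port 51001 ssh2
May 21 09:00:05 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
May 21 09:00:06 gw sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2
May 21 09:00:08 gw sshd[1205]: Failed password for alice from 203.0.113.5 port 51004 ssh2
May 21 09:00:09 gw sshd[1206]: Accepted password for alice from 203.0.113.5 port 51005 ssh2
May 21 09:30:00 gw sshd[1300]: Accepted publickey for bob from 10.0.2.15 port 40000 ssh2
May 21 23:10:00 gw sshd[1400]: Accepted password for contractor from 198.51.100.7 port 42000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")

# Constructed: accounts the periodic account review marked as leavers/disabled
DISABLED_ACCOUNTS = {"contractor"}

def parse(text):
    """Return (timestamp, outcome, user, source) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, threshold=4, window=timedelta(minutes=5)):
    alerts = []
    recent = defaultdict(deque)  # source address -> timestamps of recent failures
    for ts, outcome, user, src in events:
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures outside the sliding window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) == threshold:  # alert once when the burst crosses the threshold
                alerts.append(f"{src}: {threshold} failed logins within {window}")
        else:
            if len(q) >= threshold:  # success right after a burst of failures
                alerts.append(f"{src}: successful login for {user} after {len(q)} recent failures")
            if user in DISABLED_ACCOUNTS:
                alerts.append(f"{src}: login to disabled account {user}")
    return alerts
```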
Malware protection
Malware protection is a key component of the Cyber Essentials scheme. It helps organisations defend against various types of malicious software, including viruses, worms, ransomware, and other threats that can compromise systems, steal data, or disrupt operations. To comply with the Cyber Essentials requirements related to malware protection, organisations should implement the following best practices:
Install antivirus and antimalware software
Ensure that all systems, including servers, desktops, and laptops, have antivirus and antimalware software installed. Choose reputable and trusted security solutions that provide comprehensive protection.
Keep security software up to date
Regularly update antivirus and antimalware software with the latest virus definitions and signatures to ensure protection against newly discovered threats. Configure the software to update automatically, if possible.
Enable real-time scanning
Configure the antivirus and antimalware software to perform real-time scanning, continuously monitoring systems for signs of malware activity and blocking threats before they can cause damage.
Regularly scan systems for malware
In addition to real-time scanning, schedule regular full system scans to detect and remove any malware that may have slipped through the real-time protection.
Implement email security measures
Use email security solutions to filter out spam, phishing emails, and messages containing malicious attachments or links. Train employees on how to recognise and report phishing attempts.
Control the use of removable media
Limit the use of removable media, such as USB drives, to reduce the risk of malware being introduced to the network. Implement policies and technical controls to manage removable media, and scan all media for malware before allowing it to be used on organisational systems.
Keep operating systems and applications up to date
Regularly apply security patches and updates to operating systems, software, and firmware to close known vulnerabilities that malware could exploit.
Restrict software installation
Limit the ability of users to install new software on their devices and maintain a whitelist of approved applications to prevent unauthorised or potentially malicious software from being installed.
Educate employees about malware risks
Provide regular training on malware risks, safe internet browsing practices, and identifying and reporting suspicious files or activity.
Patch management
Patch management is a vital component of the Cyber Essentials scheme. It helps organisations keep their systems, software, and devices up to date, reducing the risk of exploitation by cyber threats that target known vulnerabilities. To comply with the Cyber Essentials requirements related to patch management, organisations should implement the following best practices:
Establish a patch management policy
Develop a comprehensive policy outlining the organisation’s approach to patch management, including roles and responsibilities, procedures, and timelines for applying patches and updates.
Inventory and prioritise systems
Maintain an up-to-date inventory of all hardware and software assets within the organisation. Identify and prioritise critical systems, applications, and devices that require more immediate attention when patches are available.
Monitor for updates and vulnerabilities
Regularly monitor vendor websites, security bulletins, and other trusted sources for information on new patches, updates, and vulnerabilities that affect your organisation’s systems and software.
Assess and test patches
Before deploying patches, assess their relevance to your environment and test them in a controlled environment, if possible, to ensure they do not introduce new issues or incompatibilities.
Schedule and deploy patches
Establish a schedule for applying patches based on their criticality and the organisation’s risk tolerance. Deploy patches in a timely manner, adhering to the schedule and prioritising critical updates that address high-risk vulnerabilities.
Automate patch management when possible
Use patch management tools and software to automate the monitoring, testing, and deployment of patches, streamlining the process and reducing the risk of human error.
Manage exceptions
Develop a process for managing exceptions when patches cannot be applied immediately, such as when they are incompatible with existing systems or require extensive testing. Implement compensating controls or workarounds to mitigate the risks associated with the unpatched vulnerability.
Track and report on patch management activities
Keep records of all patch management activities, including identifying, assessing, testing, and deploying patches. Regularly report on the organisation’s patch management performance and compliance with the established policy.
Educate employees and raise awareness
Provide training and awareness programs to educate employees on the importance of patch management and their role in maintaining up-to-date systems.
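The inventory, prioritisation, scheduling and reporting steps above come together in a simple patch-status report. The following is an added example, not part of the Cyber Essentials material: it compares a constructed asset inventory against constructed vendor advisories, derives a deadline for each missing patch from its severity, lists critical business systems first, and computes how much of the outstanding work is still within deadline. The severity deadlines, asset tiers and version numbers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: days allowed from vendor release to deployment, by severity
DEADLINE_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}

@dataclass
class Asset:
    host: str
    tier: str          # "critical" business system or "standard"
    software: dict     # product name -> installed version tuple

@dataclass
class Advisory:
    software: str
    fixed: tuple       # first version containing the fix
    severity: str
    released: date

# Constructed inventory and advisories
INVENTORY = [
    Asset("fin-db-01", "critical", {"postgres": (15, 3), "openssl": (3, 0, 9)}),
    Asset("web-01", "standard", {"nginx": (1, 24, 0), "openssl": (3, 0, 13)}),
    Asset("hr-laptop-07", "standard", {"browser": (120, 0)}),
]
ADVISORIES = [
    Advisory("openssl", (3, 0, 13), "high", date(2024, 4, 1)),
    Advisory("postgres", (15, 6), "medium", date(2024, 5, 10)),
    Advisory("browser", (124, 0), "critical", date(2024, 5, 15)),
]

def outstanding(inventory, advisories, today):
    """Unapplied patches with deadline and overdue days; critical assets and worst overdue first."""
    today = date.fromisoformat(today)
    rows = []
    for asset in inventory:
        for adv in advisories:
            installed = asset.software.get(adv.software)
            if installed is None or installed >= adv.fixed:
                continue  # product not present, or already at a fixed version
            deadline = adv.released + timedelta(days=DEADLINE_DAYS[adv.severity])
            rows.append({"host": asset.host, "tier": asset.tier, "software": adv.software,
                         "severity": adv.severity, "deadline": deadline.isoformat(),
                         "overdue_days": max(0, (today - deadline).days)})
    rows.sort(key=lambda r: (r["tier"] != "critical", -r["overdue_days"]))
    return rows

def compliance(rows):
    """Share of outstanding patches still inside their deadline (1.0 when nothing is outstanding)."""
    return 1.0 if not rows else sum(r["overdue_days"] == 0 for r in rows) / len(rows)
```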