In 2012, HM Government launched the 10 Steps to Cyber Security in an effort to make clear that risks to information should be taken as seriously as financial, regulatory, legal or operational risk. The 10 Steps to Cyber Security programme provided guidance on how an organisation might approach the task of making security an integral part of its business.
There are some limitations with the 10 Steps to Cyber Security. They are guidelines that companies should follow, but they contain no method or guidance for verifying that the controls have actually been implemented appropriately. Organisations were not required to implement the recommended controls, and the guidance did not change the mentality that some organisations had towards security. After all, it is easy to assume that it is a problem other organisations face and unlikely to affect you – until it is too late.
Cyber Essentials takes the idea behind the 10 Steps to Cyber Security and outlines a baseline set of security controls that organisations can be audited against.
Whilst NCSC have mandated Cyber Essentials certification as a requirement for those organisations tendering for government contracts, the scheme is designed for a much wider audience. Cyber Essentials was created by looking at four years’ worth of successful cyber-attack data, and extrapolating the primary control failures. The findings indicated that 80% of successful attacks were a result of basic control failures and not, as most people thought, specialised attacks.
NCSC, through the use of Cyber Essentials, aims to help all businesses, large and small, improve their baseline security by assessing them against five basic controls:
- Boundary firewalls and internet gateways – devices designed to prevent unauthorised access to or from private networks. Whether implemented in hardware or software, these devices must be set up correctly to be fully effective.
- Secure configuration – ensuring that systems are configured in the most secure way for the needs of the organisation.
- Access control – ensuring that only those who should have access to systems have it, and at the appropriate level of privilege.
- Malware protection – ensuring that virus and malware protection is installed and kept up to date.
- Patch management – ensuring that the latest supported version of each application is in use and that all necessary vendor-supplied patches have been applied.
If the controls in place are suitable, the organisation receives Cyber Essentials certification, along with branding guidelines that allow it to market itself as having passed Cyber Essentials. This gives a clear competitive edge when applying for non-government work, as potential customers can quickly identify companies that have implemented basic cyber security controls.
While Cyber Essentials encourages companies to review the controls they implement at a basic level, certification does not mean a company is free of all risk. Cyber Essentials will not protect your organisation against targeted attacks, but it is a first step in the right direction, and NCSC hope it will provide a good foundation for organisations to build upon.