
11 May 2021

10 Things You Might Not Know About Cyber Essentials

 
IASME delivers Cyber Essentials on behalf of UK NCSC
By Sam Jones | Cyber Tec Security and Dave Whitelegg

What is Cyber Essentials? If you are just hearing about the Cyber Essentials scheme, read on as we unpack 10 things you might not know about it.

1. UK Gov Launched Cyber Essentials in 2014
The UK Government published its '10 Steps to Cyber Security' guidance in 2012 (now maintained by the National Cyber Security Centre, NCSC), after government agencies recognised that small and medium-sized UK businesses needed further cybersecurity guidance and support in order to protect Britain's digitally dependent economy.

This led to the development of five critical 'cyber essentials' technical security controls, which together provide a minimum level of cybersecurity protection. Assurance that an organisation has adopted these five controls gives a good degree of confidence that it is protected against the most common cyber threats, and so the UK Cyber Essentials certification scheme was born.

2. IASME is the Sole Partner of the NCSC in delivering the Cyber Essentials Scheme
As of April 2020, the IASME Consortium (Information Assurance for Small and Medium Enterprises) holds the contract to be the sole delivery partner for the Cyber Essentials scheme on behalf of the NCSC. Prior to this, there were five different accreditation bodies operating under differing methodologies. To reduce confusion around the scheme and to streamline the certification process, the NCSC decided to move to a single accreditation body, IASME.

IASME now oversees a large number of Certification Bodies based around the UK, all of which have qualified assessors able to certify businesses looking to achieve the certification.

3. Cyber Essentials is the only UK Government Cybersecurity Standard
Although there are other cyber certifications available, Cyber Essentials is the only scheme designed and backed by the UK Government. Holding the certification is a mandatory requirement for suppliers bidding on many UK central government contracts, notably those involving the handling of personal information or the provision of certain ICT products and services, and on Ministry of Defence (MOD) contracts; many local authorities also require it of their suppliers.

Although a UK standard, businesses outside the UK can be, and are, Cyber Essentials certified.

4. There are Two Levels to the Cyber Essentials Scheme
The scheme is designed with small and medium-sized businesses in mind, offering a low-cost and straightforward way to start their cybersecurity journey and protecting UK businesses from the most common cyber threats.

To make the scheme more flexible, there are two levels: Cyber Essentials and Cyber Essentials Plus.
  • Cyber Essentials requires the five basic security controls to be self-assessed and recorded on an IASME-provided secure web portal; a qualified assessor then reviews the answers provided. This simple self-certification costs around £300.
  • Cyber Essentials Plus (CE+) provides a higher level of assurance than the regular Cyber Essentials, so it suits businesses striving to further demonstrate their cybersecurity posture to clients. Some clients may even require CE+ certification as a contractual clause for their security assurance. The CE+ assessment requires an external assessor to technically test and verify that the five Cyber Essentials controls are in place and meet the requirements. The cost of a CE+ assessment will depend on the size and complexity of your business's IT network.
5. Cyber Essentials has to be Renewed every 12 months
Cyber Essentials certifications must be renewed every year, to demonstrate the business is still aligned with the standard's requirements. However, despite certification resting on a point-in-time security assessment, it is important that the Cyber Essentials security requirements are met continuously. This is comparable to taking your car in for an MOT: your car may be deemed road-safe on the day it passes all the MOT checks, but if it becomes unroadworthy a couple of weeks later, the MOT certificate does not make it safe, nor does it excuse you from the legal requirement to keep it roadworthy. Therefore, with Cyber Essentials, you must keep verifying compliance with the security requirements outside of the annual certification process, otherwise your business will not benefit from the protection the controls provide.

6. Achieving Cyber Essentials is Often Quick
Too many businesses put cybersecurity on the back burner because they lack the understanding and the time to properly assess their cyber controls and risks. Achieving Cyber Essentials certification does not need to take weeks. The Cyber Essentials assessment approach provides guidance to help identify and remediate any security shortcomings found, so you can bring your environment into line with the scheme, obtain certification, and use it to demonstrate your business's compliance to other parties.

Of course, the time to complete a Cyber Essentials certification will depend on the extent of the remediation work required. However, you do not need to be a security expert to fix the typical issues, as expert security guidance is provided through the online assessment process. Some businesses without outstanding security issues have completed a Cyber Essentials assessment and received their IASME Cyber Essentials certificate within 24 hours.

7. Cyber Essentials reduces the risk of ICO Financial Penalties
The UK Information Commissioner's Office (ICO) regulates privacy rights and data protection compliance under the Data Protection Act 2018 and UK GDPR for any organisation which processes and/or stores the personal information of UK residents. Failure to safeguard UK personal data from cyber-attacks can result in the ICO issuing eye-watering monetary penalties. The maximum is the higher of £17.5 million or 4% of annual global turnover (based on the previous financial year). Recent penalties have involved Ticketmaster UK, Marriott International, and British Airways, the latter of which was fined £20m.

Adopting the Cyber Essentials controls helps to protect personal data. The ICO works closely with the NCSC and is understood to look favourably on organisations that have obtained Cyber Essentials certification and then suffer a breach, treating it as evidence that reasonable security measures were in place, which may reduce the chance of a higher regulatory fine being imposed.

8. Cyber Essentials is for Big and Small UK Organisations
The Cyber Essentials certification has been adopted by many big names, including the likes of Vodafone, Deloitte, Accenture, BP and Barclays Bank. However, the scheme was very much developed with UK SME cybersecurity in mind. Adopting Cyber Essentials is a crucial first step for SMEs in taking their cybersecurity obligations more seriously, with a certification demonstrating security assurance both to customers and suppliers.

Small businesses are frequently targeted and are hit hardest by cyber-attacks, although it doesn't seem that way given it's the large blue-chip companies that tend to dominate the media headlines when it comes to cyber-attack and data breach reporting. While larger companies can afford to absorb the often heavy cost of a cyber-attack, it tends to be a different story for small businesses, where a serious cyber-attack can lead to the business permanently closing.

SMEs are commonly in the supply chain of larger organisations, and as such are targeted by cybercriminals seeking to gain access to those organisations, given IT security is often a lot weaker at the SME than at the attacker's ultimate target. Once SME systems are compromised, it can be straightforward for an attacker to pivot through the supply chain relationship into the target organisation.

9. Cyber Essentials is still needed if other Security Certifications like ISO 27001 are in place
ISO 27001 is a popular, internationally recognised certification for an information security management system (ISMS). Holding ISO 27001 certification does not make Cyber Essentials an unnecessary additional certification; the two standards complement each other well. ISO 27001 is risk-based and leaves the choice of controls to the organisation, whereas Cyber Essentials prescribes a fixed set of technical controls that must be in place.

Cyber Essentials provides a prescriptive set of security requirements, which in turn gives confidence that a fundamental, industry-recognised set of good-practice technical controls is in place and effective. This is one of the reasons why Cyber Essentials is increasingly used to assure the security of supply chains as part of due diligence.

10. The USA is a Big Supporter of the Cyber Essentials approach
Following the UK scheme's early success, the United States Cybersecurity and Infrastructure Security Agency (CISA) published its own guide, also named Cyber Essentials, introducing the culture of cyber readiness to small businesses and government agencies to guide them on their cybersecurity journey.

Alongside other international frameworks such as the NIST Cybersecurity Framework, Cyber Essentials is a fantastic approach for those wanting to better understand their organisation's cybersecurity defences and the best practices for improving them.

19 November 2019

A UK Small Business is hacked every 19 seconds

Small UK businesses bear the brunt of cyberattacks according to the latest industry reports. SecureTeam have crunched the numbers and put together an InfoGraphic which depicts how cybercrime is impacting UK small business. They have concluded UK small businesses are targeted with 65,000 cyberattacks per day, with one small business hacked every 19 seconds!

As expected, email is by far the most commonly used attack vector, and the security posture of small businesses is not robust enough to withstand cyber-attacks, something the cybercriminals clearly understand.


09 October 2019

NCSC Cyber Essentials Scheme to be Streamlined

The UK National Cyber Security Centre (NCSC) Cyber Essentials Scheme is to be streamlined from 1st April 2020, with IASME named as sole partner.

It will become easier for UK businesses to protect themselves from the most common cyber-attacks as the UK government-backed cybersecurity scheme is streamlined.
  • The Cyber Essentials Scheme is supported by the UK government to help businesses guard against the most common cyber threats.
  • Over 30,000 UK businesses have gained Cyber Essentials certification since its launch in 2014 and this number is growing year on year.
  • Naming IASME as the sole Cyber Essentials partner will streamline and grow the Scheme and ensure it keeps pace with the changing nature of the cybersecurity threat.
Cyber Essentials Scheme launched in 2014

Since its launch in 2014 the Cyber Essentials Scheme has helped to protect over 30,000 UK businesses from the most common cyber-threats. NCSC and IASME are committed to growing the Scheme, recognising its role in helping to make the UK one of the safest places to live and do business online.

The Cyber Essentials Scheme was developed to protect organisations against low-level “commodity threats”. It focuses on the five most important technical security controls that businesses should have in place to prevent malicious attacks. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber-attacks over the last few years.

The success of Cyber Essentials Scheme means that it remains at the heart of the UK Government’s National Cyber Security Strategy, but an extensive consultation process highlighted the need to evolve the Scheme.

Since its launch, Cyber Essentials has been delivered through multiple Accreditation Bodies and their respective Certification Bodies. In order to simplify the customer experience and improve consistency, the NCSC has appointed a single Cyber Essentials partner to take over running the Scheme from 1st April 2020. This will make the Scheme easier to run on a day-to-day basis and streamline the development process to ensure Cyber Essentials remains relevant. From now until 1st April 2020 the Scheme will be very much business as usual, with organisations able to gain certification from all five Accreditation Bodies.

The current Certification Bodies have been instrumental in the success of the Cyber Essentials Scheme. Existing Certification Bodies will be encouraged to apply to the new Cyber Essentials Partner to continue to provide Cyber Essentials as part of the revised scheme. The Scheme also welcomes new Certification Bodies or anyone from the cyber security industry interested in promoting the Scheme.

IASME Chief Executive, Dr Emma Philpott, MBE, said: “We are extremely excited about the prospect of working in partnership with the NCSC to develop and grow the Cyber Essentials scheme. We have seen such a positive effect already over the last 5 years where Cyber Essentials has increased the basic levels of security across all sectors. We are so pleased that we can be part of the future developments, working closely with the excellent Certification Bodies, trade bodies, police and other key stakeholders, to ensure further growth of the scheme.”

Anne W, NCSC Head of Commercial Assurance Services, added: “The NCSC is looking forward to working in partnership with the IASME team to ensure that the scheme continues to evolve and meet the cyber security challenges of tomorrow; a scheme that puts cyber security within reach of the vast majority of UK organisations.”

28 January 2019

43% of Cybercrimes Target Small Businesses - Are You Next?

Cybercrimes cost UK small companies an average of £894 in the year ending February 2018. Small businesses are an easy target for cyber crooks, so it's little surprise that around 43% of cybercrime is committed against small businesses. According to research conducted by EveryCloud, there is much more at stake than a £900 annual loss, with six out of ten small businesses closing within six months of a data breach.

Damage to a small company's reputation can be difficult to repair and recover from following a data breach. Since the GDPR data privacy law came into force in May 2018, companies face significant financial sanctions from regulators if found negligent in safeguarding personal information. Add in the potential for civil suits and the costs start mounting up fast, which could even turn into a business killer. A case in point is political consulting and data-mining firm Cambridge Analytica, which went under in May 2018 after being implicated in data privacy issues related to its use of personal data held on Facebook. However, most small businesses taken out by cyber-attacks don't have the public profile to make the headlines.

Most big companies have contingency plans and resources to take the hit from a major cyber-attack; although such attacks prove highly costly to big business, the vast majority are able to recover and continue trading. Working on a tight budget, small businesses simply don't have the deep pockets of big business. Cyber resilience is not a high priority in most small business strategies, since, as you might imagine, business plans are typically very growth-focused.

Cyber resilience within small businesses need not be difficult, but it does involve going beyond installing antivirus. A great starting point is the UK National Cyber Security Centre's Cyber Essentials Scheme, a simple but effective approach to help businesses protect themselves from the most common cyber attacks. You’ll also need to pay attention to staff security awareness training in the workplace.

Every employee must ensure that the company is protected from attacks as much as possible. It’s your responsibility to make sure that everyone understands this and knows what preventative measures to put in place.

It may cost a few bob, but getting an expert in to check for holes in your cybersecurity is a good place to start. They can check for potential risk areas and also educate you and your staff about security awareness.

We all know the basics, but how many times do we let convenience trump good common sense? For example, how many times have you used the same password when registering for different sites?

How strong is the password that you chose? If it’s easy for you to remember, then there’s a good chance that it’s not as secure as you’d like. If you’d like more tips on keeping your information secure, then check out the infographic below.


02 October 2017

Cyber Security Roundup for September 2017

A massive data breach at Equifax dominated the UK media finance headlines this month, after 143 million customer records were compromised by a cyber-attack, 400,000 of which were UK customer accounts. Hackers took advantage of Equifax's negligence in not applying security updates to its servers, exploiting a known vulnerability in the Apache Struts web framework for which a patch had been available for months. The data breach has already cost the CEO, CIO and CISO their jobs. In the UK, Equifax faces investigations and the prospect of significant fines from both the Financial Conduct Authority and the Information Commissioner's Office, over the loss of UK customer financial and personal data respectively.

Hackers stole a quarter of a million Deloitte client emails. Following the breach, Deloitte was criticised by security professionals for not enforcing two-factor authentication on the administrator account protecting the email data it hosted in Microsoft's Azure cloud service.

September was an extremely busy month for security updates, with major patch releases by Microsoft, Adobe, Apache, Cisco and Apple to fix an array of serious security vulnerabilities, including BlueBorne, a set of Bluetooth flaws which exposes billions of devices to remote code execution and man-in-the-middle attacks.

UK government suppliers using Kaspersky to secure their servers and endpoints may well be feeling a bit nervous about the security software after Kaspersky products were banned from US federal government systems. The US Senate accused the 20-year-old Russian-based security company of being a pawn of the Kremlin and posing a national security risk. Given the close ties between the US and UK intelligence agencies, there are real fears it could lead to a similar ban in the UK as well. A UK ban could, in theory, be quickly extended to UK government suppliers through the Cyber Essentials scheme, given that Cyber Essentials certification is required of many UK government suppliers.

While on the subject of Russia, the English FA has increased its cybersecurity posture ahead of next year's World Cup, likely due to concerns about the Russian Fancy Bears hacking group. The group has already targeted a number of sports bodies in recent months, including hacking and releasing football players' doping records last month.

In the last couple of weeks, I was interviewed for Science of Security, and I updated my IBM developerWorks article on Combating IoT Cyber Threats.
