
Understanding Cyber Essentials’ five core technical controls


Some 75,000 Cyber Essentials certificates have been issued since the launch of the security benchmark established by the NCSC, the agency said this week in its annual report. That means just 1.3% of the UK’s 5.6 million* private businesses have been awarded the respected cybersecurity certificate. So what does Cyber Essentials require? The certificate specifies requirements under five technical control schemes:

These are provided to the certifying body via a verified self-assessment that costs just £300+VAT. Better yet, companies with a turnover under £20 million that achieve self-assessed certification covering their whole organisation are entitled to free cyber insurance covering data breaches, ransomware and more (up to £25,000).

There’s a host of certification bodies out there that can help you.

Cyber Essentials certification aims to give you “peace of mind that your defences will protect against the vast majority of common cyber attacks”, as the NCSC puts it – it will also allow you to bid for central government contracts. What does Cyber Essentials require, specifically? The Stack took a closer look at the requirements – which were updated in April 2021 to reflect changes to wording around VPNs, BYOD, requirements around third-party account access and software firewalls (among a number of other changes detailed by partner IASME here).

Although it aims to simply help organisations remove low hanging fruit that may draw attacks, as one CIO who works extensively with SMEs told The Stack this week “Things like Cyber Essentials can actually be quite hard to achieve in legacy environments where things have been allowed to get out of date; particularly in industries like manufacturing, where there’s often legacy operational technology to worry about as well.”

What does Cyber Essentials require?

1: Firewalls

The firewall requirements apply to: boundary firewalls; desktops; laptops; routers; servers.

Every device that is in scope must be protected by a correctly configured firewall (or equivalent network device). Applicants wanting to meet the Cyber Essentials requirements must routinely:

2: Secure Configuration

The secure configuration requirements apply to: email, web, and application servers; desktop computers; laptop computers; tablets; mobile phones; firewalls; routers and aim to minimise inherent vulnerabilities.

It is designed to reduce the risk from default configurations, as well as brute force attacks.

Cyber Essentials requirements for this category are:

Applicants should also have a password policy that tells users:

3: User Access Control

The user access control Cyber Essentials requirements apply to email, web and application servers; desktops, laptops, tablets; and mobile phones, and are designed to reduce the risk of hackers accessing admin accounts.

The Applicant must be in control of its user accounts and the access privileges granted to each user account. It must also understand how user accounts authenticate and control the strength of that authentication. This means the Applicant must:

4: Malware Protection

Cyber Essentials applicants need to implement a malware protection mechanism on all devices in scope (desktops, laptops, tablets, mobiles) and use at least one of the three mechanisms listed below:

Anti-virus software

Application whitelisting

Application sandboxing

All code of unknown origin must be run within a ‘sandbox’ that prevents access to other resources unless permission is explicitly granted by the user. This includes:

5: Security Update Management

Applies to web, email and application servers; desktops, laptops; tablets; mobile phones; firewalls; routers.

The Applicant must keep all software up to date (and this is where it can get most problematic for SMEs running hardware on legacy boxes with complex and not always clearly understood dependencies.)

The NCSC says software must be:

*Needless to say, not all of the UK’s 5.6 million private businesses are large enough to want to consider the certificate. Many are sole traders. There are still hundreds of thousands, if not millions of SMEs for whom the low cost and sensible nature of the controls it requires mean it would be a great idea to get certificated.
