Category Archives: Cyber Essentials

NCSC announces major change to the Cyber Essentials scheme

Over the past five years, the Cyber Essentials scheme has been vital in helping protect organisations from some of the most common causes of data breaches.

However, the NCSC (National Cyber Security Centre) has announced a change to the way the scheme is run. From April 2020, the five Cyber Essentials accreditation bodies will be replaced by one, the IASME Consortium.

There will be a transition period, with the current scheme operating as normal until 31 March 2020.

After that date, new applications will be handled under the revised Cyber Essentials scheme through the IASME Consortium. Organisations still in the process of seeking certification will have until 30 June 2020 to complete their application.

Does this affect IT Governance?

In support of this change, IT Governance will become an IASME-accredited certification body from April next year.

We will continue to provide the high level of cost-effective ongoing service our clients expect from us and will ensure the transition to the new arrangements is seamless.

In the meantime, and in line with current arrangements supported by the NCSC, our clients will continue to be certified under CREST, and all existing and new certifications will continue to be valid and in line with current requirements.

You can find out more about Cyber Essentials and the ways IT Governance can help you certify on our website.

The post NCSC announces major change to the Cyber Essentials scheme appeared first on IT Governance Blog.

NCSC Cyber Essentials Scheme to be Streamlined

The UK National Cyber Security Centre (NCSCCyberEssentials Scheme is to be streamlined from 1stApril 2020, with IASME named as sole partner.

It will become easier for UK businesses to protect themselves from the most common cyber-attacks as the UK government-backed cybersecurity scheme is streamlined.
  • The Cyber Essentials Scheme is supported by the UK government to help businesses guard against the most common cyber threats.
  • Over 30,000 UK businesses have gained Cyber Essentials certification since its launch in 2014 and this number is growing year on year.
  • Naming IASME as the sole Cyber Essentials partner will streamline and grow the Scheme and ensure it keeps pace with the changing nature of the cybersecurity threat.
Cyber Essentials Scheme launched in 2014

Since its launch in 2014 the Cyber Essentials Scheme has helped to protect over 30,000 UK businesses from the most common cyber-threats. NCSC and IASME are committed to growing the Scheme, recognising its role in helping to make the UK one of the safest places to live and do business online.

The Cyber Essentials Scheme was developed to protect organisations against low-level “commodity threats”. It focuses on the five most important technical security controls that businesses should have in place to prevent malicious attacks. These controls were identified by the government as those that, if they had been in place, would have stopped the majority of the successful cyber-attacks over the last few years.

The success of Cyber Essentials Scheme means that it remains at the heart of the UK Government’s National Cyber Security Strategy, but an extensive consultation process highlighted the need to evolve the Scheme.

Since its launch, Cyber Essentials has been delivered through multiple Accreditation Bodies and their respective Certification Bodies. In order to simplify the customer experience and improve consistency, the NCSC have appointed a single Cyber Essentials partner to take over running the Scheme from 1stApril 2020. This will make the Scheme easier to run on a day to day basis and streamline the development process to ensure Cyber Essentials remains relevant. From now until 1st April 2020 the Scheme will be  very much business as usual with organisations able to gain accreditation from all five Accreditation Bodies.

The current Certification Bodies have been instrumental in the success of the Cyber Essentials Scheme. Existing Certification Bodies will be encouraged to apply to the new Cyber Essentials Partner to continue to provide Cyber Essentials as part of the revised scheme. The Scheme also welcomes new Certification Bodies or anyone from the cyber security industry interested in promoting the Scheme.

IASME Chief Executive, Dr Emma Philpott, MBE, said: We are extremely excited about the prospect of working in partnership with the NCSC to develop and grow the Cyber Essentials scheme. We have seen such a positive effect already over the last 5 years where Cyber Essentials has increased the basic levels of security across all sectors. We are so pleased that we can be part of the future developments, working closely with the excellent Certification Bodies, trade bodies, police and other key stakeholders, to ensure further growth of the scheme.”

Anne W, NCSC Head of Commercial Assurance Services, added: “The NCSC is looking forward to working in partnership with the IASME team to ensure that the scheme continues to evolve and meet the cyber security challenges of tomorrow; a scheme that puts cyber security within reach of the vast majority of UK organisations.”

Essential security: Cyber Essentials and its 5 controls

Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets, and they don’t spend countless hours staking out and researching their targets.

Instead, they tend to be opportunistic, looking for any available target. In that regard, you can think of them like a burglar; sure, they’re aware of high-value marks, but it’s more effective to go after easier targets.

And just as a burglar will look for those marks by scouting neighbourhoods and looking for empty houses and easy access, cyber criminals will look for poor security practices by sending phishing emails or conducting network scans.

In a single day, cyber criminals can assess millions of potential targets. Attacks often target as many devices, services or users as possible using the ‘openness’ of the Internet.

Basic security controls prevent about 80% of cyber attacks

Cyber Essentials is a government-backed scheme that outlines basic steps that organisations can take to secure their systems. Implementing the five controls effectively will help you prevent about 80% of cyber attacks.

The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs (small and medium-sized enterprises) to be light-touch and achievable at low cost.

Whether or not you achieve certification to the scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus on your core business objectives.

What are the five controls?

  1. Firewalls

These are designed to prevent unauthorised access to or from private networks, but good setup of these devices either in hardware or software is important for them to be fully effective.

Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.

Although antivirus software helps to protect the system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place.

The security provided by the firewall can be adjusted like any other control function (in other words, the firewall ‘rules’).

  1. Secure configuration

Web server and application server configurations play a key role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.

Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.

This will help prevent unauthorised actions being carried out and will also ensure that each device discloses only the minimum information about itself to the Internet. A scan can reveal opportunities for exploitation through insecure configuration.

  1. User access control

It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker being presented with open access to your information.

Obtaining administrator rights is a key objective for criminal hackers, allowing them to gain unauthorised access to applications and other sensitive data. Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation.

User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.

  1. Malware protection

It is important to protect your business from malicious software, which will seek to access files on your system.

Software can wreak havoc by gaining access and stealing confidential information, damaging files and even locking them and preventing access unless you pay a ransom.

Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware) and including options for virus removal will protect your computer, your privacy and your important documents from attack.

  1. Patch management

Cyber criminals often exploit widely known vulnerabilities. Any software is prone to technical vulnerabilities.

Once discovered and shared publicly, vulnerabilities can rapidly be exploited by cyber criminals.

Criminal hackers take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Updating software and operating systems will help to fix these known weaknesses. It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.

The ‘sixth control’

The five controls outlined in Cyber Essentials are fundamental technical measures for security, but you must remember that technology is only as effective as the people using it.

Employees are always liable to make mistakes, and organisations must mitigate the risk by conducting staff awareness training.

What you cover in these sessions depends on your employees’ job roles. For example, if they’re involved in data processing, you should provide training on the GDPR (General Data Protection Regulation). Likewise, if they handle payment card data, they should be taught about their responsibilities under the PCI DSS (Payment Card Industry Data Security Standard).

Meanwhile, there are topics that almost every employee should study, like information securityphishing and the security risks associated with social media.

Teaching your employees about all of these issues might sound onerous, but it’s actually quite simple if you use an e-learning provider.

This enables employees to study at a time and place that suits them, and means you don’t have to worry about finding a trainer or halting productivity to haul your workforce into a classroom.

Free download: ‘Cyber Essentials: A guide to the scheme’  

Cyber Essentials offers the right balance between providing additional assurance of an organisation’s commitment to implementing cyber security to third parties, and retaining a simple and low-cost mechanism for doing so.

Download our free guide for more information about Cyber Essentials and how it can help you guard against the most common cyber threats.

Download now >>

A version of this blog was originally published on 29 August 2018.

The post Essential security: Cyber Essentials and its 5 controls appeared first on IT Governance Blog.