Cyber Essentials Compliance

Cyber Essentials is defensive and cannot cater for targeted cyber attacks that have identified vulnerabilities that are unique to the employees and infrastructure of your organisation. 
Cyber Essentials very much looks to prevent cyber attacks, it does not tackle other best practice security procedures that deal with recovery such as backing up data to multiple formats and to different locations including an offline, off site option.

Risk assessment and security posture evaluation, and incident response and disaster planning are also areas that are not covered in the scheme. 
Security awareness and staff training, although considered vital for preventing common cyber attacks, do not involve technical controls and are therefore not formally evaluated in the Cyber Essentials scheme. Security monitoring, detecting and analysing are also practices that are beyond the scope of Cyber Essentials. 
The avenues for attack have never been greater with mobile devices, cloud computing and the internet of things throwing up security challenges that a basic scheme like Cyber Essentials currently does not address.

Most cyber attacks are untargeted and use commodity tools to attack large amounts of devices, services and users at the same time in an indiscriminate way. Most cyber attacks are made up of repeated stages that are probing for further information or leads that can lead to a more targeted attack. These untargeted attacks exploit basic weaknesses that can be found in many organisations such as poorly configured firewalls, software that hasn’t been patched and legacy computer systems that are no longer supported. 
Cyber Essentials will help an organisation defend against this type of attack. The process of putting in place the five core controls will eliminate all the common security gaps that up to 90% of cyber attacks rely on.

These are the technical controls that will protect businesses of all sizes from most cyber attacks.

Access Control

Control who uses your computer and what they’re allowed to do when they’re using it. 
Learn the difference between an administrator account and a regular user account. What are the privileges that an administrator can access and who should use this kind of account and when? Every user should have their own account with its individual secure password and no guest accounts.

Secure Configuration

Set up your computer securely to minimize the ways a cyber criminal can find a way in. 
Learn how to create unique strong passwords and enable two factor authentication if available. Explore the settings on your devices and on the software that you use, disable functions that you do not use and delete unused accounts.

Patch Management

Prevent cyber criminals using the mistakes they find in software as a way to get into your system. All software contains many lines of code which often contains errors. A ‘patch’ is an update released by the software manufacturer to fix these errors. 
Set your operating system and other software to automatically update or apply the software patches. Check that your software is still supported by the manufacturers i.e. is continuing to receive patches. 

Malware Protection

Identify and immobilise viruses or other malicious software before it has a chance to cause harm. 
Install anti-virus software on all of your devices and test for viruses. Disable auto-run features and learn about whitelisting and sandboxing. Only buy apps from approved secure stores.

Firewalls and Routers

Create a security filter between the internet and your network and on your device. 
Locate the firewall that comes with your operating system on your device and turn it on. Locate the firewall at the border of your network which may be in the router. Turn it on and change the default password. Check who has access to your router. 

Cyber Essentials helps organisations effectively establish the five core controls that have been shown to prevent most cyber attacks.