4 top tips to pass your Cyber Essentials accreditation
Designed to help protect your organisation from cyber-based threats, the Cyber Essentials scheme confirms that your company’s IT systems comply with essential Cyber Security controls. This gives you and your clients the assurance that your company is protected against the most common forms of cyber-attack, and that any data you handle is secure.
As an approved Cyber Essentials Certification Body, Sota is highly experienced in the Cyber Essentials Self-Certification Programme. We’ve helped customers of all sizes and experience levels achieve certifications, so here are a few tips from us on how to pass…
What is the Cyber Essentials accreditation?
Cyber Essentials is a government-backed scheme that aims to protect organisations against the most common and pernicious forms of cyber attack. It lays out a series of criteria that businesses have to meet to demonstrate their resilience against cyber attacks, and thus prove to clients and customers that their IT infrastructure is secure, and their data is safe.
The five main tenets (the technical controls) of the Cyber Essentials accreditation are:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
The certification comes in two forms: Cyber Essentials and Cyber Essentials Plus. Both cover the same five controls and both start with the same self-assessment questionnaire, but Cyber Essentials Plus applicants must also pass a hands-on technical audit carried out by an approved assessor, who tests a sample of your devices against the controls you have declared. As a recognised Cyber Essentials assessment centre, Sota can help you both meet the requirements for Cyber Essentials and carry out this audit.
How to pass your Cyber Essentials accreditation
While the bulk of the Cyber Essentials accreditation can be achieved through a self-assessment process, fulfilling the requirements for that self-assessment can be trickier.
Meeting them requires not just a fundamental understanding of key cybersecurity principles, but also buy-in from everyone in the organisation. Here are some tips on how to implement the key elements of Cyber Essentials, and pass your accreditation.
1. Understand the threat
Even today, many companies still don’t fully understand what cybersecurity involves. As a result, they don’t know how to keep attackers out, and make elementary mistakes that make things easier for cybercriminals. It isn’t enough to hire someone to sort it out for you – you also need to help yourself.
Even with security software in place, your people can still fall victim to sophisticated cyber crime when they are online, and that can translate into financial loss. Sometimes this loss is insignificant, but occasionally it is devastating. Equally, individuals can disrupt the best-laid plans by acting unsafely, such as downloading files from untrustworthy sources or plugging unknown USB drives into office computers.
There is also evidence that cybercrime has been on the rise since the pandemic, because the shift to remote working has placed people outside the protections of the workplace. The Cyber Essentials 3.0 standard covers home working and the particular threats it poses. Ensuring that everyone understands the need to protect all devices – at home and at work – is vital to a successful Cyber Essentials application.
2. Make use of technical controls
Technical controls are the many safeguards that exist in computer hardware or software to help resist cyber attacks. Because these technical controls are often not enabled by default, and must be configured first, understanding and utilising them is of the utmost importance when it comes to making sure your company is secure.
Technical controls vary significantly, and range from firewalls, to passwords, to account permissions. Each of the five controls listed above includes a range of technical measures that can be used to protect your IT infrastructure. Examples of commonly applied technical controls are:
- Revoking account access. Ensure that when a staff member leaves, they are no longer able to access important accounts.
- Limit account permissions. Make a well-thought-out decision as to who will have account admin rights. Don’t just give everyone admin access ‘because it’s easier’.
- Secure passwords. No device should be accessible without a username and password, and those passwords should be long and hard to guess (a mix of numbers, letters and symbols helps, but length and not reusing passwords matter more). Enable multi-factor authentication wherever the service supports it; Cyber Essentials requires it for cloud services.
- Treat IT access like physical access. Seek approval from owners or directors when deciding who holds the ‘skeleton key’ to your IT with access to an administrator account.
- Update management. Restrict the ability to install and update software to designated personnel with administrator accounts, and make sure those people use a separate standard (non-admin) account for everyday work such as email and web browsing.
You should review the list of employees with administrator accounts regularly, as some may have changed roles within the business, and no longer need access to certain software or software features. If somebody doesn’t need access, they generally shouldn’t have it.
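The review described above is easy to script so that it runs on a schedule rather than being forgotten. The following PowerShell is an added example (it is not code from the original article or from Sota) that lists the members of the local Administrators group on a Windows 10/11 or Server 2016+ machine, compares them with an approved list, and flags enabled local accounts that require no password or have not been used for 90 days. The approved list, the account and group names in it, and the 90-day threshold are assumptions for illustration; replace them with the list your owners or directors have signed off.

```powershell
# Added example, not from the original article. Assumes Windows 10/11 or Server 2016+
# with the built-in Microsoft.PowerShell.LocalAccounts module. Run from an elevated session.

# Hypothetical approved list: in practice this is the list signed off by owners/directors
# (tip 2, "Treat IT access like physical access").
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\itadmin",   # assumed local break-glass admin account
    'CORP\IT-Admins'               # assumed Active Directory group for the IT team
)
$StaleDays = 90                    # assumed threshold for "has not logged on recently"

# 1. Who is in the local Administrators group, and are they on the approved list?
$AdminReport = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    [PSCustomObject]@{
        Name     = $m.Name
        Type     = $m.ObjectClass        # User or Group
        Source   = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Approved = [bool]($ApprovedAdmins -contains $m.Name)   # -contains is case-insensitive
    }
}

# 2. Local accounts that are enabled but need no password, or have not logged on within
#    $StaleDays (typical of leavers whose access was never revoked). An account that has
#    never logged on has a null LastLogon and is not reported as stale here.
$Cutoff = (Get-Date).AddDays(-$StaleDays)
$AccountReport = foreach ($u in Get-LocalUser) {
    [PSCustomObject]@{
        Name             = $u.Name
        Enabled          = $u.Enabled
        PasswordRequired = $u.PasswordRequired
        LastLogon        = $u.LastLogon
        Stale            = [bool]($u.Enabled -and $u.LastLogon -and ($u.LastLogon -lt $Cutoff))
        NoPassword       = [bool]($u.Enabled -and -not $u.PasswordRequired)
    }
}

'== Members of local Administrators =='
$AdminReport   | Format-Table -AutoSize
'== Local user accounts =='
$AccountReport | Format-Table -AutoSize

# Exit non-zero when anything needs attention, so the script can run as a scheduled task
# or through an RMM tool and a failure is actually noticed.
$Findings = @()
$Findings += $AdminReport   | Where-Object { -not $_.Approved } | ForEach-Object { "Unapproved administrator: $($_.Name)" }
$Findings += $AccountReport | Where-Object { $_.NoPassword }    | ForEach-Object { "Enabled account without a password: $($_.Name)" }
$Findings += $AccountReport | Where-Object { $_.Stale }         | ForEach-Object { "Enabled account unused for $StaleDays days: $($_.Name)" }

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
'No findings.'
exit 0
```

On a domain, the same comparison should be run against the privileged Active Directory groups (Domain Admins and the like) with the ActiveDirectory module; this script only covers the local machine, which is what the Cyber Essentials Plus assessor will look at on each sampled device.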
3. Conduct regular security checks
Meeting the Cyber Essentials standards isn’t just a ‘one and done’ job. As well as putting the controls and processes in place to ensure compliance, you also need to make sure that those standards are maintained. A central aspect of this is conducting regular checks to see if there have been any lapses, and to ensure that the latest updates are being applied.
One or more dedicated IT professionals should be made responsible for keeping your devices and software updated and secure. While it is often tempting to put off updates, doing so seriously compromises security, because it leaves attackers free to exploit flaws that the vendor has already fixed. Cyber Essentials expects updates that fix critical or high-risk vulnerabilities to be applied within 14 days of release. This applies not just to computers, but also to devices such as printers and routers, which you may not have realised can be updated at all.
Frequently reassessing the effectiveness of your cybersecurity measures is vital to staying accredited. The risk changes with every new update and version of every piece of software or hardware, akin to a digital game of whack-a-mole. If you don’t stay on top of this and patch these security holes, attackers will quickly get ahead of you.
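A regular check that patching is actually happening is a natural thing to automate. The following PowerShell is an added example (not code from the original article or from Sota) that reports the most recent hotfix installed on a Windows machine, lists updates that are applicable but not yet installed using the Windows Update Agent COM API that ships with Windows, and flags any Critical or Important update that has been available for more than 14 days, the Cyber Essentials window for critical and high-risk fixes. It assumes the machine can reach its update source (Windows Update or WSUS); the 14-day value is the only tunable.

```powershell
# Added example, not from the original article. Uses the Windows Update Agent COM API
# built into Windows. Assumes the host can reach Windows Update or its WSUS server.
$MaxDays = 14   # Cyber Essentials: critical/high-risk updates applied within 14 days

# Most recent installed hotfix: a quick sanity check that patching is happening at all.
$LastHotfix = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($LastHotfix) {
    "Last hotfix installed: $($LastHotfix.HotFixID) on $($LastHotfix.InstalledOn.ToShortDateString())"
}

# Search for updates that apply to this machine but are not installed (and not hidden).
$Session  = New-Object -ComObject 'Microsoft.Update.Session'
$Searcher = $Session.CreateUpdateSearcher()
$Result   = $Searcher.Search('IsInstalled=0 and IsHidden=0')

$Pending = foreach ($u in $Result.Updates) {
    $published = $u.LastDeploymentChangeTime
    [PSCustomObject]@{
        Title       = $u.Title
        KB          = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity    = $u.MsrcSeverity      # Critical / Important / Moderate / Low, or blank
        Published   = $published
        DaysPending = [int]((Get-Date) - $published).TotalDays
    }
}

$Pending | Sort-Object DaysPending -Descending | Format-Table Title, KB, Severity, DaysPending -AutoSize

# Flag anything rated Critical or Important that has been available longer than $MaxDays.
# A blank severity does not mean low risk (feature and driver updates often carry none),
# so review the full list, not just the warnings.
$Overdue = $Pending | Where-Object {
    ($_.Severity -in @('Critical', 'Important')) -and ($_.DaysPending -gt $MaxDays)
}
if ($Overdue) {
    $Overdue | ForEach-Object { Write-Warning "Overdue: $($_.Title) ($($_.DaysPending) days)" }
    exit 1
}
"No Critical/Important updates older than $MaxDays days."
exit 0
```

This only covers the Windows operating system and Microsoft products; third-party applications, and the firmware on printers and routers mentioned above, need to be checked with the vendor’s own tooling or a patch-management product.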
4. Protect against malware
Malware is the main form of cyber attack you are likely to face as a business. Malware is malicious code which runs on a computer, and often spreads to other devices over a network. This could occur because you have accessed an unsafe website, downloaded a file from an untrusted source, or plugged in an infected device such as a USB drive.
Malware can take many forms, ranging from keyloggers (which record what you type, including passwords) to ransomware (which encrypts all or part of your computer and its files and extorts you for payment to unlock them). While some malware may just slow down your system, most of it poses a serious risk to the confidentiality and integrity of your data.
A variety of anti-malware solutions exist for businesses, from the Microsoft Defender Antivirus (formerly Windows Defender) that is pre-installed on Windows, to dedicated enterprise products. Whichever software you use, it is important to run regular scans to detect any malware (most products let you schedule them to run automatically) and to keep the anti-malware program itself up to date.
Some simple malware protection tips include:
- Ensure automatic updates are turned on so that your anti-malware software can update its ‘definitions’, a database of known threats, without anyone having to remember to do it.
- Ensure it is set to scan files as they are downloaded and opened, including files accessed from a network folder.
- Make sure it scans web content (pages and scripts) as the browser loads it, rather than only scanning files once they are saved to disk.
- Ensure it warns about, and blocks connections to, known malicious websites.
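The four tips above map directly onto settings that can be read and corrected from PowerShell. The following is an added example (not code from the original article or from Sota) that checks each tip against Microsoft Defender Antivirus on Windows 10/11 using the built-in Get-MpComputerStatus and Get-MpPreference cmdlets, reports which checks fail, and prints the Set-MpPreference command that fixes each one. It assumes Defender is the active anti-malware product; third-party products expose the equivalent settings through their own consoles. The one-day signature-age threshold is an assumption.

```powershell
# Added example, not from the original article. Assumes Windows 10/11 with Microsoft Defender
# Antivirus as the active product. Run from an elevated session.
$Status = Get-MpComputerStatus
$Pref   = Get-MpPreference

# Each row maps one of the four tips to a concrete Defender setting and the command that fixes it.
$Checks = @(
    # Tip 1: definitions update automatically
    [PSCustomObject]@{ Tip = 1; Control = 'Defender engine enabled';              Pass = [bool]$Status.AntivirusEnabled;           Fix = 'Check no third-party product has disabled Defender' }
    [PSCustomObject]@{ Tip = 1; Control = 'Signatures no older than 1 day';        Pass = ($Status.AntivirusSignatureAge -le 1);     Fix = 'Update-MpSignature' }
    # Tip 2: scan files as they are downloaded and opened, including from network folders
    [PSCustomObject]@{ Tip = 2; Control = 'Real-time protection';                  Pass = [bool]$Status.RealTimeProtectionEnabled;  Fix = 'Set-MpPreference -DisableRealtimeMonitoring $false' }
    [PSCustomObject]@{ Tip = 2; Control = 'On-access scanning';                    Pass = [bool]$Status.OnAccessProtectionEnabled;  Fix = 'Set-MpPreference -DisableRealtimeMonitoring $false' }
    [PSCustomObject]@{ Tip = 2; Control = 'Scan downloads and attachments (IOAV)'; Pass = [bool]$Status.IoavProtectionEnabled;      Fix = 'Set-MpPreference -DisableIOAVProtection $false' }
    [PSCustomObject]@{ Tip = 2; Control = 'Scan files on network drives';          Pass = (-not $Pref.DisableScanningNetworkFiles); Fix = 'Set-MpPreference -DisableScanningNetworkFiles $false' }
    # Tip 3: scan web content (scripts) as the browser loads it, and watch behaviour
    [PSCustomObject]@{ Tip = 3; Control = 'Script scanning';                       Pass = (-not $Pref.DisableScriptScanning);       Fix = 'Set-MpPreference -DisableScriptScanning $false' }
    [PSCustomObject]@{ Tip = 3; Control = 'Behaviour monitoring';                  Pass = [bool]$Status.BehaviorMonitorEnabled;     Fix = 'Set-MpPreference -DisableBehaviorMonitoring $false' }
    # Tip 4: warn about and block connections to malicious sites (0 = off, 1 = block, 2 = audit only)
    [PSCustomObject]@{ Tip = 4; Control = 'Network protection in block mode';      Pass = ($Pref.EnableNetworkProtection -eq 1);    Fix = 'Set-MpPreference -EnableNetworkProtection Enabled' }
)

# SmartScreen for Explorer and downloads. The registry value is 'Warn', 'Block'/'RequireAdmin'
# or 'Off'; when the value is absent the Windows default (on) applies, so only 'Off' fails.
$SmartScreen = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
$Checks += [PSCustomObject]@{ Tip = 4; Control = 'SmartScreen not switched off'; Pass = ($SmartScreen -ne 'Off'); Fix = 'Windows Security > App & browser control > turn SmartScreen on' }

$Checks | Format-Table Tip, Control, Pass -AutoSize

$Failed = $Checks | Where-Object { -not $_.Pass }
if ($Failed) {
    $Failed | ForEach-Object { Write-Warning "$($_.Control) - remediation: $($_.Fix)" }
    exit 1
}
'All malware-protection checks passed.'
exit 0
```

Because the script exits non-zero on any failure, it can be run from a scheduled task or an RMM tool across all your devices, which is exactly the ‘regular check’ that tip 3 calls for.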
If you are interested in obtaining Cyber Essentials certification, Sota can help you complete the Cyber Essentials Self-Certification Programme. This can be done at relatively low cost, and will give you and your customers reassurance that your organisation meets the security standards set by this government-backed scheme. Get in touch today!