All content in this post provided by GFI Software
What You Need to Know about Cyber Essentials and How It Can Help Your Business
Cyber Essentials is a UK government-backed initiative designed to help organisations guard against common cyberattacks and demonstrate their commitment to cybersecurity.
The scheme includes an action plan and a simple set of security controls to protect information from internet-based threats such as hacking, phishing and password guessing. Being fully compliant can reduce the vast majority of the cybersecurity risks organisations face.
According to the National Cyber Security Centre (NCSC): “Cyberattacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.”
How it works
To meet certification requirements, organisations must demonstrate that they have implemented five basic security controls:
- Firewall: Use personal or boundary firewalls to secure the internet connection. Organisations must configure and use a firewall to protect their devices, especially those that connect to public or other untrusted Wi-Fi networks.
- Secure configuration: Choose the most secure settings for devices and software. This includes changing default settings to increase security, and using only the accounts, applications and software that are necessary.
- User access control: Control who has access to data and services. Users should have only the required access to software, settings, online services and device connectivity to perform their roles. Administration privileges are only given to those who need them.
- Malware protection: Protect the business from viruses and other malware. Organisations must use at least one of the following: anti-malware measures, whitelisting or sandboxing.
- Patch management: Keep devices, applications and software up to date (patching). Operating systems, programs, devices and apps should be set to automatically update when possible.
There are two types of certifications. Both require organisations to declare or prove that they have the five controls in place.
With basic Cyber Essentials certification, the organisation completes a self-assessment questionnaire. A certification body evaluates the answers and performs an external vulnerability scan. This level is suitable for companies looking to demonstrate that they have adopted the five controls.
Cyber Essentials Plus includes the baseline assessments as well as an internal audit by a technical expert. The audit identifies security vulnerabilities (such as out-of-date software) that require remedial action to meet requirements. This level of certification is harder to achieve, but it demonstrates a higher level of security assurance.
Why is Cyber Essentials important for smaller businesses?
Small-to-medium-sized businesses (SMBs) are increasingly being targeted by hackers and cybercriminals. From 2019 to 2020, two thirds of SMBs in the UK experienced a cyberattack.
A cybersecurity breach can seriously damage a company’s financial health and reputation, and the recovery process may be long and expensive. Some organisations may even go out of business. It is estimated that cyberattacks cost the small business community in the UK approximately £4.5 billion annually.
In spite of the risks, many SMBs are ill-prepared for a cyber breach. According to a recent Small Business Trends survey, 68% have no formal cybersecurity policies in place and 26% don’t have any measures at all. Limited budgets, insufficient staff training and lack of time were cited as the main obstacles.
Cyber Essentials is designed around the needs of smaller organisations, which are defined as having up to 250 employees (commonly without an in-house security team). The scheme offers a simple, low-cost cybersecurity framework to help SMBs secure their IT environments. Being fully compliant can significantly reduce the cybersecurity risks they face.
What are the benefits of Cyber Essentials certification?
While the central benefit is protection against cyberattacks, Cyber Essentials offers business advantages too. Certification is an easy way to show that the organisation meets an industry standard and is committed to cybersecurity. Accreditation can be displayed on company websites and other media.
Suppliers, clients and partners may be more inclined to share their data with certified companies. What’s more, an organisation could attract new business with the promise that it has sanctioned cybersecurity measures in place.
Cyber Essentials is also mandatory for government contracts. The UK Government requires all suppliers bidding for contracts that involve the handling of sensitive and personal information to have certification.
GFI Software and Cyber Essentials controls
Cyber Essentials certification requires organisations to adopt the five controls to prevent common cyberattacks. But maintaining these controls manually may not be feasible in terms of time and resources. Cybersecurity software can help.
GFI Software provides an array of solutions from firewalls to patch management, antivirus software and more to help protect your business against common cyber threats and attacks. More specifically, their solutions help you address 80% of your Cyber Essentials compliance requirements. The following shows you how GFI products line up with four of the five required controls.
GFI Kerio Control provides boundary firewall protection to block incoming threats and malware from the internet. The solution includes a next-generation firewall and router, gateway antivirus, and web content and application filtering.
Intrusion detection and prevention (IPS) capabilities monitor inbound and outbound network communications for suspicious activity. You can also create inbound and outbound traffic policies to restrict communications by URL, application, traffic type, content category and even time of day.
GFI LanGuard automatically scans your IT environment for vulnerabilities to keep your network and applications safe. It provides a complete view of the elements in your network including devices, installed software and new hardware.
Remediation capabilities allow you to deploy software patches, remove obsolete users and take other corrective action. With GFI LanGuard, you can run scans as often as needed, over the entire network or just in specific areas. Dashboards and reports keep you up to date on vulnerabilities and security issues.
GFI MailEssentials is email protection software that can meet the anti-spam and anti-malware needs of your business. It provides 14 anti-spam filters, 4 antivirus engines, malware scanning and content filtering to protect against email threats.
The software includes four anti-malware scanning engines, each with its own detection protocols. These integrated features enhance protection of your email environment to block email-borne viruses and other malware more effectively.
Other GFI Software products provide additional protection. GFI Kerio Control includes an optionally integrated Kerio Antivirus service (Bitdefender), which helps prevent viruses, worms and spyware from entering your network. Network auditing with GFI LanGuard identifies unauthorised devices, applications and programs, which could be potential sources of malware.
GFI LanGuard automates patch management to keep your software up to date. It scans your network for updates that are missing in applications and operating systems. The software also identifies missing patches in web browsers and third-party software such as Adobe, Java and other major vendors.
With GFI LanGuard, you no longer have to manage updates manually. You can deploy patches automatically across the system, or deploy agents on specific machines for regular updates. If required, you can control which patches to install, or roll back if you find problems.
Beyond cybersecurity, there is an added benefit to regular patch management: many patches also fix software bugs, which can help your applications run better.