Cyber Essentials Compliance
// CASE STUDY
July 10, 2022
Facilities Management in Essex
A client needed to achieve Cyber Essentials certification in order to win a large contract.
The client is a facilities management and installation company with over 10 years' experience and a project team of 15 staff. The company had grown rapidly to cope with multiple installation projects for its clients.
Reason for change
To meet the requirements of the initial tender process, the client needed to provide a valid Cyber Essentials certificate.
The client has an experienced team with multiple ISO certifications, including ISO 9001, 14001 and 45001, as well as CHAS, Constructionline and SafeContractor. Cyber Essentials certification would allow them to tender for government contracts over the year.
We already provided the client with our bronze level support, which gave us a good understanding of the client's infrastructure and the steps they would need to take to comply with the Cyber Essentials requirements. The National Cyber Security Centre (NCSC) released an update to the certification in January 2022, so we would also need to ensure the client complied with the changes: https://www.ncsc.gov.uk/cyberessentials/overview
Cyber Essentials Requirements
The certification is aimed at small businesses to help them protect themselves against the threat of a cyber attack.
Cyber Essentials has five technical control themes:
- firewalls
- secure configuration
- user access control
- malware protection
- security update management
The standard's scope has been extended to cover staff working from home or using their own devices, including mobiles, and external services such as Microsoft 365 or Dropbox.
The complexity of the IT infrastructure dictates how the business can control its systems within the five technical control themes defined in the standard.
Audit & Process
We met with the client to explain the certification process and discuss each of the requirements. We agreed the scope of the boundary and advised where the business would need some work to meet or exceed the standard.
Meeting & Exceeding the standard
From the meeting we established a list of the areas where we would need to apply policies that the business must comply with. Some of these were processes the client's staff would need to adhere to, such as minimum password policies. Where possible, the policies are enforced with IT system policies; others are manual processes enforced by the client's compliance manager.
We also recommended exceeding the current standard, as this would help the client comply with the changes due in 2023.
The perimeter of the network is a critical part of any business's protection. We regularly update the firmware on the client's perimeter devices and maintain a list of authorised VPN users and open ports. In this case the client did not have any open ports, but it is key to check the devices regularly in case the settings have been changed or a service is no longer used.
Removing unused software from devices and setting long, complex passwords also reduce the attack surface. Preventing users from installing software without entering admin user details prevents malicious software being installed without the user's knowledge.
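The perimeter check described above is a comparison of what the device currently allows against the maintained lists of authorised ports and VPN users. The following script is an added illustration, not code from the original case study or from any firewall vendor: it parses a constructed, hypothetical rule export (the line format is invented for the example), flags allow rules that are not on the agreed baseline, and lists VPN accounts that no longer match a current member of staff. Device names, account names and rule syntax are all placeholders.

```python
import re

# Constructed sample export of inbound allow rules from a perimeter device.
# The line format is hypothetical and does not follow any real vendor's syntax.
FIREWALL_EXPORT = """\
rule 1 allow tcp 443 -> 10.0.0.5:443   # customer web portal
rule 2 allow tcp 3389 -> 10.0.0.7:3389 # remote desktop left over from a trial
rule 3 deny any any
"""

# Baseline agreed with the business: the only inbound service expected to be open.
AUTHORISED_PORTS = {("tcp", 443)}

# Constructed VPN account list and current staff register.
VPN_USERS = {"alice", "bob", "contractor-old"}
CURRENT_STAFF = {"alice", "bob", "carol"}

# Matches only 'allow' rules; deny lines are ignored because they open nothing.
RULE_RE = re.compile(r"^rule\s+(\d+)\s+allow\s+(\w+)\s+(\d+)\s+->\s+(\S+)")


def parse_allow_rules(export):
    """Return one dict per inbound allow rule found in the export text."""
    rules = []
    for line in export.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "id": int(m.group(1)),
                "proto": m.group(2).lower(),
                "port": int(m.group(3)),
                "target": m.group(4),
            })
    return rules


def unauthorised_rules(rules, authorised):
    """Allow rules whose (protocol, port) pair is not on the agreed baseline."""
    return [r for r in rules if (r["proto"], r["port"]) not in authorised]


def stale_vpn_accounts(vpn_users, staff):
    """VPN accounts that no longer correspond to a current member of staff."""
    return sorted(vpn_users - staff)


def audit(export=FIREWALL_EXPORT, authorised=AUTHORISED_PORTS,
          vpn_users=VPN_USERS, staff=CURRENT_STAFF):
    """Summarise perimeter drift against the maintained authorised lists."""
    rules = parse_allow_rules(export)
    return {
        "open_ports": sorted((r["proto"], r["port"]) for r in rules),
        "unauthorised": [r["id"] for r in unauthorised_rules(rules, authorised)],
        "stale_vpn": stale_vpn_accounts(vpn_users, staff),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run on the constructed data, the audit reports rule 2 (TCP 3389) as unauthorised and the account `contractor-old` as stale; in practice the export and the staff register would come from the device and the HR system, and the baseline would be the list maintained for the client.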
User Access Controls
Applying a least-privilege policy to ensure that staff only have access to the applications and data they need is critical. If a zero-day attack occurs, only the data the affected user has access to may be compromised. For example, a member of the sales team may not need access to HR or management files.
Malware Protection
Installing good antivirus software that scans devices is key to protecting the business. Some antivirus software also includes a sandbox feature that allows a file to be opened in an isolated environment. This is part of the new requirements.
Security Update Management
The standard requires IT equipment and mobile devices to be maintained: any security fixes should be applied within 14 days of their release by the developer. Our remote management software installs the updates for the client's device operating systems and the majority of the applications the client uses. Mobile phones are within the scope of the certification if they hold company data such as email, so these also require updates to be applied and minimum password policies to be enforced. We used ManageEngine MDM (Mobile Device Management) software to manage the devices; as the number of devices was under 25, the free version of the software is used.
We regularly update the router, network equipment, printer and server firmware when we receive release information from the manufacturers.
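The 14-day rule above applies equally to operating system patches, application updates and the firmware releases mentioned in the last paragraph, so a single check over the device inventory covers all of them. The script below is an added example, not the case study's own tooling or any MDM product's API: it takes a constructed inventory (placeholder device names and update identifiers, with vendor release dates and install dates) and classifies each device as compliant, installed late, overdue, or still inside the window, so that overdue devices can be actioned first.

```python
from datetime import date, timedelta

# Cyber Essentials requires security fixes to be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# Date the check is run; fixed here so the example is reproducible.
TODAY = date(2022, 7, 10)

# Constructed inventory export; device names and update identifiers are placeholders.
# 'installed' is None when the fix has not yet been applied.
INVENTORY = [
    {"device": "LAPTOP-01", "update": "OS-FIX-EXAMPLE-A",
     "released": date(2022, 6, 14), "installed": date(2022, 6, 20)},
    {"device": "LAPTOP-02", "update": "OS-FIX-EXAMPLE-A",
     "released": date(2022, 6, 14), "installed": None},
    {"device": "PHONE-07", "update": "MOBILE-OS-EXAMPLE-B",
     "released": date(2022, 5, 16), "installed": date(2022, 6, 10)},
    {"device": "ROUTER-01", "update": "FIRMWARE-EXAMPLE-C",
     "released": date(2022, 7, 5), "installed": None},
]


def assess(record, today):
    """Classify one device/update pair against the 14-day window."""
    deadline = record["released"] + PATCH_WINDOW
    installed = record["installed"]
    if installed is not None:
        # Applied: compliant if it went on before the deadline, otherwise late.
        status = "compliant" if installed <= deadline else "late"
    elif today > deadline:
        # Not applied and the window has already closed.
        status = "overdue"
    else:
        # Not applied yet but still inside the window.
        status = "pending"
    return {
        "device": record["device"],
        "update": record["update"],
        "status": status,
        "deadline": deadline,
        "days_left": (deadline - today).days,  # negative once the deadline has passed
    }


def summarise(inventory, today):
    """Group device names by status so the overdue ones can be actioned first."""
    summary = {"compliant": [], "late": [], "overdue": [], "pending": []}
    for record in inventory:
        result = assess(record, today)
        summary[result["status"]].append(result["device"])
    return summary


def is_compliant(inventory, today):
    """Point-in-time view: no fix may be outstanding beyond its deadline."""
    return not summarise(inventory, today)["overdue"]


if __name__ == "__main__":
    for status, devices in summarise(INVENTORY, TODAY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
    print("compliant overall:", is_compliant(INVENTORY, TODAY))
```

The "late" category is kept separate from "overdue" because a fix that eventually went on is no longer a live exposure, but a run of late installs is the evidence an assessor would look for that the update process itself is not working.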
Completing the certification
The cost of certification depends on the size of the business. The Cyber Essentials certification is completed via an online form. The content is then verified by the company directors and submitted for evaluation.
The form is evaluated by IASME (https://iasme.co.uk/iasme-governance/), and the fee paid by the client depends on the number of employees. Evaluation usually takes a couple of days, and the results will either confirm compliance or advise of any non-compliance where measures need to be updated or evidence provided before compliance can be agreed.
In our client's case, with our expertise and assistance, they were able to fully comply with the requirements and the Cyber Essentials certificate was issued.
The Cyber Essentials requirements change as cyber threats and technology change. Compliance is therefore an ongoing process of continual improvement.
As the server software used at the client ages, more vulnerabilities are found, hence the need for regular maintenance and for processes to verify that devices are updated and replaced as required.
Password policies and multi-factor authentication requirements for cloud services are also changing in 2023, so these will be implemented when the client is able to.
We can also assist the client if they wish to take the next level, Cyber Essentials Plus, which involves a third party who visits and verifies that the implemented policies comply with the requirements.
More companies are requiring Cyber Essentials certification from their suppliers to protect against supply chain attacks. If you would like to know more or need assistance to achieve Cyber Essentials (Plus), please contact us.