The Cyber Essentials Scheme looks to reduce cyber security threats faced by businesses such as yourselves and your customers. It covers a range of different threats, and recognises that businesses must take action in order to mitigate these risks.
Threats assessed by Cyber Essentials
Threats assessed by the Cyber Essentials Scheme include phishing scams and hacking, as well as password guessing techniques. It helps businesses to protect against vulnerabilities and teaches employees not to be tricked into giving away details or clicking suspicious links. Cyber Essentials doesn’t cover security aspects of DoS (Denial of Service) attacks, insider attacks, and attacks requiring access to a physical device, or using stolen credentials.
Essential steps covered
Cyber Essentials, as indicated by the name, covers the absolute essential steps that must be taken to mitigate the risks previously stated. This doesn’t include disaster recovery planning (DRP) or monitoring to detect issues, but it recognises only preventative technical controls that businesses can put in place.
Specified requirements for organisations
Under the Cyber Essentials Scheme, organisations must have certain measures in place, including firewalls and malware protection. Your customers must also have patch management, user access control and a secure configuration to become Cyber Essentials approved. This includes specific areas such as a Bring your own device (BYOD) policy.
Changes to the Cyber Essentials Scheme
Some major changes have occurred recently, which will affect the way businesses operate in terms of their cyber security. These changes include clarification about how the scope is determined, and which devices count as being within the scope.
There has also been a requirement added for authentication within any Internet-based services that could allow users to access private data; however the necessity of regular updates to passwords has been removed for Internet-based services. Instead a choice of responses can be made depending on whether there have been a number of failed attempts at authentication.
Other significant changes include new content which has been added in order to cover whitelisting of certificate-based applications, as well as sandboxing to defeat malware. Patching requirements have been refined to give clearer guidance, particularly in relation to devices and whether they count as being in scope.
For more details and to get up to date with the latest Cyber Essentials requirements for your clients, give Marathon a call today on 020 8329 1000.