Cyber Essentials is a UK government-backed initiative designed to help organisations guard against common cyberattacks and demonstrate their commitment to cybersecurity.
The scheme includes an action plan and a simple set of security controls to protect information from internet-based threats such as hacking, phishing and password guessing. Being fully compliant can reduce the vast majority of the cybersecurity risks organisations face.
According to the National Cyber Security Centre (NCSC): “Cyberattacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.”
To meet certification requirements, organisations must demonstrate that they have implemented five basic security controls:
Firewall: Use personal or boundary firewalls to secure the internet connection. Requires that organisations configure and use a firewall to protect their devices, especially those that connect to public or other untrusted Wi-Fi networks.
Secure configuration: Choose the most secure settings for devices and software. This includes changing default settings to increase security. Requires that only necessary accounts, applications and software be used.
User access control: Control who has access to data and services. Users should have only the required access to software, settings, online services and device connectivity to perform their roles. Administration privileges are only given to those who need them.
Malware protection: Protect the business from viruses and other malware. Requires that organisations use at least one of the following: anti-malware measures, whitelisting or sandboxing.
Patch management: Keep devices, applications and software up to date (patching). Operating systems, programs, devices and apps should be set to automatically update when possible.
There are two types of certifications. Both require organisations to declare or prove that they have the five controls in place.
With basic Cyber Essentials certification, the organisation completes a self-assessment questionnaire. A certification body evaluates the answers and performs an external vulnerability scan. This level is suitable for companies looking to demonstrate that they have adopted the five controls.
Cyber Essentials Plus includes the baseline assessments as well as an internal audit by a technical expert. The audit identifies security vulnerabilities (such as out-of-date software) that require remedial action to meet requirements. This level of certification is harder to achieve, but it demonstrates a higher level of security assurance.
Small-to-medium-sized businesses (SMB) are increasingly being targeted by hackers and cybercriminals. From 2019 to 2020, two thirds of SMBs in the UK experienced a cyberattack.
A cybersecurity breach can seriously damage a company’s financial health and reputation, and the recovery process may be long and expensive. Some organisations may even go out of business. It is estimated that cyberattacks cost the small business community in the UK approximately £4.5 billion annually.
In spite of the risks, many SMBs are ill-prepared for a cyber breach. According to a recent Small Business Trends survey, 68% have no formal cybersecurity policies in place and 26% don’t have any measures at all. Limited budgets, insufficient staff training and lack of time were cited as the main obstacles.
Cyber Essentials understands the needs of smaller organizations , which are defined as being up to 250 employees (commonly without an in-house security team). The scheme offers a simple, low-cost cybersecurity framework to help SMBs secure their IT environments. Being fully compliant can significantly reduce the cybersecurity risks they face.
While the central benefit is protection against cyberattacks, Cyber Essentials offers business advantages too. Certification is an easy way to show that the organisation meets an industry standard and is committed to cybersecurity. Accreditation can be displayed on company websites and other media.
Suppliers, clients and partners may be more inclined to share their data with certified companies. What’s more, an organisation could attract new business with the promise that it has sanctioned cybersecurity measures in place.
Cyber Essentials is also mandatory for government contracts. The UK Government requires all suppliers bidding for contracts that involve the handling of sensitive and personal information to have certification.
Cyber Essentials certification requires organisations to adopt the five controls to prevent common cyberattacks. But maintaining these controls manually may not be feasible in terms of time and resources. Cybersecurity software can help.
GFI Software provides an array of solutions from firewalls to patch management, antivirus software and more to help protect your business against common cyber threats and attacks. More specifically, our solutions help you address 80% of your Cyber Essentials compliance requirements. The following shows you how our GFI products line up with four of the five required controls.
Secure configuration
“Ensure that computers and network devices are properly configured to reduce the level of vulnerabilities and provide only the services required to fulfil their role.”
Among the requirements for this control:
Remove and disable unnecessary user accounts
Change any default or guessable account passwords
Remove or disable unnecessary software (including applications)
GFI LanGuard automatically scans your IT environment for vulnerabilities to keep your network and applications safe. It provides a complete view of the elements in your network including devices, installed software and new hardware.
Remediation capabilities allow you to deploy software patches, remove obsolete users and take other corrective action. With GFI LanGuard, you can run scans as often as needed, over the entire network or just in specific areas. Dashboards and reports keep you up to date on vulnerabilities and security issues.
Malware protection
“Restrict execution of known malware and untrusted software to prevent harmful code from causing damage or accessing sensitive data.”
“Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform malicious actions,” says the NCSC. “Potential sources of malware infection include malicious email attachments, downloads and direct installation of unauthorised software.”
GFI MailEssentials is email protection software that can meet the anti-spam and anti-malware needs of your business. It provides 14 anti-spam filters, 4 antivirus engines, malware scanning and content filtering to protect against email threats.
The software includes four anti-malware scanning engines, each with its own detection protocols. These integrated features enhance protection of your email environment to block email-borne viruses and other malware more effectively.
Other GFI Software products provide additional protection. GFI Kerio Control includes an optionally integrated Kerio Antivirus service (Bitdefender), which helps prevent viruses, worms and spyware from entering your network. Network auditing with GFI LanGuard identifies unauthorised devices, applications and programs, which could be potential sources of malware.
Patch management
“Ensure that devices and software are not vulnerable to known security issues for which fixes are available.”
This control requires that software and applications are:
Licensed and supported
Removed when they are no longer unsupported
Updated automatically where possible
Updated within 14 days of a software update being released
GFI LanGuard automates patch management to keep your software up-to-date. It scans your network for updates that are missing in applications and operating systems. The software also identifies missing patches in web browsers and third-party software such as Adobe, Java and other major vendors.
With GFI LanGuard, you no longer have to manage updates manually. You can deploy patches automatically across the system, or deploy agents on specific machines for regular updates. If required, you can control which patches to install or roll-back if you find problems.
Beyond cybersecurity, there is an added benefit to regular patch management: many patches also fix software bugs, which can help your applications run better.
Kerio Control - Essential security for SMBs
In this video, explore the main benefits and key features of GFI Kerio Control.
Discover why businesses depend on Kerio Control to protect their vital networks against threats
Watch this “deep dive” webinar and discover the value and simplicity of GFI Kerio Control.
https://www.towergateinsurance.co.uk/liability-insurance/smes-and-cyber-attacks
Ibid
https://smallbiztrends.com/2017/07/prepared-for-a-cyber-attack-small-business.html
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf
https://www.ncsc.gov.uk/files/Cyber-Essentials-Requirements-for-Infrastructure-v3-0-January-2022.pdf
Sep 19, 2023
Step into this year's Managed Services Summit London. This blog gives you a front-row seat to the transformative partnership between GFI Software and QBS, and the unveiling of GFI AppManager, our game-changing cloud platform designed to revolutionize the MSP landscape. From our CEO Eric Vaughan’s compelling keynote to product highlights, discover how we're reshaping the future of managed services.
Jul 20, 2023
The new EU NIS2 directive impacts several sectors and digital services, marking a new chapter in how we manage cybersecurity risks. Come along with us as we unravel the intricacies of NIS2, examine its implications on your IT infrastructure, and highlight how GFI Software's solutions can streamline your journey into this new frontier of cybersecurity
Jun 19, 2023
The European Union recently introduced the NI2 Directive, a comprehensive framework to strengthen the region’s defenses against digital threats. In this blog post, we’ll look at the essentials of NIS2, discuss key impacts, and requirements, and how GFI can help businesses navigate this new cybersecurity landscape.
May 25, 2023
Dive into the Zebra Systems Be MSP! 2023 Conference. From our VP of Sales Engineering's talk to engaging conversations with the team, see what made GFI Software stand out in Vetovo, Croatia.
Mar 6, 2023
GFI AppManager was the star of the show at the 2023 MSP Expo in Fort Lauderdale, where the GFI team announced its latest offering for MSPs looking to streamline their operations.
Aug 12, 2021
Streamline business processes by incorporating fax with email