What is Cyber Essentials?
Achieving Cyber Essentials certification is the most effective way for your organisation to demonstrate that it is taking cyber security seriously and is mitigating some of the most common Internet-related risks.
What are the 3 Most Common Mistakes to Avoid?
As a leading accredited Cyber Essentials certification body (CB), URM handles a significant number of applications every year from a wide variety of organisations and business sectors.
For many organisations looking to achieve Cyber Essentials certification, completing a self-assessment questionnaire (SAQ) can be a challenging exercise, particularly if they have not previously had to verify their IT infrastructure or meet the requirements of a security standard.
As a result, there are a number of recurring errors we encounter in applications which, in the worst case, can culminate in an assessment being ‘failed’ and the organisation having to resubmit.
Following feedback from our team of assessors, here are the 3 most common mistakes made by organisations submitting their Cyber Essentials SAQs.
1) Not Explicitly Recording the Operating System Version Numbers
Cyber Essentials, like many other security standards, requires that you keep your operating systems patched and up to date to ensure that any known exploits or vulnerabilities are not left exposed to attack.
For the assessor to determine if you are patching within the accepted time frame, they need to know what version of the operating system(s) you are using on your devices.
So, the questionnaire requires that you detail this; however, a large number of organisations simply submit a ‘Windows 10’ or ‘Windows 10 Pro’ description.
Given that Windows 10 has been around for over 5 years, some of the earlier versions are now end of life and out of support.
Since Microsoft release feature updates twice per year, ensuring you are on the latest version (and recording this on your SAQ) is essential. See the Windows lifecycle fact sheet: https://support.microsoft.com/en-gb/help/13853/windows-lifecycle-fact-sheet
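As an added illustration (not part of URM's post or the Cyber Essentials scheme), the following PowerShell snippet builds the kind of SAQ entry an assessor can actually check: product, feature-update version and full OS build taken from the registry, plus the most recently installed update as supporting evidence. The build-to-version table is an assumption maintained by hand from Microsoft's lifecycle information and only covers Windows 10 releases up to 20H2.

```powershell
# Added example: produce an SAQ-ready Windows version record for the local device.
# Run on each in-scope device (or via Invoke-Command) rather than writing "Windows 10 Pro".

$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Windows 10 feature-update builds mapped to their version names (assumption:
# hand-maintained from Microsoft's lifecycle fact sheet; extend as new releases ship).
$knownBuilds = @{
  '10240' = '1507'; '10586' = '1511'; '14393' = '1607'; '15063' = '1703'
  '16299' = '1709'; '17134' = '1803'; '17763' = '1809'; '18362' = '1903'
  '18363' = '1909'; '19041' = '2004'; '19042' = '20H2'
}

# DisplayVersion (e.g. "20H2") only exists from 20H2 onward; older builds carry
# ReleaseId (e.g. "1909"); the original 1507 release has neither, so fall back to the table.
$version =
  if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion }
  elseif ($cv.PSObject.Properties['ReleaseId']) { $cv.ReleaseId }
  elseif ($knownBuilds.ContainsKey($cv.CurrentBuild)) { $knownBuilds[$cv.CurrentBuild] }
  else { 'UNKNOWN' }

# CurrentBuild is the feature-update build; UBR is the cumulative-update revision.
# Together they identify exactly which monthly update level the device is on.
$build = "$($cv.CurrentBuild).$($cv.UBR)"

# Flag builds that are not in the table so they are verified against the
# lifecycle fact sheet before the SAQ is submitted.
$check = if ($knownBuilds.ContainsKey($cv.CurrentBuild)) { 'verify support status' }
         else { 'build not in table: verify manually' }

# Most recently installed update (Get-HotFix lists QFE-style updates only).
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$lastUpdate = if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToString('yyyy-MM-dd'))" }
              else { 'no dated updates recorded' }

[pscustomobject]@{
  Device     = $env:COMPUTERNAME
  SAQEntry   = "$($cv.ProductName), version $version (OS build $build)"
  LastUpdate = $lastUpdate
  Check      = $check
}
```

Pipe the output of several devices to Export-Csv to produce the device list the SAQ asks for, and review any row whose Check column is not "verify support status".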
2) Two-Factor Authentication for Administrator Accounts
Cyber Essentials requires that two-factor authentication (2FA) is used for administrator accounts whenever possible. However, we come across a number of organisations which seem to misunderstand what 2FA is and list applications or systems that are clearly not suitable.
There are three categories of factor that can be used for 2FA:
- Something you know – password, PIN, passphrase
- Something you have – token, smartcard, digital certificate
- Something you are – fingerprint, face recognition
It is important to remember that 2FA requires a user to present two factors from different categories to authenticate with the system; using the same category twice (for example, a password plus a PIN) is not a valid 2FA implementation.
3) Patch Management
This follows on from the first point above, but is more general. The Cyber Essentials standard requires that all high-risk and critical patches are applied within 14 days of release.
However, we find that a number of organisations are attempting to apply all patches (including lower-risk and less critical ones) within the two-week timeframe.
Yes, all patches should be applied in a timely manner, but organisations need to prioritise the high-risk and critical patches.
When reviewing the Cyber Essentials SAQs, we often find the comment ‘we don’t patch all systems in 14 days because of our internal testing.’
This often indicates that critical and high-risk patches may be missed because the organisation is getting bogged down testing low-risk patches.
The lesson is to ensure you have an effective patch management programme in place that prioritises the higher risk patches.
Let us Help You
URM has been providing certification to the Cyber Essentials scheme for a number of years and has a large team of experienced, pragmatic assessors who are here to support you and guide you through the process.
Not only do we bring a wealth of cyber security knowledge, but also a wide and varied experience of all the leading cyber and information security standards, including ISO 27001.
As such, you can be assured that you are getting advice that is appropriate and tailored for your organisation, taking into account your industry sector, size of organisation and the information you are looking to protect.
In addition, our large team of assessors enables us to guarantee the fastest turnaround time for applications.