Security Awareness Training for Cyber Essentials
There are many forms of certification for organisations looking to improve their information and cyber security. One of the most common and easily recognisable is the UK’s Cyber Essentials.
Requiring an applicant to fulfil certain cyber security controls, Cyber Essentials is not only a way of improving and helping to ensure that an organisation is better protected against information and cyber threats, but also operates as an indication to others of this commitment.
If you or your organisation are thinking about applying for Cyber Essentials certification, there is plenty that can be done in preparation, specifically, information security awareness training; but before we discuss preparing for Cyber Essentials with information security awareness training, let’s first take a look at the basics of this certification.
What is Cyber Essentials?
Working with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF), the UK government helped to develop Cyber Essentials as a set of controls to assist organisations in protecting themselves against some of the most common online security threats.
Launched back in 2014, the scheme is a form of certification that allows organisations to gain one of two Cyber Essentials ‘badges’, and is considered suitable for organisations of all sizes and in any sector.
The first level of certification is simply ‘Cyber Essentials’. It is a self-assessed option designed to help protect against a variety of common cyber security threats and, according to the UK’s National Cyber Security Centre (NCSC), acts as a deterrent in and of itself to would-be attackers seeking an ‘easy target’.
The second certification is ‘Cyber Essentials Plus’. This form of certification requires the same protections as the first level, though Cyber Essentials Plus additionally needs a “hands-on” technical verification to ensure these controls are in place.
As well as providing a set of cyber security controls, Cyber Essentials is also promoted as a certification which helps to reassure customers, attract new businesses and act as a public demonstration of your organisation’s commitment to cyber security.
Certification is issued by IASME. It is also worth noting that some government contracts require an organisation to hold Cyber Essentials certification, particularly those which involve the handling of sensitive and personal information.
Cyber Essentials Five Control Themes
Below is a brief overview of the ‘five technical control themes’ of Cyber Essentials requirements for IT infrastructure.
Firewalls
Applying to boundary firewalls, desktop and laptop computers, routers and servers, the objective of establishing firewall controls is to ensure that only safe and necessary network services can be accessed from the internet.
As part of Cyber Essentials, all firewalls (or equivalent network devices) must, amongst other things, have a robust password management process in place, block unauthenticated inbound connections by default, document firewall rules and prevent access to the administrative interface from the internet.
Secure Configuration
Applying to effectively all equipment, the objective of secure configuration is to reduce the level of inherent vulnerabilities and to provide computers and network devices with only the services required to fulfil their role.
As many devices are not secure in their default configuration, Cyber Essentials applicants are required to change default or ‘guessable’ passwords, remove or disable unnecessary user accounts and software, disable auto-run file execution (without user authorisation), and authenticate users before allowing internet-based access to commercially or personally sensitive data.
User Access Control
With the objective of ensuring that user accounts are assigned only to authorised individuals and provide access only to the applications, networks and computers a user needs to perform their role, ‘user access control’ again applies to all devices.
Under Cyber Essentials, applicants are required to have, amongst other things, a defined process for creating and approving user accounts, to authenticate users before granting access to applications and devices, to implement two-factor authentication where it is available, and to remove or disable special access privileges when they are no longer required.
Malware Protection
To prevent harmful code from causing damage or accessing sensitive data, Cyber Essentials applicants must keep anti-malware software up to date, configure it to automatically scan files and the web pages being accessed, and prevent connections to malicious websites.
Patch Management
Again applying to essentially all devices, ‘patch management’ is intended to ensure that known vulnerabilities for which fixes are available are mitigated by keeping software up to date and secure.
With product vendors providing patches for vulnerabilities, applicants must ensure that software is not only up to date but licensed and supported, that software is removed from devices when it is no longer supported, and that patches are applied within 14 days of an update becoming available.
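The patch-management theme above boils down to two checks that can be run against a software inventory: is every product still vendor-supported (if not, it must go), and has every available fix been applied within the 14-day window? The following added example, which is not code from the original post or from Hut Six, implements that check over a constructed inventory; the host names, product names, versions and dates are hypothetical sample data.

```python
"""Patch-window check against the Cyber Essentials patch-management theme.
Flags software that is unsupported or whose available fix is older than the
14-day window. All inventory data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14  # window stated in the Cyber Essentials requirement


@dataclass
class Package:
    host: str
    name: str
    installed: str      # version currently installed
    latest: str         # newest version the vendor has released
    fix_released: date  # date the vendor made `latest` available
    supported: bool     # is the product still vendor-supported?


def assess(package: Package, today: date) -> str:
    """Classify one installed package: unsupported, overdue, pending or up-to-date."""
    if not package.supported:
        return "unsupported"   # no patch will ever come; the product must be removed
    if package.installed == package.latest:
        return "up-to-date"
    age_days = (today - package.fix_released).days
    # A fix that has been available for more than 14 days and is still
    # not installed breaches the patch window.
    return "overdue" if age_days > PATCH_WINDOW_DAYS else "pending"


def report(inventory, today: date) -> dict:
    """Group host:package entries by status."""
    out = {"unsupported": [], "overdue": [], "pending": [], "up-to-date": []}
    for pkg in inventory:
        out[assess(pkg, today)].append(f"{pkg.host}:{pkg.name}")
    return out


def is_compliant(inventory, today: date) -> bool:
    """Anything unsupported or overdue fails the patch-management control."""
    r = report(inventory, today)
    return not r["unsupported"] and not r["overdue"]


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    Package("ws-01", "office-suite", "5.1", "5.2", date(2021, 1, 2), True),   # fix 20 days old
    Package("ws-02", "browser", "88.0", "88.1", date(2021, 1, 15), True),     # fix 7 days old
    Package("srv-01", "legacy-db", "9.6", "9.6", date(2019, 11, 1), False),  # end of life
    Package("srv-02", "web-server", "2.4", "2.4", date(2021, 1, 10), True),  # current
]
AS_OF = date(2021, 1, 22)  # constructed assessment date

if __name__ == "__main__":
    for status, items in report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{status:>12}: {', '.join(items) or '-'}")
    print("compliant:", is_compliant(SAMPLE_INVENTORY, AS_OF))
```

Run as-is it reports ws-01 as overdue and srv-01 as unsupported, so the sample estate would not pass; in practice the inventory would be fed from whatever asset or endpoint-management tooling the organisation already runs, and the "pending" list is the queue to work through before it becomes "overdue".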
Preparing for Cyber Essentials with Information Security Awareness Training
While many of these requirements are technical controls, one of the most important steps an organisation can take to help mitigate information and cyber security risks is educating its staff, and preparing for Cyber Essentials with security awareness training.
While there are many companies which provide some level of in-house training, led by internal information security professionals or experts, specialised online information security training offers a variety of options for training, testing, and tracking your employees.
From detailed tutorials imparting the foundations of information security practices, interactive tutorials in which users put their education into practice, to simulated phishing campaigns, online information security training is increasingly the choice for organisations wanting to get serious about their security.
All of these specialised online information security training features allow an employer not only to provide staff with the necessary training, but also to monitor users’ progress and demonstrate compliance, giving the organisation the tools to quantify and understand where weaknesses may lie.
Having robust information security awareness training tools such as these will not only set you on your way to becoming Cyber Essentials certified, but also contribute significantly to mitigating risks to your organisation.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.