Security awareness training for Cyber Essentials: There are many forms of certification for organisations looking to improve their information and cyber security. One of the most common and easily recognisable is the UK’s Cyber Essentials.

Requiring an applicant to fulfil certain cyber security controls, Cyber Essentials is not only a way of improving and helping to ensure that an organisation is better protected against information and cyber threats, but also operates as an indication to others of this commitment.

If you or your organisation are thinking about applying for Cyber Essentials certification, there is plenty that can be done in preparation, specifically, information security awareness training; but before we discuss preparing for Cyber Essentials with information security awareness training, let’s first take a look at the basics of this certification.

What is Cyber Essentials?

Working with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF), the UK government helped to develop Cyber Essentials as a set of controls to assist organisations in protecting themselves against some of the most common online security threats.

Launched back in 2014, the scheme is a form of certification, allowing organisations to gain one of two Cyber Essential ‘badges’, and is considered to be suitable for organisations of all sizes and any sector.

The first level of certification is simply ‘Cyber Essentials’. A self-assessed option designed to help protecting against a variety of common cyber security threats, and according to the UK’s National Cyber Security Centre (NCSC), acts as a deterrent in and of itself to would-be attackers seeking an ‘easy target’.

The second certification is ‘Cyber Essentials Plus’. This form of certification requires the same protections as the first level, though Cyber Essentials Plus additionally needs a “hands-on” technical verification to ensure these controls are in place.

As well as providing a set of cyber security controls, Cyber Essentials is also promoted as a certification which helps to reassure customers, attract new businesses and act as a public demonstration of your organisation’s commitment to cyber security.

Certified by the IASME, it is also worth noting that there are some government contracts that require an organisation to have Cyber Essentials certification, particular those which involve the handling of sensitive and personal information.

Cyber Essentials Five Control Themes

Below is a brief overview of the ‘five technical control themes’ of Cyber Essentials requirements for IT infrastructure.

Firewalls

Appling to boundary firewalls, desktops and laptop computers, routers and servers; the objective to establishing firewall controls is to ensure that only safe and necessary network services can be accessed from an organisation’s internet.

As part of Cyber Essentials, all firewalls (or equivalent network devices) must, amongst other things, have a robust password management process in place, block unauthenticated inbound connections as a default, document firewall related rules and prevent access to the administrative interface.

Secure Configuration

Effectively applying to all equipment, the object of secure configuration is to reduce the level of inherent vulnerabilities as well as providing computers and network devices only the services required to fulfil their role.

As many devices are not always secure in default configurations, applicants of Cyber Essentials are required to change these default, or ‘guessable’ passwords, as well as removing and disabling unnecessary user accounts or software, disabling auto-run file execution (without user authorisation), and to authenticate users before allowing internet-based access to commercially or personal sensitive data.

User Access Control

With the objective of ensuring user accounts are assigned to authorised individuals online and to provide access to only the applications, networks and computers needed for a user to perform their role, ‘user access control’ again applied to all devices.

Under Cyber Essentials, applicants are required to have, amongst other things, a specific user accounts creation and approval process, must authenticate users before granting access to apps, devices, etc., where available implement two-factor authentication, and to remove or disable special access privileges when no longer required.

Malware Protection

Preventing harmful code from causing damage or from accessing sensitive data, for Cyber Essentials, applicants must keep software up to date, software needs to be configured to automatically scan files, must automatically scam web pages which are being accessed, as well as preventing connections to malicious websites.

Patch Management

Again, applying to essentially all devices, ‘patch management’ is to ensure that vulnerabilities to known issues, for which fixes are available, are mitigated by keeping software up to date and secure.

With product vendors providing patches for vulnerabilities, applicants must ensure software is not only up to date, but licensed and supported, that software is removed from devices when no longer supported, and patched within 14 days of an update becoming available.

Preparing for Cyber Essentials with Information Security Awareness Training

While many of these requirements are technical controls, one of the most important steps that an organisation can take in helping to mitigate information and cyber security risks is educating their staff and preparing for Cyber Essentials with Information Security Awareness Training

While there are many companies which provide some level of in-house training, led by internal information security professionals or experts, specialised online information security training offers a variety of options for training, testing, and tracking your employees.

From detailed tutorials imparting the foundations of information security practices, interactive tutorials in which users put their education into practice, to simulated phishing campaigns, online information security training is increasingly the choice for organisations wanting to get serious about their security.

All of these specialised online information security training features allow an employer to not only provide their staff with necessary training, but to also monitor users’ progress and demonstrate compliance. Giving an organisation the tools to quantify and understand where weaknesses may lie.

Having robust information security awareness training tools such as these, will both set you on your way to becoming Cyber Essentials certified, but also contribute significantly to mitigating risks to your organisation.