
M_Achieving Cyber Essentials as a single person organisation
Cyber Essentials is a government-approved certification scheme covering essential cyber security for organisations of all sizes. Based on a risk assessment made by the experts at the National Cyber Security Centre, the scheme comprises five cyber security controls that, if implemented correctly, will protect any organisation from the majority of the most common cyber attacks, including ransomware.

Cyber Essentials is now widely recognised as an industry standard and is frequently asked for when bidding for contracts. Because it is designed to be suitable for organisations of all sizes, sole traders, micro businesses and large organisations all answer the same assessment questions. Some large businesses may find it a challenge to implement certain controls at scale across their organisation; on the other hand, a single-person business may find it difficult to understand how certain requirements apply to it. IASME is developing solutions and guidance for organisations both large and small to help them achieve certification.

This article is for sole traders and single-person practitioners.

 

How do I know what is the scope of my business?

The scope of the Cyber Essentials assessment includes the IT infrastructure used to perform your business. This will include all internet-connected electronic devices that access your company data: the computers, laptops, tablets and phones that you use to access work emails, your website, customer information, orders and so on. The scope also includes all cloud services that your organisation uses, e.g. Microsoft 365, Dropbox, Google Drive and QuickBooks.

As a sole trader, your organisation may simply include yourself, your mobile phone and the tools of your trade. It is a good idea as a starting point to create an asset register that itemises all the internet connected devices, software, and cloud services that your business uses.

Understanding your work network

Your work network is the IT infrastructure used to perform your business; it might be your home office, or just your laptop and cloud services.

You will be asked to provide a list of the network equipment that will be in scope for your assessment. This will include your devices (including make and model), firewalls and routers. Please note, your router and its firewall will be out of scope if you are working from home and the router is provided by your internet service provider, or if the router is not under your control, such as in a managed office.

Understanding your work network is vital for identifying the scope of your certification.

Examples of common networks used by single person and micro organisations

Home worker

If you work from your home or have an office at home, the following are included in your assessment:

  • All devices that access your business information including emails

  • All laptops and desktop computers (these must have a software firewall such as Windows Defender or Mac XProtect enabled)

  • All cloud services such as Microsoft 365 (must have multi-factor authentication enabled)

Out of scope:

  • Your home router and boundary firewall within the router if provided by your internet service provider

 

[Image: Home Worker V2.png]

Office/shop

If you work from an office premises or shop, the following are in scope or included in your assessment:

  • All devices that access your business information including emails

  • All laptops and desktop computers (these must have a software firewall such as Windows Defender or Mac XProtect enabled)

  • All cloud services such as Microsoft 365 (must have multi-factor authentication enabled)

  • Your router and boundary firewall

 

[Image: Shop or Office V2.png]

Serviced office or hot desk

If you work in a serviced office or on a hot desk, the following are included in your assessment:

  • All devices that access your business information including emails (laptops and desktop computers must have a software firewall such as Windows Defender or Mac XProtect enabled)

  • All cloud services such as Microsoft 365 (must have multi-factor authentication enabled)

Out of scope:

  • The router and boundary firewall within the router as they are not under your control

 

[Image: Serviced Office V2.png]

 

I outsource my IT, can I let my provider deal with Cyber Essentials?

Unfortunately, you cannot pass the Cyber Essentials questionnaire on to your IT company and not get involved. The business owner is ultimately responsible and accountable for the answers and must sign their name to acknowledge that.

Yes, the third party who ‘helps’ you with your IT systems is accountable for their actions, but it is you who pays for the licences to run your business on those machines, and you are responsible for those actions. If you are the business owner, the responsibility for the controls, the passwords, the accounts and any potential data breach is yours alone.

Please note that some IT providers may have good technical knowledge, but they do not always have a good understanding of cyber security. You will need to give clear and detailed instructions about the security controls you want them to implement.

Cyber Essentials is generally considered the minimum level of certification for a UK organisation to prove that it is compliant with the basic controls that would prevent the majority of cyber attacks. It is highly recommended that you look for an IT provider that is Cyber Essentials certified. This demonstrates to you that the provider is serious about cyber security as well as being fully competent and supportive when it comes to implementing the controls on your network.

To help you manage the responsibility of your cyber security, we have created a resource for you to use.

A comprehensive list of questions is available for you to download or print off and give to your third-party provider.

Ask your provider to return the answers and relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements. 

You should also have a Service Level Agreement (SLA) and contract with any third-party IT supplier.

 

 

It is only me in the business, why do I need two accounts on my computer?

Every computer has an administrator account which carries ‘administrator privileges’. These accounts allow the user, amongst other things, to install, modify and delete software. This level of access carries security risks: unfortunately, you have the ability to do things that you never really intended to do, some of which can cause major problems with the computer. It’s quite easy for an administrator to accidentally delete an important system file or change a setting that renders the PC unstable or un-bootable. If your account is breached by an attacker, they will have the same privileges as the account you are logged in as, and if that is an admin account, they will be able to perform actions such as installing malicious software, deleting files and accessing sensitive data.

No one, not even home users, should use administrator accounts for everyday computer use, such as web surfing, emailing or office work. Instead, those tasks should be carried out by a standard user account. Even if you are a sole trader or work in a single person company you still need at least two accounts on your computer.

By default, the first account that you set up on a Mac or Windows computer has administrator privileges. If you work for a small business or for yourself, you might not realise that you are permanently logged on with an administrator account.

After you have got set up on your Windows or Mac machine, you should create an additional administrator account and then downgrade your regular account to a standard user account, even when you’re the only person who uses the computer. You can still perform administrative tasks by typing in the password of the admin account when prompted.

 

Why do I need a process to create and track user accounts and admin accounts?

 

Keeping track of who has access to your online accounts

As a single person business, you might think you are the only one who has access to your online accounts, but the occasional, casual and guest user on your account can add substantial risk to the security of your information.

Most single-person businesses use IT support. It makes sense to outsource something that is potentially complicated and not your field of expertise. Do you know how many consultants access your account? Do they each have a separate admin account, or do they share one? If a friend has built a website for you on your laptop, do you know what accounts she has and what she is doing? If there is an incident and your computer has a problem, who instigated that problem? Unfortunately, it is still your problem.

Account creation and tracking is a very important part of understanding and controlling who has access to your network and your data; this is part of supply chain security. You need to maintain control of this and be able to demonstrate that you take this seriously.

Third-party contractors aside, many sole traders truly believe they will never employ anyone else, so why would they have a process for creating user accounts? Yet work gets busy and things are hectic, and the next thing you know, there are 10 employees. It’s really about understanding how to run an efficient and secure business that is ready for change and growth. Cyber Essentials will help you implement controls to be better protected, and you will also know what to consider if your business gets bigger, which happens a lot.

If you're a micro company (up to 10 people), you should definitely have a process for creating and tracking user accounts and ensuring account separation. This is best practice and essential cyber security.

Single-person organisations and micros need to demonstrate that they understand the essence of good security and how processes will change if they grow bigger. So, when they answer a question like A 7.1, ‘Are users only provided with user account after the process has been followed to approve their creation?’, they may clarify that they are currently the only person in the business but are aware of supply chain security and how things would change if employees came on board.

Do you have a process for tracking the user accounts of people who join or leave? Please note that you need to be able to show that you have considered this process for potential new staff, even if you are a one-person organisation.

What does a process look like for a single person org?

We cannot provide policy templates for Cyber Essentials, and the exact process is not specified in the requirements document because there are many different ways to achieve the same outcome.

One example would be using a spreadsheet or a document to register:

  • who has been given a user account and/or an admin account

  • what date each account was created and allocated

  • who authorised the account

  • what privileges/access it allows

  • if/when it is closed or deleted

It is also good practice to track and document when the accounts are reviewed, which should be done every six months.

Even if this register only includes the business owner, it will be up and running and available should another account need to be authorised.
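The register described above can be as simple as a spreadsheet, but it helps to see the checks a reviewer would run over it. The following is an added example, not IASME or NCSC material: it keeps the register as a small CSV with the columns listed above, reports who currently holds an account (and which of those are admin accounts), flags open accounts whose six-monthly review is overdue, and records a leaver by closing the row rather than deleting it. The names, dates and column layout are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REVIEW_INTERVAL = timedelta(days=182)  # "every six months", as the guidance recommends

# Constructed sample register (hypothetical names and dates). In practice this is
# the spreadsheet or document the business owner keeps under their own control.
SAMPLE_REGISTER_CSV = """\
account,holder,type,created,authorised_by,privileges,last_reviewed,closed
owner-admin,Alice Example,admin,2023-01-10,Alice Example,local administrator on laptop,2024-01-15,
owner,Alice Example,user,2023-01-10,Alice Example,standard user for daily work,2024-01-15,
itsupport,Example IT Ltd,admin,2023-06-02,Alice Example,remote support administrator,2023-06-02,
webdev,Friend Web Design,user,2023-09-20,Alice Example,website editor,2023-09-20,2023-11-30
"""


@dataclass
class AccountRecord:
    account: str
    holder: str
    type: str               # "user" or "admin"
    created: date
    authorised_by: str
    privileges: str
    last_reviewed: Optional[date]
    closed: Optional[date]  # set when the account is closed or deleted

    @property
    def is_open(self) -> bool:
        return self.closed is None

    def review_overdue(self, today: date) -> bool:
        """Open accounts must be reviewed at least every six months."""
        if not self.is_open:
            return False
        return self.last_reviewed is None or today - self.last_reviewed > REVIEW_INTERVAL


def _opt_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def load_register(csv_text: str) -> List[AccountRecord]:
    """Read the register; every row is one account that was created and authorised."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append(AccountRecord(
            account=row["account"], holder=row["holder"], type=row["type"],
            created=date.fromisoformat(row["created"]),
            authorised_by=row["authorised_by"], privileges=row["privileges"],
            last_reviewed=_opt_date(row["last_reviewed"]),
            closed=_opt_date(row["closed"]),
        ))
    return records


def open_accounts(records: List[AccountRecord], admin_only: bool = False) -> List[str]:
    """Who currently has access (optionally only the admin accounts)."""
    return [r.account for r in records
            if r.is_open and (not admin_only or r.type == "admin")]


def accounts_overdue_review(records: List[AccountRecord], today_iso: str) -> List[str]:
    """Accounts whose six-monthly review is due as of the given date (ISO format)."""
    today = date.fromisoformat(today_iso)
    return [r.account for r in records if r.review_overdue(today)]


def close_account(records: List[AccountRecord], account: str, closed_iso: str) -> None:
    """A leaver is not deleted from the register; the row keeps its closure date."""
    for r in records:
        if r.account == account and r.is_open:
            r.closed = date.fromisoformat(closed_iso)
            return
    raise KeyError(f"no open account named {account!r}")


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER_CSV)
    print("Open accounts:       ", open_accounts(register))
    print("Open admin accounts: ", open_accounts(register, admin_only=True))
    print("Review overdue:      ", accounts_overdue_review(register, "2024-03-01"))
```

Run as of 1 March 2024, the sample flags the IT support admin account, last reviewed in June 2023, as overdue, which is exactly the kind of third-party access the questions above are asking you to keep track of.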

Use technical measures to enforce the password requirements 

The Cyber Essentials password requirements can be achieved through policies, procedures, training or technical controls. Although there are many different ways to achieve compliance by combining these methods, you cannot rely on policies alone and must put technical control settings into the platforms that your organisation uses. Cyber Essentials works through applying technical measures that prevent cyber incidents.

Examples of technical controls:

Using the admin account on your platform or service, it is possible to configure the technical controls that manage the quality of acceptable passwords, prevent brute-force attacks and require multi-factor authentication. This might mean that passwords have to be over a minimum character length and that common, easily guessable passwords are disallowed via an automatic deny list. Accounts can be set to lock after a set number of unsuccessful login attempts, or the user can be made to wait between failed attempts. This is known as ‘throttling’ the rate of attempts and prevents attackers from using tools to try different combinations of characters until the correct combination is found. The administrator can also enable multi-factor authentication and set the predefined circumstances in which the user will automatically be asked for another form of authentication in addition to their password. This might be when they perform a sensitive action, when they log into their account for the first time, or when they log in from an unknown device or IP address.
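To make the four controls in that paragraph concrete, here is an added example (not IASME or NCSC code, and not how any particular platform implements them) of a minimal login service that applies them: a minimum length, a deny list of common passwords, a lockout after a set number of failed attempts, and a multi-factor prompt whenever a correct password arrives from a device or IP address the account has not used before. The thresholds, the deny-list entries and the sample account are constructed; the current time is passed in rather than read from the clock so the lockout behaviour can be followed step by step.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Set

# Policy settings (constructed values; a real platform exposes these in its admin console).
MIN_LENGTH = 12            # matches the "over 12 characters" advice later on this page
MAX_FAILED_ATTEMPTS = 5    # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60  # how long the lock (throttle) lasts
# Constructed fragment of an automatic deny list of common, easily guessed passwords.
DENY_LIST = {"password", "password1234", "123456789012", "qwertyuiop12", "letmein12345"}


def password_acceptable(password: str) -> bool:
    """Quality control: long enough and not on the deny list."""
    return len(password) >= MIN_LENGTH and password.lower() not in DENY_LIST


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen password database cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    known_devices: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def create_account(username: str, password: str, device: str, ip: str) -> Account:
    """Enrol a user; the first device and IP address become the trusted baseline."""
    if not password_acceptable(password):
        raise ValueError("password does not meet the policy")
    salt = secrets.token_bytes(16)
    return Account(username, salt, _derive(password, salt), {device}, {ip})


def attempt_login(acct: Account, password: str, device: str, ip: str, now: float) -> str:
    """Return 'locked', 'rejected', 'mfa_required' or 'ok'.

    `now` is the current time in epoch seconds, passed in so the behaviour is testable.
    """
    if now < acct.locked_until:
        return "locked"                      # throttled: the password is not even checked
    if not hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "rejected"
    acct.failed_attempts = 0
    if device not in acct.known_devices or ip not in acct.known_ips:
        return "mfa_required"                # unknown device or IP: ask for a second factor
    return "ok"


def complete_mfa(acct: Account, device: str, ip: str) -> None:
    """Call once the second factor has been verified; the device and IP become known."""
    acct.known_devices.add(device)
    acct.known_ips.add(ip)
```

The point of the `locked` branch is that it returns before the password is compared, so a tool hammering the login form learns nothing during the lockout; the `mfa_required` branch is the "unknown device or IP address" trigger from the paragraph above, applied only after the password itself has been accepted.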

 

Account compromise

It is important to have an established process that details how to change passwords promptly if you believe or suspect that a password or account has been compromised.

What is a compromised account?

A compromised account is any account that has been accessed by an unauthorised person using its login details (username and password).

This can happen for a variety of reasons that include:

  • using a weak password that can be guessed or brute forced

  • failure to enable multi-factor authentication (MFA) on online accounts

  • a public data breach

  • falling for a phishing scam

  • having malware unknowingly installed on your device

How will I know?

You may be notified by the manufacturer or a supplier that there is a security weakness in their product, or you may notice irregular things on your account: your email account is sending messages that you did not create, your passwords have been changed, or files, applications or services have been deleted, changed or cannot be accessed.

Compromise is far from always obvious: according to IBM, it can take a company 197 days to discover a breach.

What should I do?

As soon as you suspect something is not right, immediately change your password to something unique and over 12 characters long and, if possible, enable multi-factor authentication. Then notify your contacts and, if serious, Action Fraud.

Account compromise also raises the important issue about who controls your accounts and passwords.

Many organisations put their faith in an IT service provider who manages their firewall, router and the admin passwords to their accounts. It must be noted, however, that one of the places your passwords can be compromised is at your IT provider.

What would you do if your password is compromised or lost by your IT provider?

Consider what would happen if your IT provider became indisposed, or had a rogue employee who changed all your passwords. Would you know how to access your own accounts? Your own firewall? Would you know how to change the password?

Business owners should not rely solely on their IT providers to hold sensitive information like passwords, as there is a risk of compromise through insider attacks, lost passwords or a cyber breach at the IT provider. The IT provider is a third-party consultant who assists a business, but they do not own the accounts or the business responsibility. The accounts and the passwords are the property and responsibility of the business owner.

Likewise, IT providers must respect their clients’ ownership of their accounts and not claim ownership or control over account administration, as this can lead to security risks and disputes.


 

Managing your ports

What is a port and how do I know if they are open?

Your organisation’s devices will connect to the outside, wider internet through a gateway. A gateway in a network has the same job as a gateway in a field. It is there to keep some things in, keep some things out and allow specific things to pass through.

It is important that your gateway doesn’t have holes which could allow things to pass through that you don’t want. Your firewall protects this gateway.

At times your firewall may be configured to open a hole and allow a system inside your network to become accessible from the wider internet (such as a Virtual Private Network server, a mail server or a service that is accessed by your customers). This is sometimes referred to as ‘opening a port’. There are many reasons why you might want to do this, and it is possible to do it securely; however, there needs to be a valid business requirement to open a port. If this has not been a considered and deliberate decision, it could present a risk to your organisation and the safety of its information.

A ‘bot’ is a software application that runs automated tasks over the internet. Criminals use bots to scan the internet for open ports and services that are available for use and could be exploited. If there is a vulnerability or misconfiguration, they will know before you do.

It is crucial to understand the importance of managing ports for security reasons. Always review what services from within your network you expose to the outside world, and how many people you are allowing to use that service. For a sole trader using a laptop for email, most or all ports should be closed.

Please note that although many modern devices such as routers come with security settings switched on by default, you cannot take that for granted. Other devices arrive ‘out of the box’ with security settings notably absent, and it is important to know for sure whether your network is exposed to the internet. For example, some home workers do not use the router that their internet service provider sent them; instead, they use a router that they have bought. Some such routers have a default setting in which all of their ports are open, which exposes your network to attackers on the internet. It is vital that you know whether this is the case.
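One practical way to start the review the section above asks for is to list what your own computer is listening on, and separate the services that only programs on the same machine can reach from those bound to an address other computers can connect to. The following is an added example, not IASME or NCSC material: it parses output in the layout of the Linux `ss -tuln` command (the sample output embedded here is constructed) and reports the listeners that would need a business reason, or closing. Whether such a listener is actually reachable from the internet still depends on the router and boundary firewall in front of the machine, which this script cannot see.

```python
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of `ss -tuln` on Linux (listening TCP and UDP sockets).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      511              [::]:80            [::]:*
tcp   LISTEN 0      4096            [::1]:5432         [::]:*
udp   UNCONN 0      0             0.0.0.0:5353       0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass
class Listener:
    proto: str
    address: str
    port: int

    @property
    def local_only(self) -> bool:
        """Bound to loopback: reachable only by programs on this machine."""
        return self.address.startswith(LOOPBACK_PREFIXES)


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tuln` text into Listener records (the header line is skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":
            continue
        address, _, port = local.rpartition(":")  # rpartition copes with [::]:80 as well
        listeners.append(Listener(proto, address, int(port)))
    return listeners


def exposed_listeners(listeners: List[Listener]) -> List[str]:
    """Services bound to a non-loopback address: each needs a business reason, or closing."""
    return [f"{l.proto}/{l.port}" for l in listeners if not l.local_only]


def review(output: str) -> Dict[str, List[str]]:
    """Split the listeners into the two groups a reviewer cares about."""
    listeners = parse_ss(output)
    return {
        "exposed": exposed_listeners(listeners),
        "local_only": [f"{l.proto}/{l.port}" for l in listeners if l.local_only],
    }


if __name__ == "__main__":
    try:  # use the real machine's sockets when `ss` is available, otherwise the sample
        text = subprocess.run(["ss", "-tuln"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT
    for group, ports in review(text).items():
        print(f"{group:10s}", ", ".join(ports) or "(none)")
```

On the constructed sample the review reports SSH (tcp/22), a web server (tcp/80) and mDNS (udp/5353) as exposed, while the printer service and database bound to loopback are local only. For the sole trader using a laptop for email, the `exposed` list should be close to empty; anything in it that you cannot name a business reason for is the first thing to switch off.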

I am not technical but know I need to learn about cyber security, where do I start?

The Cyber Essentials Readiness Tool is a great starting point. This free online tool is a series of interactive questions that have been developed to lead you through the different aspects of your organisation’s cyber security. Based on your answers to the questions, you will be signposted towards the appropriate guidance, written in a non-technical, easy-to-understand style. Upon completion, you will understand your level of preparedness for undertaking Cyber Essentials and be presented with a tailored action plan and detailed guidance for any requirements or steps still to be achieved.

Another resource is the Cyber Essentials Knowledge Hub which is a central, up-to-date source of reliable information. With content being added all the time, you can find approved information about: tech and cyber basics, the five controls, scope, guidance that is size and sector specific, device and software support periods, a Cyber Essentials glossary and the latest updates to Cyber Essentials.

The Cyber Advisor (Cyber Essentials) scheme was designed to offer small and medium sized organisations in the UK and Crown Dependencies a choice of qualified cyber security experts assured by the National Cyber Security Centre (NCSC). Cyber Advisors are able to apply their technical knowledge and provide hands-on support to help an organisation put basic cyber security measures in place and to achieve Cyber Essentials certification.

To help organisations certify to Cyber Essentials and Cyber Essentials Plus, there is a network of specially trained and licensed cyber security companies called Certification Bodies located around the UK and Crown Dependencies. These cyber security experts assess applications, conduct audits and issue certification as well as offering help and advice in preparation for the assessment.

 

The Cyber Essentials assessment looks rather complicated, is there something simpler I could do to cover the basics?

When it comes to cyber security, everyone would love a short cut. However, as a minimum baseline scheme, Cyber Essentials is already the most direct and effective route.

Read the NCSC blog that debates whether an equivalent cyber security standard can deliver the same outcomes as the NCSC’s Cyber Essentials scheme.
