As a Government-backed initiative launched in June 2014, the term ‘Cyber Essentials’ is only just filtering through to many companies within the
nuclear sector. But what is it all about and why should we be concerned? Michael Douglass, Cyber Essentials Practitioner & Director at Yellowbus
Solutions, provides some useful insights below, helping to ensure we can all adhere to the new legislation.
What is Cyber Essentials?
In a nutshell, Cyber Essentials has been instigated by the Government as a required control measure to ensure organisations are protecting their IT
systems and associated technological and data infrastructures from internet-based threats. With the nuclear industry being a common target of
such threats, it is particularly important to ensure we are not left vulnerable.
Who does Cyber Essentials affect?
Although many SMEs across the UK have started to implement Cyber Essentials practices, if you work within or for the nuclear industry, your company
will need to become Cyber Essentials accredited. For all companies bidding for government contracts, compliance with the Cyber Essentials scheme is
a distinct advantage in the tendering process, as your work will involve the handling of sensitive and personal information.
How does Cyber Essentials work?
There are two levels of accreditation: Cyber Essentials and Cyber Essentials Plus. At the basic level, the Cyber Essentials programme provides a
comprehensive foundation focused on five core areas of basic IT hygiene controls:
1. Boundary firewalls and internet gateways – ensuring these devices have been set up effectively.
2. Secure configuration – systems should be configured securely.
3. Access control – only known people should have access to the systems.
4. Malware protection – installation of the latest virus and malware protection.
5. Patch management – using only the current supported version of applications.
With Cyber Essentials Plus, your security is assessed by an external, Cyber Essentials approved provider for enhanced assurance. Once
accredited by the authorised company, you will be able to display a Cyber Essentials logo on your communication platforms, which will demonstrate to
your customers, suppliers, investors and others that you have adhered to government cyber security standards.
How do I implement Cyber Essentials and how long does it take?
The time required to safeguard your company depends on a number of factors, including:
- How many employees you have;
- The systems you already have in place;
- Your internal resources;
- Whether you opt for Cyber Essentials or Cyber Essentials Plus.
If you have a competent in-house IT department with available resource, there is no reason why you cannot complete the assessment internally.
However, it is important to bear in mind that the process is time-consuming and requires clear evidence to support each of your answers.
Alternatively, it may be beneficial to appoint an independent accredited company to work with your IT team to help you prepare for the assessment,
guide you through the responses and documentation and become Cyber Essentials accredited.
Whether you implement the Cyber Essentials protocols internally or through a third-party supplier, you will need to find an approved company to
evaluate whether standards are met before they approve your certification.
Cyber Essentials is not bulletproof. Organisations, especially in the nuclear industry, will need to continue monitoring and implementing additional
protection measures against more advanced and targeted attacks. It is therefore important to build on Cyber Essentials once you are accredited,
and maintain regular updates to these basic security controls.
If you would like any more information regarding Cyber Essentials, what's involved or how it can help your business, please feel free to message me via LinkedIn or you can call me on 01925 838386.