Cyber Essentials Certification Checklist: get ready for your Cyber Essentials self assessment

Cyber Essentials Checklist

The Cyber Essentials certification is a straightforward process that lets you assess your business’s cyber security controls against a fixed set of requirements. But how do you get ready for the self-assessment?

Cyber Essentials is a UK government scheme run by the National Cyber Security Centre (NCSC). It aims to make cyber security both more accessible and a priority for small and medium-sized businesses.

You don’t want to go in blind, otherwise the exercise becomes a waste of time. So we’ve pulled together a checklist to make sure you have everything in place before you start. There is more to think about than you may expect.

But it’s OK. We’re here to make your life that bit easier so you can get one step ahead. Cyber Essentials certification is included in our managed IT services in London.

Get ready for Cyber Essentials: our checklist at a glance
These are the key areas and equipment that will be assessed for the Cyber Essentials certification. And we’ll go into a little more detail on each of them below.

  • Hardware or devices used by your organisation
  • Software and firmware used by your organisation
  • Boundary devices
  • Firewalls and protecting your internet gateway
  • Cloud services
  • Secure configurations
  • Use of passwords
  • Protection against malware
  • User accounts

Get ready for Cyber Essentials: our checklist in more detail

1. Hardware or devices used by your organisation

You need to know the full scope of the electronic equipment your organisation owns or uses to access its data. Make sure to keep track of the following:

  • Computers
  • Servers
  • Laptops
  • Phones
  • Tablets
  • Printers
  • Thin clients

You should already have an inventory in place, but it’s also important that you can reach every item on it (either in person or remotely) to check its configuration and patch level.

Before you move forward, you need to understand which items you own, which you rent, which are employee-owned devices used for work (these are in scope if they access organisational data or services), and which may be brought onsite by external contractors.

2. Software and firmware used by your organisation
Where hardware is the physical device and equipment, the software is the operating system, programs, and apps used on the equipment. This is what allows you to interface with the equipment and use it for all of your daily work needs.

Firmware is software embedded in a piece of hardware, such as a router or a printer, that allows it to do what it is designed to do. It needs updating just like an operating system.

So you need to know which software and firmware you have in place and whether it is currently supported by the vendor. Support means that when a vulnerability is found, the vendor releases a fix. Cyber Essentials expects updates that fix high or critical vulnerabilities to be applied within 14 days of release, so it is not enough that a patch exists; you need a process that gets it installed.

Here are some questions to ask:

  • Do you have a list of all software/firmware used on devices within your organisation?
  • Do you have any virtualisation infrastructure within your organisation?
  • Do you have automatic updates enabled on all your software?
  • Do you use software that is no longer in support?
  • Have devices that are running unsupported software been either removed or moved to a segregated sub-set of the network with no internet access?

3. Boundary devices
These are the devices found at the edge of your network, for example the office firewall or a broadband router. Most routers supplied by your Internet Service Provider (ISP) have a firewall built in. Your organisation may also have a separate hardware firewall device, so it’s important to check for this too, as it is critical that all of them are correctly configured.

Note that smartphones and tablets do not come with a firewall as standard. Cyber Essentials does not require one on these devices, provided you only allow apps from trusted, reputable sources.

Here are some questions to ask:

  • Do you have a firewall (or a router with a firewall) between your business network and the internet?
  • On your firewalls and internet gateways, have you changed every default password to one that is difficult to guess and at least 8 characters long?
  • If you believed a firewall password had become known (for example, someone who knew it left, or the same password was found in a breach elsewhere), would you know when and how to change it?

4. Firewalls and protecting your internet gateway
These days, most if not all of your devices will connect to the internet in some way, and that connection to the outside world passes through a gateway. Like a gate in a field, it keeps some things in and other things out, and lets specific things pass through.

You need to protect your gateway to the wider internet with a firewall. This is one of the most important mechanisms to assess and maintain for your cyber security: the firewall should block all inbound connections by default and only allow the specific services you need.

Here are some technical questions to ask about your firewall and internet gateway:

  • Do you have services enabled that are accessible from the internet? For each one, is there a documented business need, and is the rule removed when that need ends?
  • Can your internet routers or hardware firewalls be administered over the internet? This is often the case when a third-party IT support company manages those devices on your behalf. If so, the administration interface must be protected by multi-factor authentication or restricted to a trusted IP address range.
  • Have you configured your internet routers or hardware firewalls to block every other inbound service, so that nothing is advertised to the internet by default?
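The questions in sections 3 and 4 boil down to a few checks you can run against a firewall’s rule set: the default inbound policy should be deny, no administration port should be reachable from any source address, and every other open port should be one you can justify. The script below is an added example (it is not part of the original checklist and not a tool from any vendor) that audits a constructed rule set in Linux iptables-save format against those three points. The sample rules, the list of administration ports and the severity labels are assumptions made for the example; a real device will need its own export format parsed, but the logic is the same.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample rule set in iptables-save format. Not from a real device:
# it deliberately mixes a default-allow policy, an SSH and an RDP port open to
# the world, an HTTPS service open to the world, and an admin port that is
# correctly restricted to one trusted address range (203.0.113.0/24).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
COMMIT
"""

# Assumed list of ports that expose an administration interface.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 8080: "http-admin", 8443: "https-admin"}


@dataclass
class Finding:
    severity: str   # "high" or "info"
    message: str


def parse_policies_and_rules(text):
    """Return (chain -> default policy, list of INPUT rule lines)."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):               # e.g. ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT"):
            rules.append(line)
    return policies, rules


def rule_fields(rule):
    """Pull source, protocol, destination port and target out of one rule."""
    src = re.search(r"-s\s+(\S+)", rule)
    proto = re.search(r"-p\s+(\S+)", rule)
    dport = re.search(r"--dport\s+(\d+)", rule)
    target = re.search(r"-j\s+(\S+)", rule)
    return {
        "src": src.group(1) if src else "0.0.0.0/0",   # no -s means any source
        "proto": proto.group(1) if proto else "all",
        "dport": int(dport.group(1)) if dport else None,
        "target": target.group(1) if target else None,
    }


def is_unrestricted(src):
    """True when the source is the whole address space (prefix length 0)."""
    return ipaddress.ip_network(src, strict=False).prefixlen == 0


def audit_inbound(text):
    """Audit a rule set and return a list of Findings."""
    policies, rules = parse_policies_and_rules(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append(Finding("high", f"INPUT default policy is {policies.get('INPUT')}: "
                                        "inbound traffic should be blocked by default"))
    for rule in rules:
        f = rule_fields(rule)
        if f["target"] != "ACCEPT" or f["dport"] is None:
            continue                                   # loopback / conntrack rules etc.
        if f["dport"] in ADMIN_PORTS and is_unrestricted(f["src"]):
            findings.append(Finding("high", f"{ADMIN_PORTS[f['dport']]} ({f['proto']}/{f['dport']}) "
                                            "administration interface reachable from any source"))
        elif is_unrestricted(f["src"]):
            findings.append(Finding("info", f"{f['proto']}/{f['dport']} is open to the internet: "
                                            "confirm there is a documented business need"))
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULESET):
        print(f"[{finding.severity}] {finding.message}")
```

Run against the sample, the script reports the default-allow policy, the SSH and RDP ports, and notes HTTPS for review, while the restricted 8443 rule passes. That last case is the point of the remote-administration question above: an admin interface that is reachable only from a named trusted range is acceptable, one open to the world is not.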

5. Cloud services
Many SMBs use cloud services such as Microsoft 365, Dropbox, Google Workspace, AWS and Citrix Workspace. They give remote access to servers and file sharing, which is extremely convenient, but they also widen the attack surface.

If workers can reach organisation information over the internet from any location, so can criminals. This has driven an increasing number of attacks on cloud services, most of them built around stealing or guessing users’ passwords to get into their accounts, which is why multi-factor authentication (MFA) matters so much here.

It is crucial that organisations understand their role and responsibilities in the security of the cloud services they use. The five core controls of Cyber Essentials apply to all cloud services.

Here are some things to check regarding your cloud services before you begin your Cyber Essentials self-assessment:

  • Do you have a list of all the cloud services you use in your organisation?
  • Have you enabled MFA on all accounts to access all the cloud services that you use?
  • Have you located and understood the ‘shared responsibility’ security arrangement for each of the cloud services you use?

6. Secure configurations
The set-up process for a new computer is designed for ease of use above all else. That is ideal for getting started, but it means security considerations are not built in.

A standard ‘out-of-the-box’ set-up may enable an admin account with a publicly known default password. Often there are additional user accounts enabled and pre-installed, and sometimes even a default file share.

From unnecessary applications to low-security defaults, a lot needs to be done before someone receives their device, especially when onboarding remote employees who will never bring it into the office.

Here are some questions you can ask to improve the set-up configuration:

  • Have you gone through the devices you have and removed or disabled the software you don’t use?
  • Have you ensured that the only accounts on your devices and cloud services are those used as part of your day-to-day business?
  • Is “AutoRun” or “AutoPlay” disabled on all of your systems?
  • For mobile devices, do you enforce a locking mechanism before the installed software and services can be used? This might be a PIN, a password, a face scan or a fingerprint.

7. Use of passwords
Passwords need to be long and hard to guess so that people can’t get into your systems with them. Contrary to older advice (many systems still force a change every 90 days), Cyber Essentials does not expect regular password expiry, and the NCSC advises against it because it pushes people towards predictable variations. Instead, passwords must be changed promptly when you believe they have been compromised, and employees should be encouraged not to reuse the same password across the systems they use in your network.

Here are some things to look out for to improve password security:

  • Do you ensure that all default passwords on all devices are changed?
  • Do you have something written down that tells all users why they must use different passwords for different systems?
  • Do you make sure that each user has their own username and password, with no shared accounts?
  • Do you have something written down that tells all users how to create good passwords? Does your policy specify the technical controls that manage password quality within your organisation (for example a minimum length, or a deny-list of common passwords)? Does it include a process for when you believe a password or an account has been compromised?
  • Is there support in place to help employees choose unique passwords for their work accounts, such as a password manager?
  • Have you put measures in place to protect accounts against brute-force password guessing, such as MFA, throttling of login attempts or account lockout after repeated failures?
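The last two questions above are about controls, not policy documents, so here is an added example (not from the original checklist and not a product’s code) of what they look like in practice. It implements a sliding-window throttle for login failures and a password quality check. The thresholds follow the ones the Cyber Essentials requirements give for password-based authentication: no more than 10 guesses in 5 minutes, a minimum of 8 characters, and a deny-list of common passwords. The deny-list excerpt, the `FakeClock` helper and the `verify` callback are assumptions made so that the example runs offline.

```python
import time
from collections import deque

# Cyber Essentials thresholds for password-based authentication (assumed here
# as constants so the example is self-contained).
MAX_ATTEMPTS = 10       # lock/throttle after no more than 10 failures ...
WINDOW_SECONDS = 300    # ... within 5 minutes
MIN_LENGTH = 8

# Constructed excerpt of a common-password deny-list; a real one is much longer.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1", "letmein"}


def password_meets_policy(password, deny_list=COMMON_PASSWORDS):
    """Return (ok, reason): at least MIN_LENGTH characters and not on the deny-list."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in deny_list:
        return False, "on the common-password deny-list"
    return True, "ok"


class LoginThrottle:
    """Sliding-window throttle: a user with MAX_ATTEMPTS failures in the last
    WINDOW_SECONDS is refused before the password is even checked, so an
    attacker cannot confirm a correct guess while locked out."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self._max = max_attempts
        self._window = window
        self._clock = clock                 # injectable for testing
        self._failures = {}                 # username -> deque of failure timestamps

    def _recent_failures(self, user, now):
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > self._window:
            q.popleft()                     # drop failures outside the window
        return q

    def is_locked(self, user):
        return len(self._recent_failures(user, self._clock())) >= self._max

    def attempt(self, user, password, verify):
        """verify(user, password) -> bool. Returns 'locked', 'ok' or 'denied'."""
        now = self._clock()
        q = self._recent_failures(user, now)
        if len(q) >= self._max:
            return "locked"                 # refused without consulting verify()
        if verify(user, password):
            q.clear()                       # successful login resets the counter
            return "ok"
        q.append(now)
        return "denied"


class FakeClock:
    """Assumed test helper: a clock the example can move forward by hand."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    verify = lambda user, pw: pw == "correct horse battery staple"   # stand-in for a real check
    for i in range(10):
        print(throttle.attempt("alice", f"guess{i}", verify))        # denied x10
    print(throttle.attempt("alice", "correct horse battery staple", verify))  # locked
    clock.now += WINDOW_SECONDS + 1
    print(throttle.attempt("alice", "correct horse battery staple", verify))  # ok
    print(password_meets_policy("Password1"), password_meets_policy("hamster-kettle-orbit"))
```

Two design points worth noting: the lockout check runs before the password is verified, so the eleventh attempt is refused even when it is correct, and the window is per user rather than per source address, so an attacker rotating through proxies is still throttled. Throttling alone satisfies the brute-force question; MFA on top of it is the stronger answer.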

8. Protection against malware
What is malware? It is malicious software designed to steal, corrupt or encrypt your information, or to stop you getting it to where it needs to go.

One way to protect your devices and network against malware is to keep your software up to date with the latest security patches, so enabling automatic updates across your systems is ideal. Anti-malware software, which also needs to update itself regularly, is another important way of keeping your data and systems protected. Cyber Essentials accepts either anti-malware software or application allow-listing (only approved, signed applications can run) as the control on each device.

Three key things to ask when protecting against malware:

  1. Are all of your computers, your laptops, and your mobile phones enrolled for automatic updates?
  2. Is antivirus software installed on all of your devices?
  3. Where you rely on an app store or application allow-listing instead of anti-malware software, are users prevented from installing unsigned or unapproved applications?

9. User accounts
The final part of your Cyber Essentials self-assessment is about how you set up and manage user and administrator accounts. You need to consider the processes for creating accounts, tracking new arrivals and departures, changing an account’s status, and how employees use administrator accounts. The principle is least privilege: an administrator account exists only for administration, and the person who holds it uses a separate standard account for everything else.

The questions you need to ask are as follows:

  • Is there a process you follow in order to create a new user account, and is each account approved before it is created?
  • Do you have a process for tracking the accounts of people who join or leave, so that a leaver’s access is removed promptly?
  • Is there a process that is followed before a member of staff is given an administrator account?
  • Do you have a process for ensuring that employees do not use administrator accounts for day-to-day activities such as browsing the internet and checking email?
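The last two questions can be answered with evidence rather than a statement of intent if you check your sign-in records. The script below is an added example (not from the original checklist and not a product’s tooling) that runs two such checks over a constructed sign-in export: administrator accounts signing in to anything other than an administration application, and leavers signing in after their leaving date. The CSV layout, the account names, the set of administration applications and the leaver list are all assumptions made for the example; a real export from your directory or cloud service will have different column names but the same logic applies.

```python
import csv
import io
from collections import defaultdict

# Constructed sign-in export (not real data). bob-admin uses an admin account
# for email and browsing; dave left on 2024-04-30 but still signs in.
SAMPLE_SIGNINS = """\
timestamp,user,application,result
2024-05-01T08:02:11Z,alice@example.com,Exchange Online,success
2024-05-01T08:05:40Z,alice-admin@example.com,Admin Portal,success
2024-05-01T09:15:03Z,bob-admin@example.com,Exchange Online,success
2024-05-01T09:16:10Z,bob-admin@example.com,Web Browser,success
2024-05-01T10:00:00Z,carol@example.com,SharePoint Online,success
2024-05-01T11:22:45Z,bob-admin@example.com,Admin Portal,success
2024-05-01T12:30:00Z,dave@example.com,Exchange Online,success
2024-05-01T12:31:00Z,dave@example.com,Exchange Online,failure
"""

# Assumed inputs: in practice these come from your directory's admin role
# membership and from your leaver process.
ADMIN_ACCOUNTS = {"alice-admin@example.com", "bob-admin@example.com"}
ADMIN_APPS = {"Admin Portal"}
LEAVERS = {"dave@example.com": "2024-04-30"}   # user -> last working day (ISO date)


def read_signins(csv_text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_admin_misuse(csv_text, admin_accounts=ADMIN_ACCOUNTS, admin_apps=ADMIN_APPS):
    """Admin accounts used for anything other than administration.
    Returns {admin_user: [(timestamp, application), ...]}."""
    hits = defaultdict(list)
    for row in read_signins(csv_text):
        if (row["user"] in admin_accounts
                and row["application"] not in admin_apps
                and row["result"] == "success"):
            hits[row["user"]].append((row["timestamp"], row["application"]))
    return dict(hits)


def find_leaver_signins(csv_text, leavers=LEAVERS):
    """Sign-in attempts (successful or not) by leavers after their last day.
    ISO-8601 timestamps compare correctly as strings, so the date prefix is enough."""
    hits = []
    for row in read_signins(csv_text):
        last_day = leavers.get(row["user"])
        if last_day is not None and row["timestamp"][:10] > last_day:
            hits.append((row["timestamp"], row["user"], row["result"]))
    return hits


if __name__ == "__main__":
    for user, events in find_admin_misuse(SAMPLE_SIGNINS).items():
        for ts, app in events:
            print(f"admin account {user} used for {app} at {ts}")
    for ts, user, result in find_leaver_signins(SAMPLE_SIGNINS):
        print(f"leaver {user} sign-in ({result}) at {ts}: account should have been disabled")
```

The leaver check deliberately includes failed attempts: a failed sign-in from a departed user’s account still tells you the account has not been disabled, and may tell you someone else is trying it.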

Now you know what to expect in your Cyber Essentials self-assessment, let us know if you need any help. We can also help with the independent vulnerability testing required for Cyber Essentials Plus certification.