In this video from Cyber Scotland Week, speakers Keith McDevitt, Cary Hardrick, Harry McLaren and Neil Furminger provide an overview of the Cyber Essentials scheme.
Before summarizing the video, Let’s talk about what is Cyber Essentials and what does it cover?
What are Cyber Essentials?
Cyber Essentials is a Government-backed, industry-supported scheme to help organizations protect themselves against common online threats.
The Cyber Essentials scheme addresses the most common internet-based attacks that use widely available tools and that need very little skill for the attacker to use. The scheme helps organizations to protect the confidentiality, integrity and availability of data stored on devices which connect to the internet.
The five key security controls covered by Cyber Essentials are:
- Patch management
- Malware protection
- Access control
- Secure configuration
In this video Graham Bye, the current cyber security coordinator aligned to the Scottish Business Resilience Centre talks about the cyber essentials.
He has been working closely with Scottish government police and Scotland national cyber security center in London and he is working with others to raise awareness regarding cyber security and promote cyber security to businesses and organizations across all sectors in Scotland with a real focus on the private sector.
Cyber criminals throughout the world are continuously looking for opportunities to attack the vulnerable people and to exploit them financially. There are many organizations of cyber criminals who mainly work for internet-born attacks and normally they target elderly people who are technically not so updated.
Keith Mc Devitt is a cyber resilience integrator at the Scottish government for the cyber resilience unit for a number of years now. He has been the forefront of implementing strategy and policy around about Scottish government cyber and the first cyber resolving strategy in Scotland Action Plans. He will talk about his perspective in respect of cyber essentials.
At the beginning of the video Neil Furminger gives a brief 15 minutes overview of cyber essentials. Cyber essentials are available now since 2014. IASME was involved in setting up of Cyber essentials. Up until April 2020 there were five accreditation bodies. It has been the sole partner with the NCSC since April 2020. There are five technical controls of cyber essentials namely, Firewalls, Secure Configuration, User Access Control, Malware Protection and Patch Management.
Firewalls’ object is to ensure that only safe and network services can be accessed from the internet. The secure configuration’s object is to reduce the level of inherent vulnerabilities and to provide only the services required to fulfill their role. The purpose of user control access is to ensure that user accounts are assigned to authorized individuals only and to provide access only to those applications, computers and networks actually required for the user to perform their roles.
The object of malware protection is to restrict execution of known malware and untrusted software, to prevent harmful code from causing damage or accessing sensitive data. The object of Security Update Management is to ensure that devices and software are not vulnerable to known security issues for which fixes are available.
CE evolutions updates are coming soon. The new requirements document to follow includes clarification on BYOD, organizational data, clarification for requirements on software firewall usage etc. The Security update management requires that the applicant must keep all its software up to date. Software needs to be licensed and supported. The cyber essentials evolution has two new aspects. Firstly, cyber essentials will now remain under review and Secondly the audience can expect a major update to the scheme in Q4 2021.
Next speaker is Cary Hendricks, a technical investigator and adviser for Cyber Solutions. According to him to find a solution regarding cyber essentials, they need to defect all the problems then divide them according to network segmentation.
If someone is being targeted by cyber criminals they will try and make the reconnaissance of their network and their internal structure. They will make it very difficult to do it instantly so, a long time to be able to see exactly what is on the network and that activity that they will conduct to see where are their servers should be able to pick that up in the log files from the scanning and probing and everything.
According to Keith, criminals are exploiting opportunities that the digital age gives them in a way that they can’t be as effective in the real world. It’s just they can commit crime for their underpants in their house anywhere in the world and Scotland particularly though is a nation of small and medium-sized businesses and they don’t have the wherewithal often to have the levels of support and technical knowledge that larger organizations have so it’s really important for Scotland.
Harry McLaren talks about cyber essentials from an insurance perspective that if someone is going to the insurer and they ensure the business assets whether the person is in a factory a warehouse or anywhere else they’re going to ask for an asset list they’re going to want to know what are they are actually protecting or insuring against and it’s the same in cyber security if a person can’t tell them what computer what server is used for then they can’t appropriately tell that person how he/she should be protecting it.
To eradicate the cyber-attacks and to ensure cyber security everyone must be conscious about the cyber essentials and how they work in different situations.
6:20 Neil Furminger’s Overview on Cyber Essentials
8:10 Cyber essentials five technical controls
14:05 CE Scoping
30:00 Cary Hendrick’s Overview on Cyber Essentials
36:00 Kieth Mcdevitt’s Overview on Cyver Essentials
42:00 Harry McLaren’s Overview on Cyber Essentials