Filed Under:

Your Cyber Essentials Checklist: How to review your cyber security

After the question, ‘Do we have the cyber security we need?’, often comes the next question, ‘How do we know?’ 

If you’re reviewing your cyber security, but you don’t know what you’re aiming for, then you can find yourself 

You need a yardstick to measure your cyber security, so that when you’re building your protection, you know what the foundations are and how you lay them. 

The National Cyber Security Centre (NCSC) created the Cyber Essentials scheme so that organisations can assess and certify their cyber security fundamentals. It is the perfect way to establish how secure your business is, and to set a target for improvement. 

cyber essentials checklist image

What is Cyber Essentials?

The NCSC describes most cyber crime as “the digital equivalent of a thief trying your front door to see if it’s unlocked”. Essentially, Cyber Essentials certifies that a business has its digital doors locked. 

If it sounds basic, that’s because it is. However, a surprising number of businesses aren’t compliant with the Cyber Essentials criteria. Only 14% of businesses know about the scheme, and only 6% have the certification. 

It’s a surprisingly low uptake, considering that having the certification gives you automatic cyber liability insurance (if your turnover is under £20 million), and that Cyber Essentials is one of the minimum requirements for a business hoping to bid for a lot of government contracts. 

So, what is on the Cyber Essentials checklist? 

  1. Firewalls 
  2. Secure configuration 
  3. User access control 
  4. Malware protection 
  5. Security update management

For each of those areas, there is a range of conditions your business will need to meet to get the Cyber Essentials certification. 

The first step though, will be to establish what is in ‘scope’, so that you focus your efforts on protecting the areas that need attention, and you don’t spend excess time on things that don’t. 

What is in scope for a Cyber Essentials checklist?

The short answer is that most systems and devices for business use are in scope, so the cyber essentials checklist will apply to them. However, some things are more complex than ‘yes’ or ‘no’, or aren’t assessed as part of a basic Cyber Essentials assessment. 

cyber essentials image

For example, if your team members use personal devices at work, those devices are in scope if they use operational data or use the same services as the business’s own devices, but they’re not in scope if they’re only used for Multifactor Authentication (MFA) or the apps that are native to the device. 

The routers that your hybrid employees own are not in scope, even if they use them for remote work. However, the device they work on (almost certainly a laptop) will be in scope, and it will need suitable protection. 

Having established where to apply the cyber essentials checklist, here are the five areas that you need to assess.


  1. Firewalls

The old-fashioned approach to a firewall was to place on around all internet-facing systems and devices so that malware would find it difficult to enter. That’s still part of a modern firewall strategy, but the current approach is to include firewalls between systems, not just facing outward. Then, if malware does manage to penetrate one layer of defence, it doesn’t have the freedom of your whole IT system. 

Here are the Cyber Essentials requirements for your firewalls. 


  1. Secure configurations

You could think of the Secure Configurations element of Cyber Essentials as the ‘housekeeping’ of your IT security. 

You need to assess and maintain the hygiene of your IT system. Over time, if you don’t keep on top of the software, accounts, permissions, and privileges that you have set up, then you can have a system full of obsolete profiles and applications that represent a risk to your security. 


  1. User access control

Make sure that you’re following basic best practice for logins, passwords, and system access. 

The more people who have access to systems, the greater the risk. Be deliberate and controlled with who has a login to what — only have as many users as essential, and be sure to remove the accounts and credentials that are no longer relevant. 


  1. Malware protection

Keeping malware out of your systems is more thorough and proactive than installing some antivirus software. It involves a series of principles and protocols that you need to apply and practise. 


  1. Security update management

Out-of-date software is a very easy target for cyber criminals. Software updates address weaknesses in the system which cyber threats have discovered or learned to exploit. If you don’t update your software, it’s like not replacing a broken door to your house — it’s not hard for anyone to get in. 

Some businesses do diligently update their software, but don’t realise when their supplier stops providing updates. That ‘end-of-life’ software is no longer supported, so it’s no longer secure. 


The next steps to getting the Cyber Essentials Certification

The Cyber Essentials certification involves a self-assessment to declare that you meet the criteria. Having read all of the above, you may be aware of areas where your processes or your systems aren’t up to scratch. 

At Arc, we run cyber securities reviews based on the Cyber Essentials checklist you read here. We can assess where you might need to tighten up your cyber security, and advise you on how to do it. Then, you can confidently pursue your Cyber Essentials certification. 

Book your review here.