Ransomware payments last year exceeded $1 billion, a trend projected to persist this year as a significant cybersecurity threat for all types of businesses, with reports that 69% of SMBs are unprepared to deal with the next cyberattack. However, many seek to meet global standards that assist them in strengthening their cybersecurity posture, defending against ransomware and other cybersecurity threats, and opening up new business opportunities. One such standard is the Cyber Essentials.
The 5 Security Controls of Cyber Essentials
Cyber Essentials, launched in 2014 as a UK-based standard for cybersecurity controls and practices, was initiated by the National Cyber Security Centre (NCSC). Similar to many other cybersecurity standards, it helps businesses identify which clients are using effective cybersecurity practices and implementing proper data security. This, in turn, facilitates new business relationships, including those with the UK government. The Cyber Essentials includes five different security controls that are meant to defend against 80% of cybersecurity attacks.
They include:
- Firewalls and routers. Check anti-virus software and internet gateways routinely to prevent the use of default passwords and unauthenticated access. Remove permissions once they are no longer needed. Approve and document all rules for firewalls together with both an approved individual and the organization.
- Patch management. Ensure all software is licensed, supported, and patched within 14 days of an update release. Routinely fix vulnerabilities scored as “high” or “critical.” All vulnerabilities with a CVSS v3 score of “7” should also list the fixes.
- Malware protection. Keep software up-to-date and configured to scan files when accessed. Web pages should also be scanned automatically when accessed through a web server, and connections to malicious software sites should be prevented.
- Access control. Protect against malicious attackers gaining access to systems and networks by only allowing authorized individuals to access accounts. Use a combination of authorization and authentication methods to accomplish this.
- Secure configuration. Misconfigurations are one of the most common sources of data breaches. Ensure your services and networks are properly configured to reduce the number of vulnerabilities malicious threat actors can potentially exploit.
5 Alternative Cybersecurity Frameworks and Standards
While there may be some overlap between the Cyber Essentials and other cybersecurity standards, each
- ISO 27001. An international standard was formally adopted in 2005 by the International Organization for Standardization (ISO). Its goal is to facilitate the effective implementation, use, and improvement of information security management systems (ISMS) within a business and its third parties.
- NIST Cybersecurity Framework (CSF). Initiated by Obama in 2014 to improve the cyber resilience of critical infrastructure, it is now the most common set of voluntary standards adopted by businesses. It provides all businesses with a simple set of steps to execute to strengthen their cyber resilience.
- PCI DSS. A cybersecurity standard for businesses who transmit, store or generate data related to credit and debit card payments. Its goal is to protect consumers against fraud and data theft.
- GDPR. A regulation focusing on the data privacy of customers in the European Union or businesses who process customers’ data in the European Union.
- HIPAA. Developed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. regulation aimed at protecting patient health information (PHI).
Evaluating the Effectiveness of Alternative Cybersecurity Frameworks
The Cyber Essentials were developed with a specific use case in mind, one in which an attacker uses publicly available tools and techniques to launch security attacks. Although it broadly covers the five security controls mentioned, it may not be comprehensive enough for businesses in specific industries with specific compliance requirements and complex IT environments that encounter evolving cybersecurity risks. On the other hand, its broad scope makes it easier to implement for businesses of all sizes across industries.
Alternative cybersecurity standards and frameworks such as ISO 27001, PCI DSS, NIST CSF, and HIPAA have detailed guidelines for improving cybersecurity posture and protecting sensitive information according to their industries. While they are comprehensive and effective, they are limited in scope and can be harder to implement in larger organizations that have detailed requirements. Noted exceptions are the NIST CSF, which is adaptable and flexible for businesses in different industries but also consumes resources when implemented in larger organizations. The GDPR is also an effective regulation but can be difficult to implement due to its broad scope. It also focuses on legal aspects of data privacy rather than data protection.
The Perfect Combination of Cybersecurity Standards
Businesses that seek to replace the Cyber Essentials with an alternative cybersecurity framework must first evaluate whether or not it also covers these five security controls and has UK accreditation. Any additional framework should also require evidence that it tests against these controls or assesses the overall outcome (e.g., to manage the risk of an internet attack).
Implementing alternative standards that complement the Cyber Essentials rather than replacing it can give your business additional recognition as a company that has a strong cybersecurity posture and implements best practices. However, implementing multiple regulations can also drain resources and be challenging depending on the requirements. Before adopting an additional cybersecurity framework, a business should ask itself which security threat it is trying to defend against. They should then explore which combination of standards might be the most relevant in defending against those threats.
How Guardz Protects MSP Client Data
As ransomware and other looming cybersecurity attacks increase against businesses, governments may develop stricter cybersecurity regulations and standards. Although businesses should continue staying informed of different types of compliance, they need a multi-layered approach and solution to these evolving threats in parallel. Guardz enables MSPs to streamline cybersecurity by automating detection and response across user data, devices, emails, and cloud directories from a single pane of glass.
