Cyber Essentials Plus FAQs

Do I need to use two-factor authentication for my administrator accounts?

1st June 2019 in Cyber Essentials Plus FAQs

Two-factor authentication is a second method of confirming that a user of a system is who they claim to be. It is usually used alongside a password and could involve a fingerprint scanner, a text message with a unique code or a token that generates unique codes. Most Mac, Linux and Windows systems do not have two-factor authentication available by default.

Cyber Essentials Plus does not require you to pay for additional hardware or software to enable two-factor authentication. So, in most cases, two-factor authentication for administrator accounts will not be available on your system. Some laptops have built-in fingerprint scanners or other biometric devices that can be enabled to allow two-factor authentication. If these are available on your devices, they must be enabled for administrator accounts.

What is a software firewall? How can I change its password?

1st June 2019 in Cyber Essentials Plus FAQs

The questions about software firewalls refer, on a basic level, to the built-in firewall within your computer operating system (such as Windows Firewall and Mac OSX Firewall). Often it’s a case of just turning this on using Control Panel or System Preferences.

The password for a software firewall is the password of the Windows or Mac user account of the device (i.e. your login password to Windows or Mac). If you already change this regularly, great! Just let us know in the notes.

Our home users use a VPN to connect to the office network. Does this exempt them from the requirement to check their home router firewall settings?

1st June 2019 in Cyber Essentials Plus FAQs

In some cases, if home users are set up with a Virtual Private Network (VPN) which is set to force all internet traffic to route via the VPN to your office network and they are suitably trained, this may be accepted as a “compensating control” which would reduce the need for users to check their home router firewall settings. However, it is up to you to prove to our satisfaction that your setup offers an equivalent level of protection and that this protection will continue to exist going forward.

Our home users don’t want us to check their home router firewall settings. Why is this necessary?

1st June 2019 in Cyber Essentials Plus FAQs

Wherever they are present, firewalls offer a line of defence between your devices and the wider internet. Home router firewalls are an important layer of protection and can help prevent hackers and malware entering the home network. In the majority of situations, routers provided by the home user's broadband provider will have their firewall already configured securely, but this does need to be checked, and any default passwords used to access the router need to be changed.

Do I need anti-malware software on my mobile devices (smartphones and tablets)?

1st June 2019 in Cyber Essentials Plus FAQs

You have multiple options to prevent malware infection on mobile devices:
  1. You can choose to install anti-malware software – this is only available for Android mobile devices and some Blackberry devices. Many other devices, in particular iPhone and iPad and devices using Windows Phone operating systems, do not have anti-malware software available.
  2. Alternatively, you can stop malware by restricting the installation of software only to applications available in the device's App Store. If you choose this option you must create a list of approved applications that users are allowed to install on their device. You can use tools such as mobile device management software to assist with this, but it is not a requirement to achieve compliance.

Does the “scope” need to be my whole company?

1st June 2019 in Cyber Essentials Plus FAQs

The scope should cover your whole organisation and doing so makes it much easier to answer the questions. However, we recognise that some organisations are complex and so you can describe a scope that relates to a particular subsidiary or business area of an organisation if necessary. It is important that it is a coherent entity that is logically separate from the wider organisation. It must also be technically isolated from the wider organisation, normally by using separate servers, applications and networks with boundary firewalls. If you choose a scope that is not the whole organisation, it is up to you to provide a clear scope description that is acceptable to the assessor. The scope description will appear on the certificate you receive.

How much detail do I need to provide on each answer of my assessment?

1st June 2019 in Cyber Essentials Plus FAQs

There is a notes field for each question. You must provide a couple of sentences of information in the notes field for all of the questions to support your yes/no answer.

Your assessment is marked by an assessor who is an information security professional and has to make a judgement on your situation. The more relevant information you can provide, the more likely it is that the assessor will understand your particular situation and will be able to mark accordingly.

How does my business become Cyber Essentials Accredited?

1st June 2019 in Cyber Essentials Plus FAQs

The process is simple and is completed in four easy steps.

Firstly, to get started our expert team will guide you through the process by sending documentation which you can use to prepare yourself for the online assessment.

Secondly, you’ll log on to an online portal where you’ll be asked to fill in your assessment. This isn’t meant to be daunting, and if you need any advice or help our experts are on hand to guide you through.

Thirdly, one of our experts will come and visit your office to complete an audit of your self-assessment questionnaire. Whilst they’re there they will conduct a vulnerability scan of your network and externally facing services.

Finally, your assessment will be looked at and marked. If you pass, you will be officially Cyber Essentials Plus Accredited and you can publish a badge on your website showing clients and suppliers you take cyber security seriously.

If you fail the assessment, our experts will talk you through the next steps.

Budgets are tight. Is this service value for money?

1st June 2019 in Cyber Essentials Plus FAQs

In 2018, 32% of UK businesses reported that they had experienced a cyber security breach. It is estimated that £190,000 a day is lost to cyber criminals. Having robust policies and procedures in place will prevent your business falling foul of online criminals. The small outlay at the beginning is worth it when you look at what could potentially be lost without it.

Why do I need Cyber Essentials Plus?

1st June 2019 in Cyber Essentials Plus FAQs

Cyber criminals can target any business at any time, exploiting weaknesses in online security, often for financial gain.

Cyber Essentials Plus shows that your business has established strict guidelines and processes to keep sensitive data secure, for example, financial records and personally identifiable information. You can demonstrate to clients and other businesses that you take cyber security seriously.