FREQUENTLY ASKED QUESTIONS

Cyber Essentials

  • Cyber Essentials is a UK government-backed scheme that helps organisations start to think about cyber security. You might be asking yourself, is there a Cyber Essentials in Wales? In fact, this simple certification can be attained by any organisation in Wales, Northern Ireland, Scotland or England, regardless of size, and helps them to adopt good practices in information security.

    The Cyber Essentials scheme is a low-cost, quick and easy process that can help organisations understand the basic controls that they should have in place to try to mitigate against common cyber threats.

  • Cyber Essentials pricing is based on the size of your business/organisation.

    Currently, pricing is based on the tiers below.

    • Micro organisations (0-9 employees) £300 + VAT

    • Small organisations (10-49 employees) £400 + VAT

    • Medium organisations (50-249 employees) £450 + VAT

    • Large organisations (250+ employees) £500 + VAT

    • Pricing for Cyber Essentials Plus is calculated based on the size and complexity of your infrastructure.

  • To pass Cyber Essentials, all phones and tablets must be running a supported operating system. As not running the latest version of the OS can result in non-compliances throughout CE and CEP, PureCyber recommends running the latest version of both iOS and Android. As well as giving you the most up-to-date mobile features, this means that you will be running an up-to-date OS that is receiving security updates. Personal devices which are used to access company data (e.g. accessing emails) should be included in the scope of the assessment. Whilst you may find an MDM solution useful if you have a lot of devices to manage, it is not a requirement to achieve Cyber Essentials.

  • Cyber Essentials is based on 5 controls.

    • Firewalls

    • Secure Configuration

    • Access Control

    • Malware Protection

    • Security Update Management

  • Cyber Essentials is a self-assessment, meaning that to pass you will have to complete a questionnaire covering the 5 basic controls. PureCyber will provide you with access to the question set, and then will act as the assessor/certification body. The scope of the assessment can cover the whole of your organisation or just specified locations/areas. Should you have any questions or need additional support throughout the process, our Cyber Ops team is on hand to offer guidance and advice. Cyber Essentials expires after 12 months, meaning you have to annually renew to maintain the certification. If you would like to obtain Cyber Essentials Plus (a technical verification carried out by PureCyber), you have three months from achieving Cyber Essentials to pass Cyber Essentials Plus.

  • To be compliant with Cyber Essentials password requirements you should have one of the following controls in place.

    • Have multi-factor authentication (MFA) enabled

    • Set a minimum length of 12 characters with no maximum.

    • Set a minimum length of 8 characters, supported by a deny list that blocks the use of common passwords (such as Password123!).
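    The three options above can be checked mechanically against a system's password settings. The following is an added example, not PureCyber's or the scheme's own tooling; the `PasswordPolicy` fields, the option names and the sample deny list are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample deny list; a real deployment would load a far larger one.
SAMPLE_DENY_LIST = frozenset({"password123!", "qwertyuiop", "letmein2024"})


@dataclass
class PasswordPolicy:
    """Hypothetical description of one system's password settings."""
    mfa_enabled: bool = False
    min_length: int = 0
    max_length: Optional[int] = None  # None means no maximum is enforced
    deny_list: frozenset = frozenset()


def satisfied_options(policy):
    """Return which of the three options listed above the policy meets."""
    met = []
    if policy.mfa_enabled:
        met.append("mfa")
    if policy.min_length >= 12 and policy.max_length is None:
        met.append("min12_no_max")
    if policy.min_length >= 8 and policy.deny_list:
        met.append("min8_deny_list")
    return met


def is_compliant(policy):
    """At least one of the listed options must be in place."""
    return bool(satisfied_options(policy))


def check_password(policy, candidate):
    """Apply the policy to a candidate password; return (accepted, reason)."""
    if len(candidate) < policy.min_length:
        return False, "too short"
    if policy.max_length is not None and len(candidate) > policy.max_length:
        return False, "too long"
    # Case-insensitive matching is an assumption made here, so that
    # "PASSWORD123!" is blocked along with "Password123!".
    if candidate.casefold() in policy.deny_list:
        return False, "on deny list"
    return True, "ok"
```

    A policy with a 12-character minimum and a 16-character maximum, no deny list and no MFA meets none of the options, which is the kind of gap this check is meant to surface.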

  • Cyber Essentials (CE)

    Cyber Essentials standard is a self-assessment questionnaire certification, and it’s a great starting point to show you’re starting to take security seriously. As a self-assessment, it has limitations in providing a good level of cyber assurance; however, it’s the best place for any organisation to start their journey to a better cyber security strategy.

    Cyber Essentials Plus (CE+)

    After achieving your Cyber Essentials standard qualification, you have 3 months to achieve Cyber Essentials Plus. This certification is a security audit of a sample of your organisation, testing against the answers you’ve provided in your Cyber Essentials self-assessment.

    IASME Cyber Assurance (Level 1 and Level 2)

    IASME Cyber Assurance is the step up from Cyber Essentials and starts to consider aspects such as risk management, asset and data management, supply chain due diligence, vulnerability management and business continuity. The IASME Cyber Assurance standard is often referred to as a lightweight ISO27001 and starts to introduce a cyber risk strategy. IASME Cyber Assurance Level 1 is a self-assessment, similar to Cyber Essentials, whereas IASME Cyber Assurance Level 2 is an audit of your IASME Cyber Assurance submission.

Penetration Testing

  • Penetration testing, sometimes referred to as ethical hacking, can comprise a number of aspects depending on the type of test taking place. Typically, organisations will get penetration tests against web applications, their internal or external infrastructure, portals, API connections and even physical tests against the geographical locations (called red teaming).

    Whilst the type of testing will differ, all of the penetration tests will include a final report detailing each issue identified during the assessment. This includes a technical description of the issue, evidence so the issue can be reproduced, and any remediation advised to resolve the issue.

  • Penetration Testing serves as a way to assess the current state of an organisation’s security. A fully comprehensive penetration test can help identify weaknesses and vulnerabilities in a number of areas, whether that’s in the administrative or monitoring controls.

  • Vulnerability Scanning is a valuable automated tool: it will give you a list of known vulnerabilities and a report for mitigating these risks. Penetration testing, however, is a deeper dive into the risks and vulnerabilities. Typically, a vulnerability scan is the first method of a penetration test, as it helps to identify potential issues quickly. However, a skilled penetration tester/security consultant will approach an application with a more manual methodology. This allows them to take a hands-on look for security weaknesses and vulnerabilities in the current security posture of the system.

  • There are a number of benefits which come from penetration testing. It gives you the ability to test the current controls which are in place to determine whether they are working as expected. Following this, it allows for the identification and prioritisation of real-time risks. Penetration testing also helps build users' confidence that their data is going to be protected in the system that they are using, as well as supporting compliance with a number of certifications such as IASME Cyber Assurance and ISO 27001. On a basic level, organisations get to see what a potential attacker could do in a safe and controlled environment, which is why penetration testing is often referred to as ethical hacking.

Security Operations Centre (SOC)

  • An outsourced SOC can provide a better value option compared to an in-house SOC where you need to cover costs for staff salaries, licenses, and continuous professional development / training. As a third-party verification of a company’s security, it can also have an impact on the cost and ability to secure cyber insurance cover.

  • An effective SOC team can give confidence to an organisation’s clients and partners, and in doing so provide valuable internal and external confidence. It demonstrates that you take protection of data and assets seriously. Your role in the security of your supply chain in today’s threat landscape could not be more important. Ensuring your suppliers have the same rigour in terms of security is also essential.

  • Cyber criminals work around the clock and many in-house security teams work 9-5. Cyber criminals do not stop at 5pm, so why should your cyber security? An outsourced SOC can provide a 24/7 active threat detection service for a fraction of the cost when compared to operating an in-house team on a 24hr shift basis. An outsourced SOC team can prevent the impact of a critical event.

  • With an outsourced SOC team, a business can put more focus on strategies for success, stability and growth knowing they have a high level of protection and confidence in their security. This frees up internal resources, staff, and overhead costs enabling the organisation to be agile and responsive to opportunities.

  • An outsourced SOC team can provide a flexible and scalable solution, without the need to hire additional personnel or purchase new hardware or systems. This allows you to quickly respond to new threats, new growth opportunities and emerging security requirements without stretching your budget or resources.

  • A centralised approach helps to streamline an organisation’s security resources and personnel within a single team. As such, a SOC also supports collaboration between team members and can help prevent miscommunication within an in-house security team, which can lead to critical delays in responding to an attacker and allow them to achieve their aims.

  • Many businesses have developed increasingly complex network configurations, from remote working and cloud computing, and this has left many unforeseen vulnerabilities in its wake. An outsourced SOC can provide you with a single-pane view that gives the necessary oversight of, and insight into, your complete network and possible attack vectors.

  • Apart from faster response times, outsourced SOC teams leverage their expertise and experience as Managed Service Providers (MSPs) to swiftly analyze critical incidents, mitigating their impact.

  • Compared to in-house SOC setups, outsourced SOC teams excel in providing effective and comprehensive solutions against the evolving threat landscape. They tap into diverse sources of data and threat intelligence to enhance security measures.

  • Outsourced SOC teams are experts with extensive experience in implementing, managing, monitoring, and maintaining SOC services and tools. Their dedicated focus is on actively monitoring the threat landscape and safeguarding clients from cyberattacks.