Threats in scope for Cyber Essentials

Threats in scope for Cyber Essentials

Cyber Essentials is a UK government backed Cyber Security backed scheme, who's aim is to increase the level of cyber hygiene amongst UK businesses and help protect themselves against a set of key cyber threats.

With cyber security thought leadership from NCSC (National Cyber Security Centre), Cyber Essentials addresses common Internet sourced cyber security threats. Many of these attacks make use of common malicious toolkits which require minimal skill to use, but can result in significant damage to an organisation.

Currently, Cyber Essentials scheme takes into consideration the following internet borne cyber threats,

  • Phishing - and various methods of tricking users into installing or executing malicious applications
  • Hacking - exploiting known vulnerabilities in Internet-connected devices, e.g. webservers, using widely available tools and techniques
  • Password Guessing — manual or automated attempts to log on from the Internet, by guessing passwords

Controls in scope

Cyber Essentials scheme encompasses the essential preventative controls necessary to mitigate the threats falling within scope. Technical controls which are considered are,

Threats & Controls not in scope

Cyber Essentials scheme does not currently include mitigations against the following types of threat,

  • Physical Device Access attacks
  • Denial of Service (DoS) attacks
  • Communication Interception - attacks that require interception of communication channels
  • Stolen Credentials - attacks using stolen credentials to navigate authentication mechanisms
  • Insider / Privileged Users - where an authorised user abuses their access
  • Undisclosed Vulnerabilities - exploitation of non-public vulnerabilities
Controls not include any preventative or recovery type controls such as Network Intrusion Prevention Systems (NIPS), Protective Monitoring.

Looking for more information?

Find out more about how to obtain Cyber Essentials certification for your business here.

If you are concerned about wider threat protection for your business beyond Cyber Essentials please contact us.