Beyond Cyber Essentials: A Look into Diverse Cybersecurity Standards 

Ransomware payments last year exceeded $1 billion, a trend projected to persist this year as a significant cybersecurity threat for all types of businesses, with reports that 69% of SMBs are unprepared to deal with the next cyberattack. However, many seek to meet global standards that assist them in strengthening their cybersecurity posture, defending against ransomware and other cybersecurity threats, and opening up new business opportunities. One such standard is the Cyber Essentials.

The 5 Security Controls of Cyber Essentials 

Cyber Essentials, launched in 2014 as a UK-based standard for cybersecurity controls and practices, was initiated by the National Cyber Security Centre (NCSC). Similar to many other cybersecurity standards, it helps businesses identify which clients are using effective cybersecurity practices and implementing proper data security. This, in turn, facilitates new business relationships, including those with the UK government. The Cyber Essentials includes five different security controls that are meant to defend against 80% of cybersecurity attacks. 

They include:

  • Firewalls and routers. Routinely check anti-virus software and internet gateways to prevent the use of default passwords and unauthenticated access. Remove permissions once they are no longer needed. Have every firewall rule approved by an authorized individual and documented by the organization. 
  • Patch management. Ensure all software is licensed, supported, and patched within 14 days of an update’s release. Routinely fix vulnerabilities rated “high” or “critical.” Vulnerabilities with a CVSS v3 score of 7 should also have their fixes documented.
  • Malware protection. Keep anti-malware software up to date and configured to scan files when they are accessed. Web pages should also be scanned automatically when accessed through a web server, and connections to known malicious sites should be blocked.  
  • Access control. Protect against malicious attackers gaining access to systems and networks by only allowing authorized individuals to access accounts. Use a combination of authorization and authentication methods to accomplish this. 
  • Secure configuration. Misconfigurations are one of the most common sources of data breaches. Ensure your services and networks are properly configured to reduce the number of vulnerabilities malicious threat actors can potentially exploit.  
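To make the patch-management control above concrete, here is an added example (not from the original post or from Guardz) that audits a small software inventory against the 14-day patch window for CVSS v3 high/critical findings and flags unsupported software. The inventory, dates and product names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Rule described above: high/critical (CVSS v3 >= 7.0) fixes applied within 14 days.
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0  # CVSS v3: "high" is 7.0-8.9, "critical" is 9.0-10.0

@dataclass
class Finding:
    software: str
    cvss_v3: float
    fix_released: date          # date the vendor published the fix
    patched_on: Optional[date]  # None if the fix is not yet applied
    supported: bool = True      # False once the vendor drops support

def severity(score: float) -> str:
    # Qualitative CVSS v3 rating for a base score
    if score >= 9.0:
        return "critical"
    if score >= CVSS_THRESHOLD:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"

def status(f: Finding, today: date) -> str:
    # One of: unsupported, overdue, pending, ok
    if not f.supported:
        return "unsupported"  # unsupported software fails regardless of score
    if f.cvss_v3 < CVSS_THRESHOLD:
        return "ok"           # below the 14-day rule: track it, not a failure
    deadline = f.fix_released + PATCH_WINDOW
    if f.patched_on is None:
        return "pending" if today <= deadline else "overdue"
    return "ok" if f.patched_on <= deadline else "overdue"

def audit(findings: List[Finding], today: date) -> Dict[str, str]:
    return {f.software: status(f, today) for f in findings}

# Constructed sample inventory (hypothetical names, not real products or CVEs).
SAMPLE = [
    Finding("libfoo", 9.8, date(2024, 5, 1), date(2024, 5, 10)),
    Finding("barapp", 7.5, date(2024, 5, 10), None),
    Finding("bazsvc", 5.3, date(2024, 5, 1), None),
    Finding("oldos", 8.1, date(2024, 5, 20), None, supported=False),
    Finding("quxd", 7.0, date(2024, 5, 25), None),
]
AUDIT_DATE = date(2024, 6, 1)
def sample_audit() -> Dict[str, str]:
    return audit(SAMPLE, AUDIT_DATE)
```

Items reported as "overdue" or "unsupported" are the ones that would fail this control; "pending" items are still inside the 14-day window and should be tracked to their deadline.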

5 Alternative Cybersecurity Frameworks and Standards

While there may be some overlap between the Cyber Essentials and other cybersecurity standards, each 

  • ISO 27001. An international standard formally adopted in 2005 by the International Organization for Standardization (ISO). Its goal is to facilitate the effective implementation, use, and improvement of information security management systems (ISMS) within a business and its third parties. 
  • NIST Cybersecurity Framework (CSF). Initiated by Obama in 2014 to improve the cyber resilience of critical infrastructure, it is now the most common set of voluntary standards adopted by businesses. It provides all businesses with a simple set of steps to execute to strengthen their cyber resilience. 
  • PCI DSS. A cybersecurity standard for businesses that transmit, store, or generate data related to credit and debit card payments. Its goal is to protect consumers against fraud and data theft. 
  • GDPR. A regulation focusing on the data privacy of customers in the European Union, applying to businesses that process those customers’ data. 
  • HIPAA. Developed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. regulation aimed at protecting patient health information (PHI). 

Evaluating the Effectiveness of Alternative Cybersecurity Frameworks

The Cyber Essentials were developed with a specific use case in mind, one in which an attacker uses publicly available tools and techniques to launch security attacks. Although it broadly covers the five security controls mentioned, it may not be comprehensive enough for businesses in specific industries with specific compliance requirements and complex IT environments that encounter evolving cybersecurity risks. On the other hand, its broad scope makes it easier to implement for businesses of all sizes across industries.

Alternative cybersecurity standards and frameworks such as ISO 27001, PCI DSS, NIST CSF, and HIPAA have detailed guidelines for improving cybersecurity posture and protecting sensitive information according to their industries. While they are comprehensive and effective, they are limited in scope and can be harder to implement in larger organizations that have detailed requirements. A noted exception is the NIST CSF, which is adaptable and flexible for businesses in different industries but also consumes resources when implemented in larger organizations. The GDPR is also an effective regulation but can be difficult to implement due to its broad scope. It also focuses on the legal aspects of data privacy rather than on data protection. 

The Perfect Combination of Cybersecurity Standards 

Businesses that seek to replace the Cyber Essentials with an alternative cybersecurity framework must first evaluate whether or not it also covers these five security controls and has UK accreditation. Any additional framework should also require evidence that it tests against these controls or assesses the overall outcome (e.g., to manage the risk of an internet attack). 

Implementing alternative standards that complement the Cyber Essentials rather than replacing it can give your business additional recognition as a company that has a strong cybersecurity posture and implements best practices. However, implementing multiple regulations can also drain resources and be challenging depending on the requirements. Before adopting an additional cybersecurity framework, a business should ask itself which security threat it is trying to defend against. They should then explore which combination of standards might be the most relevant in defending against those threats. 

How Guardz Protects MSP Client Data 

As ransomware and other looming cybersecurity attacks increase against businesses, governments may develop stricter cybersecurity regulations and standards. Although businesses should continue staying informed of different types of compliance, they need a multi-layered approach and solution to these evolving threats in parallel. Guardz enables MSPs to streamline cybersecurity by automating detection and response across user data, devices, emails, and cloud directories from a single pane of glass.

Tal Eisner is the Vice President of Product Marketing at Guardz, bringing over two decades of experience in cybersecurity and fraud management. Prior to joining Guardz, Tal led marketing efforts at Check Point Research, the Intelligence & Research division of a leading cybersecurity company. With a strong background in security, Tal combines his technical expertise with a strategic focus on marketing, communications, and business development. His career reflects a deep commitment to advancing cybersecurity solutions while effectively communicating their value to diverse audiences.
