Cyber Essentials (CE) is a government-defined standard for cyber security, using a set of baseline controls. Certification demonstrates that the University meets (and actually exceeds) those requirements.
There are 5 control sets to implement:
- Firewall – a buffer between your computer and the internet, analysing incoming data to see if it should be allowed.
- Secure Settings – using strong passwords, turning off unused services, only installing applications when needed.
- Access Controls – making sure all users have unique accounts and are only able to access the areas they need to, and restricting administrative privileges to those who need them.
- Protection – from virus and malware infection, by having up-to-date anti-virus software and only using software from reputable sources.
- Up to Date – applying software patches and updates to fix any known vulnerabilities, and only running licensed and supported versions of software. Hardware should also be supported for firmware updates, and replaced when these are no longer available from the manufacturer.
To achieve and maintain this certification we have to make sure all computers have the above controls implemented. Achieving it is a credit to IS staff and the teams who manage IT across Kent, including the School of Engineering and Digital Arts and School of Computing. Certification is validated by the certifying organisation through an external scan.
How does this affect Kent?
When applying for grant funding, or data sharing agreements with other organisations, we can prove that we take cyber security seriously and meet a recognised baseline.
CE is now a minimum requirement for any organisation that has a contract with a UK Government department, and many grant awarding and research bodies are also now requesting it as part of the application process.
The recent partnership between the School of Economics and the Civil Service for a degree-level Apprenticeship in economics is an example of where CE was stipulated as a requirement.
Researchers can be confident that we are taking care to protect their hard-earned, valuable research data.
Staff and students will know that their personal data is protected.
Although we are CE certified, it does not mean that we can relax. Users should remain vigilant to attempts to compromise their accounts – phishing emails, suspicious websites, downloading “free” software or documents without verifying they are genuine and safe, etc. Despite all the security measures in place, a few phishing emails will still get through, but the vast majority are blocked.
What you can do to protect yourself:
- Mobile devices should always be encrypted to an appropriate standard.
- USB sticks: you should only use a USB stick that has built-in encryption.
- Passwords must not be shared.
- Sensitive data should be encrypted at all times, even when stored within the data centre.