How it works
Hedgehog Security has over ten years of experience at the forefront of cybersecurity. Our CISO team has worked with some of the world’s largest and most complex businesses and industries. We have a deep understanding of both existing and emerging threats, as well as their rapidly changing tactics, techniques and procedures.
Our consulting practice is here to carry out all manner of Cyber Essentials services for your business.
Hedgehog Security has been delivering Cyber Essentials gap analysis, preparation, implementation and audit services since the inception of the standard. With over 2000 successful audits behind us, we will help any business achieve the UK Government's base level of cyber security.
Cyber Essentials is the Government-backed, industry-supported foundation for basic cybersecurity hygiene. The scheme guides organisations of any size in protecting themselves against cyber threats. You can read more about the government’s scheme here and more in-depth information on the audit process here.
The foundation level is an independently verified self-assessment. You complete an online assessment questionnaire which is approved by a Senior Executive of your business. Upon submission, we will independently review and confirm your responses. If successful, we will award you the requisite certificate and badge that you can display on your company website.
Cyber Essentials Plus
Cyber Essentials Plus is the next stage of your security journey and involves both independent internal and external tests of your network and computers. You must have been awarded the foundation level certification within the last three months before you can proceed with accreditation.
Successful accreditation provides a higher level of assurance. It demonstrates that your organisation has a robust cybersecurity regime. It shows that controls are present to maintain a vigorous defence against Internet-based attacks.
A device is a company-issued computing device that can be used to connect to and use internet-based resources such as webpages, web applications etc. The key thing to consider here is access to the internet. If the device has no access to the internet, and this is enforced by a technical control such as a firewall or an air-gapped network, then that device can be considered out of scope.
A device can be any one of the following:
• Workstation or Laptop
• Server that provides users access to the internet through a GUI.
• Mobile Phone (company issued)
This is our concise guide to the Cyber Essentials audit and the Cyber Essentials Plus audit, as delivered by our NCSC-approved team.
One important thing to note here is that this is a UK Government audit. The instructions on how we perform the audit are set in stone by the NCSC via IASME. We are not permitted to deviate from these in any way. We are very aware that there are a number of certifying bodies that are taking shortcuts and will give you a certificate regardless. We are NOT one of those bodies. Our audits are strict and fair, and follow the government's instructions.
When you place an order for Cyber Essentials or for Cyber Essentials Plus, there is some key information that we will ask you for. You may have provided this before, but our internal process requires us to ask for it every time to ensure that our information remains fully up to date and to avoid any errors.
• Company name
• Name of person completing the online questions
• Their job title
• Their email address
• Their mobile phone number to send the portal password to
If this is a Cyber Essentials Plus assessment, we will also need the following:
• Your Cyber Essentials Certificate Number (must have been awarded in the last 3 months);
• Your external IP addresses;
• Your internal IP addresses;
• A fully completed Device workbook (download from here);
• VPN details to connect to your network to run the vulnerability scans internally;
• and the TeamViewer client installed on the devices identified as part of the workstation audit group. TeamViewer can be downloaded here.
A VPN connection into your environment is only needed for the Cyber Essentials Plus audit.
It is now very common for companies not to know how to provide a VPN connection. We have a very simple workaround for this issue. If you are able to provide local admin rights to a user account on each of the machines in the sample set, we can install and run OpenVPN, which will connect to our scanning service. Our engineers are able to do this on all the machines needed, and remove it once the audit is complete.
If you wish to install OpenVPN on the sample machines prior to the engagement, then you are very welcome to, and we do appreciate it. The downloads for Windows and Mac OS can be found below.
OpenVPN Connect for Windows
OpenVPN Connect for Mac OS
The questionnaire is supplied in an online format through the IASME assessment portal. The portal can be accessed using the button below or by browsing to https://portal.iamse.co.uk.
IASME Assessment Portal
During the initial process, your main point of contact will have been sent the access username and password. The username is typically sent to the main user's email address and the password is sent from the system via an SMS message to their mobile phone.
The single biggest piece of advice that can be given is not to overthink the questions and, where you are unsure, to use the comments box to put in as much detail as possible. This will greatly help the auditor provide you with good, solid advice on what to do next.
It is really easy to fail the initial Cyber Essentials audit. This section has been written to help you avoid the most common pitfalls. The best single piece of advice is to read the question twice, do not overthink the answer and, if you are unsure, write comments in the “Application Notes” field.
For our guide to some of the most common failures, check out our blog and search for CE Failure Points.
The workstation assessment is one of the most feared parts of the Cyber Essentials Plus audit, but it shouldn't be. Here we will break it down into the logical components, but first, here is the high level of what we are looking for.
1. That the build we are examining matches what you have documented in your Cyber Essentials questionnaire. For example, if you say you use application whitelisting instead of antivirus, we will expect to see that.
2. That the build is up to date and fully patched: there are no missing operating system or application patches that are older than 14 days.
3. That the system does not have any High or Critical risk vulnerabilities.
4. That the endpoint protection is running and is up to date.
5. That the system is correctly secured in line with the Cyber Essentials Plus guidelines published by the National Cyber Security Centre.
For the internal tests, we need to test a sample of all end-user devices which includes tablets and smartphones. We also must sample all servers that allow users to access an interactive desktop environment.
An “interactive desktop environment” means a graphical interface such as an X server, Windows Remote Desktop or the macOS equivalent. It does not include a text-based environment such as an SSH or telnet session or a bash / DOS / PowerShell command line.
For the audit to be valid we must test devices that represent 90% of the common devices in use at the organisation. This means that if you have one to two obscure devices then these would not need to be tested.
The audit standard states that: “For the common devices that you decide are in scope for testing, you must select a random sample of a certain quantity of each.” This means that we must randomly select the appropriate number of machines to meet the sampling requirement from the list of all devices that you completed in the Device Workbook.
IMPORTANT: Vulnerability Scanning and Patch Checking is performed over a VPN. This can be done by one of our appliances being sent to your site or by providing us with a network level VPN.
We will scan each of the systems listed in the scope using one of our vulnerability scanners. Depending on the engineer assigned to your test, either Nessus or OpenVAS will be used. Both products are the fully licensed commercial versions.
The scans will be performed using the credentials that you supplied and we are looking for any of the following:
Vulnerabilities with a CVSS v3 score of 7.0 or higher; and
Any missing patches that were released more than 14 days ago.
If we identify either of these, that constitutes a fail for that system.
For each device in the scope, we will log into the device using TeamViewer and test the malware protection. This is done to ensure that the malware protection on the device is in use and functional. We will check:
That it is installed and up to date. When checking that the product is up to date, we will check that the core binaries have been updated to the latest version within the last 30 days and that the signature pack is no older than 23 hours and 59 minutes.
That any mobile device is not jail-broken and that any installed certificates for application signing etc. are correct and valid, and
Where sandboxing is used, we will test to ensure that it is functional and effective.
For this test, we will attempt to download and execute simulated malware files through a web browser and we will also test by attempting to deliver these files via email. Each of these is performed using a standard, non-administrative user account, using TeamViewer to access the device.
Web Browser Test: For this test, we will connect to a randomly generated URL within our hedgehogsecurity.com domain. However, if we think a client has blacklisted our domain, we have 95 other domains to use from a variety of IP addresses. If we are unable to connect to that domain to download the files, that is an automatic fail. The files will be downloaded once in each of the web browsers on the device, so if there is, say, Firefox, Chrome and IE, the test will run three times, once in each web browser.
Email Test: Each device must be in a state where it can both send and receive emails. The first test is to send an email from the device to the engineer, and then to respond to the test to ensure that two way email delivery is working. The engineer will then send all of the simulated malware files via email, one at a time, to that account. There are around 14 emails containing the simulated malware, and one test email that should not trigger any protection mechanisms. If the test email does not arrive, then deeper investigation may be warranted.
All of the simulated virus files must be blocked. All of the executable test files must show a warning and not be run without user input.
If you do fail on any of the points in the CE or CE Plus, then you need to remediate the issues identified within 30 days or a failure report will be generated.
Once a failure report is generated, you will need to rebook your assessment and pay again.
On an average day you will be waiting around 4 hours. It can be longer at peak holiday periods and towards the end of the financial year, as the team are busier than normal then.
The scheme sets out five basic security controls to protect organisations against around 80% of common cyber attacks, allowing you to focus on your core business objectives.
Benefits of the Cyber Essentials scheme include reassuring customers that you take cyber security seriously as well as attracting new business with the assurance that you have cyber security measures in place.
Cyber Essentials is designed to help organisations of any size demonstrate their commitment to cyber security – all while keeping the approach simple and the costs low.
If you supply – or want to supply – larger organisations that manage their third-party risks properly, the independent verification of your security posture provided by certification offers assurance that you will not endanger the supply chain.
If you want to apply for government contracts, you will need Cyber Essentials certification.
The Ministry of Defence mandates Cyber Essentials for all its new suppliers and their relevant supply chains.
Cyber Essentials certification now includes cyber liability insurance for any UK organisation that certifies the whole organisation and has less than £20 million annual turnover (terms apply).
Organisations complete the IASME self-assessment questionnaire (SAQ). This must be verified and signed off by a member of the board or an equivalent signatory. It is then independently verified by a certification body trained and licensed to certify against the government’s Cyber Essentials scheme.
Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site assessment and an internal vulnerability scan (these can be performed remotely in certain instances), plus an external vulnerability scan conducted by the certification body.
Only certification bodies that have been trained and are currently licensed by IASME to certify against the government’s Cyber Essentials scheme can undertake assessments and issue certificates. Hedgehog Security's assessors are IASME trained and Hedgehog Security is licensed to deliver Cyber Essentials and Cyber Essentials Plus certifications.
For each common device type in scope, we must select a random sample. The sample size is defined in the audit guide provided by IASME and the NCSC to every auditor. The audit guide states:
• 1 device of a build/type: sample size 1
• 2-5 devices of a build/type: sample size 2
• 6-19 devices of a build/type: sample size 3
• 20-60 devices of a build/type: sample size 4
• 61 or more devices of a build/type: sample size 5
For example, you have 100 Windows 10 2004 desktops, 150 Windows 10 1903 laptops and one Ubuntu 20.04 laptop.
In this example, we would test 5 of the Windows 10 2004 desktops and 5 of the Windows 10 1903 laptops; the single Ubuntu laptop falls outside the 90% rule and would not be tested.
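As an added worked example (our own illustration, not the page's or IASME's tooling), the following Python groups a constructed Device Workbook by build/type, applies the sample-size table quoted above, and draws the random sample. It assumes the 90% rule is applied by taking the most common builds, largest first, until they cover at least 90% of all devices, which reproduces the page's example of 5 desktops and 5 laptops with the lone Ubuntu laptop out of scope.

```python
import csv
import io
import random

# Sample-size table from the IASME/NCSC audit guide as quoted on this page.
# Each entry: (lowest count, highest count or None for no upper bound, sample size).
SAMPLE_TABLE = [
    (1, 1, 1),
    (2, 5, 2),
    (6, 19, 3),
    (20, 60, 4),
    (61, None, 5),
]


def sample_size(device_count):
    """Number of devices to test for a build/type with device_count devices."""
    if device_count < 1:
        return 0
    for low, high, size in SAMPLE_TABLE:
        if device_count >= low and (high is None or device_count <= high):
            return size
    raise ValueError(f"no table row for {device_count} devices")


def builds_in_scope(counts, coverage=0.90):
    """Assumption: apply the 90% rule by adding the most common builds,
    largest first, until the chosen builds cover `coverage` of all devices."""
    total = sum(counts.values())
    chosen, covered = [], 0
    for build, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if covered >= coverage * total:
            break
        chosen.append(build)
        covered += n
    return chosen


def plan_sample(workbook_csv, seed=None):
    """Group workbook rows by build, decide scope, draw a random sample per build."""
    by_build = {}
    for row in csv.DictReader(io.StringIO(workbook_csv)):
        by_build.setdefault(row["build"], []).append(row["hostname"])
    counts = {build: len(hosts) for build, hosts in by_build.items()}
    rng = random.Random(seed)  # seeded only so the draw is reproducible for the auditor's notes
    plan = {}
    for build in builds_in_scope(counts):
        hosts = by_build[build]
        plan[build] = sorted(rng.sample(hosts, sample_size(len(hosts))))
    return plan


def constructed_workbook():
    """Constructed sample workbook matching the page's example estate."""
    lines = ["hostname,build"]
    lines += [f"DESK-{i:03d},Windows 10 2004 desktop" for i in range(100)]
    lines += [f"LAP-{i:03d},Windows 10 1903 laptop" for i in range(150)]
    lines += ["LAP-UBU-001,Ubuntu 20.04 laptop"]
    return "\n".join(lines)


if __name__ == "__main__":
    for build, hosts in plan_sample(constructed_workbook(), seed=1).items():
        print(build, hosts)
```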
The following describes the Cyber Essentials certification process using the Hedgehog Security branded Cyber Essentials portal by Pervade.
Purchase one of our Cyber Essentials certification packages.
You will be required to provide the email address and mobile phone number for the person responsible for completing and submitting the SAQ.
Receive an email and SMS message with details needed to log in to the portal.
Complete the scope and SAQ.
Contact us before your first submission to undertake a precheck of your responses to the SAQ to determine whether you are likely to pass on that basis.
Confirm all answers provided in the assessment have been approved at board level or equivalent. Signed confirmation will be required.
The assessment is marked by one of our Cyber Essentials assessors, who will provide feedback with the result.
If the result is a ‘pass’:
A Cyber Essentials certificate will be issued for you to download from the portal along with a copy of your assessment.
IASME will contact you to provide your branding pack and insurance details (as applicable).
The Cyber Essentials certification process is complete.
If the result is a ‘fail’:
Review the feedback provided by your assessor. If you have purchased a Cyber Essentials package that includes consultancy support and you have support time remaining, one of our cyber security experts can help you understand how to address any non-compliant areas.
You have two working days to resubmit. If you do not resubmit your application within this time, our certification guarantee is invalidated.
You have six months from purchase to complete your application, after which it will be archived automatically by IASME and you will need to purchase a new package to continue.
For Cyber Essentials Plus, there are additional steps for the internal assessment, including internal and external vulnerability scans. You will need to complete these steps within three months of achieving your last ‘basic level’ Cyber Essentials certification from an IASME-licensed certification body.
The scans are conducted to a common standard, as mandated by IASME for Cyber Essentials Plus certification. Including the scans as part of the certification process means the application process is more efficient and cost-effective. For this reason, only IASME-licensed certification bodies can conduct vulnerability scans as part of the Cyber Essentials Plus certification work.
Cyber Security for any size of business
CREST member company
Team of friendly certified experts
I so enjoyed Peter as a member of my Chief Information Security Officer Council at Microsoft Ltd UK. He always provided a unique insight into IT security issues of import to many global companies who were also members. A respected and senior member of the IT community, Peter and his business stands out as honourable and are the people you would want on your side.
Edward P. Gibson, Microsoft
We have used Hedgehog’s services for 7 years now. Always professional and leading in the field of Cyber Security, I have never looked back. Over the years they have regularly provided top tier penetration testing and cyber security consulting. I look forward to the next 7 years with them.
Maurice Whittaker, TWI
Peter and his company, Hedgehog Security, has been a fantastic partner/customer/advisor/anything else someone could be for me and Rapid7 since I met him a few years ago. Their collective depth of knowledge and understanding of what's actually important in the security space & how to relate it to the business would make them a fantastic addition to any organisation's IT/Executive group.
Jason Pitzen, Rapid7
I originally met Peter at an event where he was the guest speaker at a hacking workshop hosted by a supplier of ours. I knew from that moment I would work with him on many projects going forward. What Peter didn't know about gaining access to an organisation's "crown jewels" wasn't worth knowing. He was instantly recommended by me to our then Head of IT at Towry and we proceeded to buy into everything Pete had to offer. A trusted partner and advisor whom I'd have no problem recommending to people who need to protect valuable data within their organisation.
Michael Golding, Towry
Peter is a total Internet Security guru! He can detect a threat to a website a mile off and I have never known him not to get right to the bottom of a security risk. Despite being one of the busiest people, Peter was always happy to help out with any concerns, queries or requests I had concerning security issues. He always resolved whatever had gone wrong within hours, and would always report back to let me know what had been done and what action I needed to take. He and his company are incredibly committed to their work and are a force for good for any company.
Louise, The Telegraph
I worked with Hedgehog on a very challenging project and was extremely impressed by their dedication to get the issues resolved. Hedgehog’s ability to come up with solutions while under extreme pressure is something I realised quickly and I will definitely appreciate their technical input when I am in a bind in the future.
Michael Reynolds, Aruba Networks
Peter is a rare breed of individual who (like me) has a unique combination of heavy technical skills coupled with excellent managerial and other soft skills that make him a prize for any company. The brief time I worked with Hedgehog was great fun. Peter and his team are very practical but do not give in to any argument if they know they are in the right. Brilliant person, brilliant company. Highly Recommended.
Amar Singh, Cyber Management Alliance
I worked closely with Peter and his fledgling company during a core network upgrade and found him to be a source of solid knowledge as well as a reliable, dedicated member of the team. The work carried out has proved very robust over the past year.
Duncan Reddish, Royal Botanic Garden Edinburgh
Hedgehog's approach focuses solely on doing what is best for the company as a whole. Completely professional, I always knew I could count on their support and advice when working on any project. A real benefit to the team, and Peter is a guy I hope to work with again in the future.
Alec, CEO Sapphire
Ask us a question, any question at all. As long as it has to do with Information Security / Cyber Security, we will get back to you with an answer.