Cyber Essentials Plus: the startup guide with Linux
This guide has been kindly reviewed by our auditor TechForce Cyber
Cyber Essentials Plus is an important certification when you get started in the UK. This post is part guide, part account of our experience getting certified using Linux.
This guide is not set in stone, so if you think there are areas of improvement, feel free to contact our team and we'll improve it.
Just note: it’s intended for startups and small teams with a strong technical core. If you are past the small-team stage, this guide could be a good read, but some advice will not apply to you. If you are not working in tech or have a weak technical team, this guide is absolutely not for you, and you would be better off going with a consultant.
There are also a lot of personal decisions (choosing Linux is a big one). They are not what YOU have to do. We are bootstrapping our company, and our main challenge was to make it as cheap as possible while offering a good developer experience.
The TL;DR is that we chose Ubuntu for our systems, and it made the process a lot easier, faster, and cheaper. In total, our expenses were around £3000 + VAT for the audit plus three laptops.
If you are ONLY interested in the Linux steps, you can skip to section 4.
1. What is it, when to do it, should I do it?
Cyber Essentials and Cyber Essentials Plus are two certifications (valid in the UK only) about your posture in IT security.
Those certifications do:
- Establish a baseline for mitigating cyber threats that complies with government standards.
- Show the importance of cybersecurity and prepare you for potential threats, as they can affect businesses of all sizes, including small ones (the simplest example: if you hire a marketing student, the student will not be able to download malware and leak important information).
- Show prospective/existing customers that you are taking the necessary steps to secure your IT.
- Give you free cyber security insurance (you must have a physical address in the UK).
They do NOT:
- Make your app secure. We are talking IT here, not app development. You should do a pen test to secure your app, and invest in DevSecOps. We will make another blog post on this matter as well.
- Make you 100% resilient to cyber attacks (only proactive and regular security awareness training helps).
Cybersecurity consultants can do the audit and offer help during the certification process. In 2023/early 2024, the prices to get certified ranged between £1500 and £2500 depending on how much help you want. Additionally, no matter how much help you receive, you should know this is a significant investment in time (at least 4 weeks).
Finally, Cyber Essentials (without “Plus”) is a form you fill in with no audit. You can say whatever you want in the application and still get certified. You should prefer the Plus version (with an audit). If you only have Cyber Essentials, some customers might not take you seriously, and you should also be wary of suppliers without the “Plus”.
When to do Cyber Essentials Plus?
It depends on what stage your company is at, and who you are talking to.
Do you have more than 10 employees? -> Yes, you should do it unless you have another cybersecurity certification like ISO or SOC.
If your customers are consumers, you don’t need it until your user base has grown significantly, or you deal with sensitive data. Just move on.
If your customers are businesses, are they requesting the certification? If yes, then go ahead. If not… bear in mind that this certification is a big distraction; unless it’s an absolute necessity, you had better postpone it.
However, a friend did the certification several times and found that the older the business is, the harder it is to implement it (any cybersecurity certification). The reason is that people get used to insecure behavior, and habits are notoriously hard to change.
Here are some examples (some I worked with, some from friends):
- A chat app-> B2C -> not needed
- A recycling tech app for consumers and businesses -> No sensitive data -> not needed
- An AI agent for job contracting -> B2B customers don’t care -> not needed until asked for
- A search engine that has access to an entire company's data (our main company Ansearch) -> lots of sensitive data access, B2B customers won’t sign a trial without it -> needed before MVP.
Cyber Essentials varies in scope from a single team to the entire business. As a startup, it’s better to do it for everyone once and for all, unless you face a major hurdle.
2. The requirements
Knowledge
You should be all right working with an operating system and know the basics of networking (what’s a router, what’s a firewall, etc.). If you are working from home, or not managing an office network, it will be very easy.
A technical person should be able to go through the audit without too much trouble. If you are not technical, don’t do it alone; you will need help.
What to look at
There is a ton of information to digest about Cyber Essentials Plus, but really, only a few points are relevant for startups:
- Accounts must be non-admin: you cannot let employees use a local admin account (if you can run sudo on *nix or click yes on administrator privileges on Windows, you ARE a local admin). Unfortunately, many laptop OSes set up your main account as a local admin by default (this is not the case for phones unless they are rooted/jailbroken). So your first point of concern is forcing people to use a non-admin account on their laptop/workstation.
- Software must be automatically updated, so if a vulnerability is found, the computers will be up to date without any need for intervention. This is why you should prefer SaaS/Web applications rather than software that needs to be installed, and when you install software, you need to make sure it can be automatically updated.
- Non-approved software should require more than two clicks to run, or not run at all: this means that people who download malware cannot execute it.
- Simplify your IT as much as possible: this means working from home, shared offices, or offices where the landlord handles the internet (in short: don’t mess with your local network, let it be handled by someone else). This will reduce your workload and make the audit rely on the firewalls installed on the devices, which have good defaults.
- Avoid local hosting, VMs, or VPSes; prefer managed clouds (your servers, even in Azure or AWS, will be in scope, but a managed database, managed container, or serverless functions will not).
- List everything: OS, apps, devices, etc.
- (optional) Create simple processes: this will make staying compliant easier, by telling people specifically what they can and cannot do.
The rest of the guide will go through all those points.
3. Laptops, phones: BYOD or company-owned?
The first step will be to decide if you use BYOD (bring your own device) or a company-owned device. Any device capable of accessing your company data (think emails, chats, etc) will be in scope.
A major point for Cyber Essentials Plus is that you need to have your employees using non-admin accounts:
- For computers, this means BYOD is mainly a hurdle, because everyone will need to set their day-to-day account as non-admin (and by default, every OS makes you admin).
- For phones, this is the default, so BYOD is okay (unless they are rooted/jailbroken; in this case, do not use those phones).
What we did was buy laptops for our team, and let everyone use their phones.
Side chapter: choosing the laptops, leasing, buying, and refurbished
A quick side chapter about choosing a laptop. You can skip this section if you already have some, as this is not needed to prepare for Cyber Essentials.
Really, you can’t go wrong here. Pick anything decently recent with 16GB of RAM. Until recently I was working on a 12-year-old laptop running Linux, and except for processing-heavy software (games, AI, video editing, CAD) everything was working fine: I was running an IDE, three microservices, two databases, and an embedding model on a dual-core without any struggle.
What’s important though is choosing between leasing and buying laptops:
- If you lease, your cash flow will be happy, but in the long run it will be very expensive.
- If you buy, this is a bigger investment upfront, and more annoying to get rid of once the machines are too old, but it will be much cheaper than leasing.
- If you buy refurbished, this is the cheapest option, but you will have to be careful (don’t buy from individuals); the second upside is that it’s better for the environment.
As a bonus (related to the next section), using Linux will also save you the Windows license if you find computers without Windows pre-installed (refurbished, or specific laptop makers like System76, Framework, Dell, etc.).
What we did: we bought three refurbished laptops, a total expense of £900. A good way to find good refurbished laptops is to look for business hardware (such as Lenovo ThinkPads), as it is usually in very good condition. You also need to ensure you buy from a business, and not from an individual. I had to be careful with those machines, making sure what was advertised was what we got; this included checking the screen resolution, verifying battery health, verifying specs, verifying the BIOS was not locked, etc. We had two funny surprises that required us to return the laptops, so I emphasize: ensure the business you buy from is trustworthy.
4. IT management software & operating systems
Trying every OS out there (except Mac) & setting up the OS
Believe it or not, the easiest OS to set up was… Linux.
- I first tried ChromeOS Flex (a version of ChromeOS for any laptop) but faced issues with software compatibility.
- Windows was a nightmare to set up with Google Workspace, and recently local non-admin accounts have become very hard to set up (it seems to require a registry edit); Microsoft is pushing hard for their mobile device management solution. I almost burned out trying to set this up.
- I did not try macOS (not a fan of Apple) and we do not have Apple computers, so I cannot speak for this platform.
So eventually I just went back to Linux and set up Ubuntu.
Being compliant and preparing the computers for the team was not a big deal, and much easier than with Windows. The longest part of installing Linux was creating a guide for my team to follow. Just read it and do what’s written and you will be compliant; it takes on average 1 to 2 hours to set everything up, the slowest part being the installation, which leaves you plenty of time to do an onboarding while it's getting ready.
The document can be summarised by:
- Encrypt your volume during installation
- Create a second user without root access
- Remove the admin user from the login screen
- Enable UFW, add AppArmor profiles
- Install a browser with policies enabled: it can be Firefox, but we chose Chrome (read the next section for that)
- Enable Ubuntu Pro
- Ask everyone to use exclusively Snap/App Center
Side note on Linux
Now I’m 99% sure any non-technical people reading this got scared instantly (I might have to remind you that this guide is more tailored to technical people).
Linux being “difficult” is a popular belief that was pushed by Microsoft more than 20 years ago and is no longer relevant. Due to recent Microsoft hiccups (ahem, Windows 11), Linux is reaching a record-high market share on workstations.
Linux is more secure than Windows by design, and has a blessing in disguise: it does not support all the **** you can find on the internet, thus preventing people from installing whatever they find. This is one of the fun parts: the default behavior of Linux is NOT to run unknown things, which made all the malware tests pass by default (you would need the command line to run a Python script, for example; double-clicking will just open the editor).
Additionally, your technical team will thank you and have a much easier life doing their job.
What I would recommend though is, if you choose Linux, commit to it and ensure everyone in your team has the same version, and choose a major distro such as Ubuntu or RHEL/CentOS; this ensures that everyone is on the same page, and help can be shared.
MDM (mobile device management software)
Finally, it’s important to note: you do NOT need mobile device management software (MDM). Everyone out there will push for it because this is their bread and butter and/or because they work in large organizations, but it is not required for the audit and is an unnecessary expense for startups.
The guide in the next section (tested on my team) takes an hour, and costs at least 10 times less than an MDM + Windows license.
An MDM might make Windows easier to set up, I don’t know. But we did not have the budget, and since our team is 100% technical, it’s hard to justify paying more for an OS that (in kind words) is impractical for development, full of vendor lock-in, less secure than Linux, and finally has a worse environmental impact (let’s not talk about the debacle around the Windows 11 TPM requirement forcing companies to throw away tons of laptops due to W10 EOL).
Phones
In our team, the phones are not used much: they are only our way to keep in touch with chats when away from our laptops. This means compliance there was very straightforward: ensure that phones are not rooted or jailbroken, and still up to date (a phone that no longer receives updates will fail the audit), and you will be compliant.
If someone in your team has a non-compliant phone, you can:
- Give them a company phone
- Ask them to buy a new phone
- Ask them not to access company data from their non-compliant phone, or block them from doing so
As a bonus, if you have Google Workspace, Android has a neat way of separating work/personal data and it’s completely free: this is called Android work profiles and is relatively easy to set up.
Managing Software
For compliance, you will need to ensure that people cannot install whatever they find online, and you will need to ensure everything is up to date.
- Preventing installation: on Windows and Mac you will need to enforce this policy (so using an MDM will be much easier); on Linux, we managed to pass with only written policies to exclusively use Snap/App Center from Ubuntu. On Linux, you can still add more enforcement by using SELinux or AppArmor profiles, although this is not required by the audit.
- Ensuring everything is up to date: on Windows, you will have to make sure software is always up to date; the two options are to use an MDM or make extra sure whatever you let your employees install has auto-updates baked in. On Ubuntu (I cannot tell for RHEL-based distributions) you can achieve this through Ubuntu Pro, which is free for 5 machines, and then $2 per machine per month above that.
Chrome & policies
This is not required, but it will ease your work: having policies on a browser will prevent people from doing a certain number of actions. Firefox and Chrome both have such policies; however, in the case of Chrome, if you already have Google Workspace the process is significantly easier, since you can enable/disable those settings from a central location, which will sync with all the accounts in Google Workspace using Chrome. If you are not using Google Workspace, you can still sign up for free here: https://chromeenterprise.google/products/cloud-management/
There are a lot of policies, so I’ll just go over the ones I believe to be the most important:
- Create organizational units, at a bare minimum one for your technical team and one for everyone else.
- For everyone:
  - Browser sign-in settings: force sign-in
  - Restrict sign-in to the pattern .*@yourdomain\.com
  - Enable site isolation
  - Disable Google password manager (it's not a secure one, use another vendor)
  - Enable leak detection for entered credentials
  - Disable remote debugging
  - Prevent dismissing compromised password alerts
  - HTTPS is required for basic authentication
  - Minimum SSL version: 1.2
  - SSL error override: block users
  - Disallow third-party cookies
  - Default legacy SameSite cookie behavior: use SameSite by default
  - Flash and popup options: block everything
  - Developer tools: disable
  - URL in the address bar: display the full URL
  - Shared clipboard: disable
  - Safe Browsing: enabled (standard or enhanced to your liking)
  - Download restrictions: block malicious downloads and dangerous file types
  - Disable bypassing Safe Browsing warnings: do not allow users to bypass
  - Password alert: trigger on password reuse
- For devs:
  - Reuse the rules for everyone, and override the next three (or your developers will have a hard time doing their job)
  - SSL error override allowed domains: localhost
  - Developer tools: enable, except for force-installed extensions
  - Download restrictions: block malicious downloads
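The same two policy sets expressed as a Chrome managed-policy file, as an added example that is not the post's own configuration: Chrome on Linux reads JSON policy files from /etc/opt/chrome/policies/managed/, which covers a laptop whose browser is not signed in to Workspace. The policy keys are Chrome's enterprise policy names; the mapping of the console wording to keys and enum values is my reading and should be confirmed in chrome://policy after installing.

```shell
#!/usr/bin/env bash
# Render the browser policies listed above as a Chrome managed-policy JSON file
# for one organisational unit. Added example, not the post's own configuration:
# it uses Chrome's local policy directory on Linux instead of the Workspace
# console. Policy keys are Chrome enterprise policy names; numeric values are
# Chrome's policy enums (verify the result in chrome://policy after installing).

render_policy_json() {               # $1: company domain, $2: "everyone" or "devs"
  local domain="$1" unit="$2" esc
  # Escape dots so the sign-in pattern matches the domain literally, e.g.
  # ".*@yourdomain\.com" (one backslash in the regex, two once JSON-encoded).
  esc=$(printf '%s' "$domain" | sed 's/\./\\\\./g')

  # Defaults are the "for everyone" unit; devs override exactly three policies.
  local devtools=2                   # 2 = developer tools disallowed
  local downloads=1                  # 1 = block malicious downloads and dangerous file types
  local ssl_origins='[]'             # no certificate-error overrides anywhere
  if [ "$unit" = "devs" ]; then
    devtools=0                       # 0 = disallowed only for force-installed extensions
    downloads=4                      # 4 = block malicious downloads only
    ssl_origins='["http://localhost", "https://localhost"]'
  fi

  cat <<EOF
{
  "BrowserSignin": 2,
  "RestrictSigninToPattern": ".*@${esc}",
  "SitePerProcess": true,
  "PasswordManagerEnabled": false,
  "PasswordLeakDetectionEnabled": true,
  "PasswordDismissCompromisedAlertEnabled": false,
  "RemoteDebuggingAllowed": false,
  "BasicAuthOverHttpEnabled": false,
  "SSLVersionMin": "tls1.2",
  "SSLErrorOverrideAllowed": false,
  "SSLErrorOverrideAllowedForOrigins": ${ssl_origins},
  "BlockThirdPartyCookies": true,
  "DefaultPopupsSetting": 2,
  "DeveloperToolsAvailability": ${devtools},
  "ShowFullUrlsInAddressBar": true,
  "SharedClipboardEnabled": false,
  "SafeBrowsingProtectionLevel": 1,
  "DownloadRestrictions": ${downloads},
  "DisableSafeBrowsingProceedAnyway": true,
  "PasswordProtectionWarningTrigger": 1
}
EOF
}

# Install on this laptop (run from the admin account with sudo). Keep the
# directory root-owned and not user-writable, otherwise the non-admin user
# could simply rewrite their own browser policies.
install_policy() {                   # $1: domain, $2: unit
  local dir=/etc/opt/chrome/policies/managed
  mkdir -p "$dir"
  render_policy_json "$1" "$2" > "$dir/cyber-essentials.json"
  chmod 644 "$dir/cyber-essentials.json"
}
```

Firefox has an equivalent policies.json mechanism, but the key names differ and are not covered here.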
5. Lists, more lists, and even more lists
You don't like Excel? Me neither, so I'll try to show you how to avoid it as much as possible.
One of the requirements of Cyber Essentials is to have a list of all the software used in the company, the devices, and their versions (example: Lenovo ThinkPad X390, Linux Ubuntu 20).
All of this can be done in an Excel sheet; however, make sure it gets updated regularly, so, when possible, prefer automated tools (SSO, for example, or Workspace/Entra), and create processes for onboarding and offboarding people working in your company.
Leveraging existing tools (Google Workspace / Microsoft Entra)
If you are already using Google Workspace or Microsoft 365, you will have the advantage that anyone connecting their account will be listed, alongside the device name, type, and OS version.
- For Google Workspace (from the admin panel) you can find this in Devices > Mobile and endpoints > Devices
- For Microsoft Entra (from the Azure portal), you can find this in Manage > Devices > All Devices
Creating processes
A few simple processes can go a long way to keep your software list up to date and stay compliant. Additionally, the onboarding/offboarding processes will make sure you have a good way of bringing people into or out of the company (our other product, Ansearch, is in knowledge management; we can assure you that taking 2 hours to create those processes is an immense ROI and will have a significant impact on quality of life, but they need to be clear, repeatable and open to improvements).
What we did: We decided to create the first few pages of our company book, which include our processes for onboarding/offboarding and software lists.
- Onboarding team members (here is a link for ours)
- Referencing software used (here is a link for ours)
6. Passing the Cyber Essentials certification
By now everything should be ready if you followed this post. This means you are ready for the audit. You are not quite going to do the audit right away though: the first thing you have to do is fill out the form, where you indicate all the devices you have (remember the lists), the software used, all the measures you have taken, etc. Having all the evidence close by is important, as the form is very long (you can save it and come back later). It took me around an hour to fill in, but since I had some things missing (e.g. what phones my team uses and their OS versions) this stretched into multiple days.
Once the form is validated… you are Cyber Essentials certified (again, there is no audit).
Then comes the audit for Cyber Essentials Plus.
The audit
Important note before the audit: if you are using Linux, you should warn the auditor beforehand, so they can prepare the set of tests that fit Linux, plus get to know what/where they should look for the policies being enforced. Linux is unusual, and the auditor might be unprepared for it.
This is going to be an hour-long call, give or take. The auditor will either ask to use remote desktop software or (if that did not work) ask you to share your screen and follow their instructions.
In the first step, the auditor will download various “fake” malware samples and execute them. To pass, you can:
- Show that the browser refuses to download the file (best)
- Show that you cannot double-click the file to run it (for Windows/Mac, it should prevent you from executing the file, or at minimum require more than two clicks to run. For Linux, this is a pass by default, since clicking on files opens the editor)
The second step is going to verify emails with bad attachments are quarantined. Google Workspace does this by default, and it should be the same with Microsoft 365.
The third step is to verify that firewalls are enabled (for Linux, simply switch to the admin account and type sudo ufw status), and that you cannot download/install software (in our case we have written policies, which are simply “use Snap/App Center and don’t use apt except for Google Chrome”; for Windows or Mac you will need enforceable policies). The auditor will also verify that the current user is not an admin and how many users are on the computer.
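A pre-audit self-check for the Ubuntu laptop, covering both the setup summary in section 4 and the checks the auditor runs in this step; this is an added example, not the guide's own script. It assumes the admin account was hidden from the login screen with an AccountsService SystemAccount=true entry and that automatic updates are configured in /etc/apt/apt.conf.d/20auto-upgrades; every check takes its input as text, so it can be run against constructed samples as well as live output.

```shell
#!/usr/bin/env bash
# Pre-audit self-check for an Ubuntu laptop prepared as in this guide. Added
# example, not the guide's own script. Each check_* function takes the text it
# inspects as an argument, so it can be exercised on constructed samples;
# run_live() feeds it the real command output on the machine.

# The day-to-day account must not be a local admin: membership of the sudo
# group (Ubuntu's default), admin or wheel means "can run sudo / click yes".
check_not_admin() {              # $1: output of `id -nG <user>`
  local g
  for g in $1; do
    case "$g" in sudo|admin|wheel) return 1 ;; esac
  done
  return 0
}

# The auditor asks how many users are on the computer: count human accounts
# (UID 1000-59999; root, system users and nobody are excluded).
count_human_users() {            # $1: contents of /etc/passwd
  printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 < 60000 { n++ } END { print n + 0 }'
}

# UFW must report active, which is what `sudo ufw status` should show.
check_ufw_active() {             # $1: output of `sudo ufw status`
  printf '%s\n' "$1" | grep -qx 'Status: active'
}

# Encrypting the volume at install time leaves an open LUKS container, which
# lsblk reports with TYPE "crypt".
check_encrypted_disk() {         # $1: output of `lsblk -rno NAME,TYPE`
  printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Unattended security updates must be switched on (assumed file: the apt
# periodic configuration that unattended-upgrades reads).
check_auto_updates() {           # $1: contents of /etc/apt/apt.conf.d/20auto-upgrades
  printf '%s\n' "$1" | grep -q '^APT::Periodic::Unattended-Upgrade "1";'
}

# Assumption: the admin account was hidden from the GDM login screen with an
# AccountsService entry marking it as a system account.
check_admin_hidden() {           # $1: contents of /var/lib/AccountsService/users/<admin>
  printf '%s\n' "$1" | grep -qx 'SystemAccount=true'
}

report() {                       # $1: check name, remaining args: its input
  if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

run_live() {                     # $1: name of the hidden admin account (default: admin)
  local admin="${1:-admin}"
  report check_not_admin "$(id -nG)"
  echo "human accounts on this machine: $(count_human_users "$(cat /etc/passwd)")"
  report check_ufw_active "$(sudo ufw status 2>/dev/null)"
  report check_encrypted_disk "$(lsblk -rno NAME,TYPE)"
  report check_auto_updates "$(cat /etc/apt/apt.conf.d/20auto-upgrades 2>/dev/null)"
  report check_admin_hidden "$(cat "/var/lib/AccountsService/users/$admin" 2>/dev/null)"
}

# Set RUN_LIVE=1 to execute the live checks on the laptop; off by default so
# the functions can be sourced and tested on sample input.
if [ "${RUN_LIVE:-0}" = "1" ]; then run_live "$@"; fi
```

Run it the day before the audit from the non-admin account (RUN_LIVE=1 bash selfcheck.sh admin); the ufw check needs the sudo password of the admin account.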
Challenges we faced
- Being in sync with the auditor: among other things, the audit will look at every piece of software on your computer. If there was a security patch (even less than a week ago) that is not installed, it will be flagged! Additionally, since the audit is remote, the computers need to be turned on during the audit. So if you (and your cofounders) are working part-time, you must be sure of when the audit will take place, and the day before ensure that all software has been updated.
- A massive amount of online knowledge is tailored to bigger organizations; the NCSC website itself discusses enterprise-sized setups much more than startups. There are a lot of things (such as mobile device management) that are unnecessary for startups. You need to be critical about what you actually need.
Final note & mission of A* Logic
I wish I had had this guide before. Preparing for the audit is not that hard once you know what you have to do.
Some purists might say “You can do more” and this is right. To be fair, I was 8 weeks into this certification when we got all the green lights, and I needed to do something else. Moreover, as a small business, this was sufficient to pass.
One of the major “risks” in cyber security is ignorance (over 90% of breaches are due to human error), and you can go a long way with good cybersecurity awareness (which can be summarised as “don’t click on strange stuff” & “avoid downloading things”), combined with SaaS apps instead of installed apps, zero trust and a good password manager (avoid Google’s, and prefer a secure one like Bitwarden or 1Password).
On that last point, whenever you can, prefer using OAuth (sign in with Google/sign in with Microsoft) or single sign-on when using online software. This is a proven and tested way to reduce password leaks and, as a developer, to have strong and secure authentication.
I strongly disagree with making SSO an “enterprise” tier feature when it’s such an important security feature. This is why my team and I will be thinking about how to bring it at an extremely affordable price (or even free if we can), so people building with A* Logic’s APIs will be able to offer OAuth and SSO on all their price points.