Table of Contents
Have you heard about Cyber Essentials yet? Despite the Government-backed scheme being launched in 2014, research shows that just 13% of UK businesses are aware of Cyber Essentials (ranging from 10% of micro-businesses to 40% of large firms). However, with the growing number of cyberattacks, and the recent updates to the scheme, Cyber Essentials could feature on your next boardroom agenda. So let’s ensure you’re up-to-speed and understand how to get the cyber essentials certification for your business.
What is the Cyber Essentials scheme?
Administered by the National Cyber Security Centre (NCSC) and delivered through the IASME Consortium, Cyber Essentials is designed to introduce a baseline cyber security standard to help businesses of all sizes guard against cyber risk with five main technical controls:
- Firewalls and routers.
- Secure configuration.
- Access control.
- Malware protection.
- Software updates.
With these controls in place, it’s estimated that 80% of cyberattacks can be prevented, including:
- Phishing attacks.
- Password-guessing attacks.
- Network attacks.
However, since the scheme was launched nearly a decade ago, a lot has changed:
“Today’s organisations are operating in a very different context to 2014. We’ve seen the rise of cloud computing, greater availability of multi-factor authentication, the pervasive threat of ransomware and of course the global pandemic, which has brought an unprecedented change in the way organisations are working and technology is used.” National Cyber Security Centre (NCSC)
To reflect these trends and ensure meaningful controls remain in place to build more secure environments, an update was issued on 24 January 2022.
The most significant change is the inclusion of cloud services. In particular, a shared responsibility model is added so that cloud users can no longer ‘pass the buck’. The new model dictates the security obligations that both the cloud provider and cloud user have, to ensure clear accountability.
Additionally, multi-factor authentication (MFA) is now an essential requirement. Under the update, MFA should always be used to provide additional protection to accounts that are accessible from the internet. Right now, all admin accounts must have MFA enabled, extending to all user accounts by 2023.
Read the updated guidance in full here.
What’s the difference between Cyber Essentials and Cyber Essentials Plus?
Quite simply, it’s the addition of an independently verified audit.
Cyber Essentials is a basic self-certification, which most micro and small businesses opt for. By completing a questionnaire with supporting evidence, you show the actions you have taken to mitigate the risk of the most common cyberattacks. Your answers must be approved with a signed declaration from a board-level representative. The latest questionnaire can be viewed here.
Cyber Essentials Plus includes a hands-on technical verification of the information contained in your questionnaire. An external vulnerability scan is performed, and your internal security systems are tested to check how robust they are. The audit consists of user devices, internet gateways, and all servers with services accessible to unauthenticated internet users.
What are the benefits of Cyber Essentials certification?
The Cyber Essentials scheme is specifically designed to help strengthen your security posture. Therefore, the biggest benefit is reducing your risk of a cyberattack – and the associated damage that creates, through downtime, reputational damage and regulatory fines. Additionally, smaller UK organisations turning over less than £20m benefit from the inclusion of cyber liability insurance.
As an extension of your robust security posture, Cyber Essentials will support your marketing efforts. In a digital world where cloud-based infrastructure and remote workers are ‘the norm’, Cyber Essentials will be a hygiene factor that partners/customers/suppliers expect you to have in place. Also, third-party risk is in the spotlight because supply chain attacks, which use loopholes in third-party services to strike a target, have increased by 78%. The certification provides reassurance that you have visibility over your entire IT infrastructure and do everything to protect your business.
Some Government contracts require you have Cyber Essentials certification before you’re even allowed to bid for a tender. While 61% of certified organisations say they are more likely to choose suppliers with Cyber Essentials or Cyber Essentials Plus certification.
Many use a project to get their certification, you can read our tips and pitfalls on why security projects can get tripped up here.
What steps does it take to implement Cyber Essentials?
The actual certification process for Cyber Essentials is relatively simple. Once you’ve completed the questionnaire and paid the assessment fee (from £300 – £500 +VAT depending on the organisation’s size), you can be certified in 1-3 days. And that certification lasts for 12-months.
But the scheme isn’t a simple tick-box exercise; it’s designed to ensure your ongoing protection against cyber risk. Therefore, enhancing your security posture requires several recurring steps to be taken. These include:
- The creation and maintenance of an information security policy.
- Employee training and testing their knowledge to identify gaps.
- Tracking your digital assets – including all cloud applications and data storage repositories.
- Enforcing access control and removing access when people leave the business.
- Ensuring new tools are correctly configured with MFA enabled.
- Regularly reviewing your security.
How can I get support?
NCSC and IASME have produced some excellent guidance to download from their websites. In addition to the links shared above, take a look at:
And if you need some help, talk to us about how our dedicated Cyber Essentials Consulting services will support your business to get certified. It might be that you have sector or industry specific compliance obligations such as the Telecommunications Security Act – if that is the case, we can help advise on how to meet compliance against these regulations and directives.