If you have never heard of Cyber Essentials or are yet to be certified, you could be missing out on one of the most effective ways to protect your organisation from increasingly common cyber threats.
We’ve put together this jargon-free guide to Cyber Essentials which will help you understand everything you need to know about the Cyber Essentials scheme and how it could be a game-changer for your business.
As a certifying body of the Cyber Essentials scheme, we want to lead you through the process of becoming certified. So, whether you want to find out which certification is best for you or you are ready to take the next step, contact us today and start the process of protecting your business.
Contents
- Understanding cybercrime and the threat to your organisation
- Background to Cyber Essentials
- What is Cyber Essentials?
- The five technical controls
- Benefits of Cyber Essentials certification
- Cyber Essentials and the GDPR
- Types of Cyber Essentials certification
- Cyber Essentials vs Cyber Essentials Plus
- Steps to certification
- How much does Cyber Essentials certification cost?
- Frequently Asked Questions
- Summary
- The next steps
1. Understanding cybercrime and the threat to your organisation
There has been a considerable increase in cybercrime in the last ten years. According to the Government’s 2021 Cyber Breaches Report, 46% of UK businesses reported cyber breaches in the previous 12 months. Whether it’s an error made by accident by an employee or a hacker somewhere in the world attempting to gain access to unauthorised data, cyber threats can:
- Infect systems with malware to damage, disrupt, and gain unauthorised access to an organisation’s IT systems
- Manipulate employees into divulging confidential and personal information for fraudulent purposes
- Exploit weaknesses in an organisation’s systems
- Overload an organisation’s systems with a DDoS (Distributed Denial of Service) attack that floods their bandwidth and resources. In a DDoS attack, a company’s website and IT systems receive so many requests that they cannot keep up and fail to respond to legitimate requests
As businesses continue to experience thousands of cyber attacks a day, it’s clear that cybersecurity must be a priority for every business owner. Cyber attacks come in many different forms, but many are as simple as an opportunist thief trying a car door to see if it’s unlocked. Regardless of how complex these attacks might be, they can have considerable negative consequences, including reputational damage, for the organisation involved.
To help organisations adopt good practices in information security, the Government launched a certification scheme called Cyber Essentials.
2. Background to Cyber Essentials
Before the launch of Cyber Essentials, the Government had already begun to make strides towards helping organisations protect themselves against cyber attacks. In 2012, it published its 10 steps to cybersecurity, followed by Small businesses: What you need to know about cybersecurity in 2013. The Government aimed to help organisations determine whether they were managing their cyber risks effectively enough and to encourage Senior Executives to take more ownership and accountability of these risks. However, despite adopting stronger security measures, there were some security measures that many organisations failed to implement, leaving them open to threats. Cyber Essentials was created to plug this gap by offering a straightforward and accessible approach to cybersecurity.
3. What is Cyber Essentials?
Cyber Essentials is a government-backed scheme launched by the Department for Business, Innovation, and Skills in 2014 following a collaboration with the Information Security Forum (ISF), the Information Assurance for Small and Medium Enterprises Consortium (IASME), and the British Standards Institution (BSI).
Cyber Essentials helps organisations to guard against the most common cyber threats. It addresses the most common online threats to cybersecurity by identifying vulnerabilities and reducing the chances of an attack. These threats include:
- Hacking: Exploiting known vulnerabilities in internet-connected devices using widely available tools and techniques
- Phishing: A way of tricking users into installing or executing a malicious application (read more about how to protect against phishing)
- Password guessing: Manual or automated attempts to log on from the internet by guessing passwords.
Cyber Essentials acts as a checklist for organisations to examine the current condition of their cybersecurity. The aim is to reach the Cyber Essentials standard and, once completed, to receive certification. Cyber Essentials includes an assurance framework and simple security controls to protect information from threats coming from the internet. Organisations are required to undergo re-certification on an annual basis to maintain their certification. Certifying bodies, such as British Assessment Bureau, are licensed by accreditation bodies, which are government-appointed.
Whether your organisation is in the public, private, charity, not-for-profit or higher education sector, you must achieve Cyber Essentials certification if you want to secure public contracts. The Ministry of Defence and most local authorities have made Cyber Essentials certification a minimum requirement.
4. The five technical controls
The basic requirement of Cyber Essentials involves a self-assessment questionnaire that covers basic technical and procedural controls that should be in place. Cyber Essentials tests five key areas of an organisation’s IT infrastructure:
Firewalls
Firewalls prevent unauthorised access to or from private networks. However, both software and hardware need setting up properly to be effective. Boundary firewalls determine who has permission to access your IT systems and enable you to control where users can go. While antivirus software is useful in protecting the system against unwanted and potentially harmful programs, a firewall will help to keep external threats from getting access to your systems in the first place.
Secure configurations
Failing to configure your servers properly can lead to a variety of security problems, so web server and application server configuration is crucial in cybersecurity. A secure configuration reduces the number of vulnerabilities and provides only the services required to fulfil the intended function. This helps prevent unauthorised actions and ensures that a device discloses only minimal public information about itself.
User access control
It may be convenient to give administrator rights to several users but, to reduce the risk of hacking, only a limited number of people should have access to data and services. Hackers want to get hold of administrator rights to gain access to applications and other sensitive data. Therefore, user accounts, especially those granted special access privileges, should only be assigned to authorised individuals who are given the minimum level of access to computers, applications, and networks.
Malware protection
Malware protection is crucial in defending an organisation against malicious software, known as malware, which is designed to damage files, steal confidential information or, in the case of ransomware, lock files and prevent access unless a ransom is paid.
Patch management
Patch management keeps software and operating systems up-to-date and helps fix any known weaknesses.
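To show how the five controls above translate into concrete checks, here is an added readiness self-check over a constructed asset inventory. It is example code written for this guide, not a tool from the scheme or from British Assessment Bureau; the 14-day patch window, the two-admin-account ceiling, the device fields and the sample devices are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # assumed window for applying security updates (a parameter here, not a figure from the guide)
MAX_ADMIN_ACCOUNTS = 2  # assumed local ceiling on administrator accounts per device


@dataclass
class Device:
    """One row of a constructed asset inventory (sample data, not a real estate)."""
    name: str
    os: str
    os_supported_until: date | None        # None means the vendor still supports this OS
    firewall_enabled: bool
    default_password_changed: bool
    unused_services: list[str] = field(default_factory=list)
    admin_users: list[str] = field(default_factory=list)
    antimalware_enabled: bool = True
    oldest_missing_patch: date | None = None  # release date of the oldest unapplied security update


def check_device(dev: Device, today: date) -> dict[str, str]:
    """Return {control: finding} for each of the five controls this device fails."""
    findings: dict[str, str] = {}
    if not dev.firewall_enabled:                                   # 1. firewalls
        findings["firewalls"] = "host firewall disabled"
    config_issues = []                                             # 2. secure configuration
    if not dev.default_password_changed:
        config_issues.append("default password still set")
    if dev.unused_services:
        config_issues.append("unneeded services: " + ", ".join(dev.unused_services))
    if config_issues:
        findings["secure_configuration"] = "; ".join(config_issues)
    if len(dev.admin_users) > MAX_ADMIN_ACCOUNTS:                  # 3. user access control
        findings["user_access_control"] = f"{len(dev.admin_users)} admin accounts"
    if not dev.antimalware_enabled:                                # 4. malware protection
        findings["malware_protection"] = "no anti-malware installed"
    # 5. patch management: an out-of-support OS is a hard fail; otherwise check the update window
    if dev.os_supported_until is not None and dev.os_supported_until < today:
        findings["patch_management"] = f"{dev.os} unsupported since {dev.os_supported_until}"
    elif dev.oldest_missing_patch and today - dev.oldest_missing_patch > timedelta(days=PATCH_WINDOW_DAYS):
        findings["patch_management"] = f"security update from {dev.oldest_missing_patch} still missing"
    return findings


def assess(inventory: list[Device], today: date) -> dict[str, list[str]]:
    """Group per-device findings by control so the weak areas are visible at a glance."""
    report: dict[str, list[str]] = {}
    for dev in inventory:
        for control, finding in check_device(dev, today).items():
            report.setdefault(control, []).append(f"{dev.name}: {finding}")
    return report


def ready(inventory: list[Device], today: date) -> bool:
    """True only when no device fails any of the five controls."""
    return not assess(inventory, today)


SAMPLE_DAY = date(2022, 6, 1)  # constructed assessment date
SAMPLE_INVENTORY = [           # constructed devices; Windows 7 vendor support ended 14 Jan 2020
    Device("laptop-01", "Windows 11", None, True, True, [], ["it-admin"]),
    Device("reception-pc", "Windows 7", date(2020, 1, 14), False, False, ["telnet"],
           ["it-admin", "receptionist", "guest"], False, date(2019, 12, 10)),
    Device("file-server", "Windows Server 2019", None, True, True, [], ["it-admin"], True, date(2022, 5, 10)),
]
```

Running `assess(SAMPLE_INVENTORY, SAMPLE_DAY)` lists the reception PC under every control and the file server under patch management only, which is the kind of gap list worth closing before the self-assessment questionnaire is submitted.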
5. The benefits of achieving Cyber Essentials certification
Cyber Essentials certification helps to protect an organisation against 80% of the most common types of cyberattacks. It also helps you reduce the risk of business disruption due to downtime caused by cyberattacks. Meanwhile, existing and potential customers have the reassurance that you take cybersecurity seriously, which can be instrumental in attracting new business. Furthermore, Cyber Essentials certification can improve an organisation’s reputation and credibility, pave the way for new business opportunities and even lead to discounted cyber-insurance cover.
Other key benefits of achieving Cyber Essentials certification include:
- Protecting your organisation from common cyber threats: When an organisation effectively implements the scheme’s five technical controls, it is then protected from 80% of the most common cyber threats, thanks to tightened security.
- Increased credibility and reputation: When your organisation is certified under the Cyber Essentials scheme, it shows your commitment to protecting your data and that of your partners and customers. The certification enhances your organisation’s reputation and shows that you are actively taking action to reduce the threat from cyberattacks.
- Win government contracts and create new business opportunities: Organisations that want to bid on government contracts are required to be certified under the Cyber Essentials scheme. Achieving the certification can also lead to new business opportunities, as it demonstrates that your organisation works in a safe and secure digital environment.
- Eligibility for discounted cyber-insurance cover: Cyber Essentials certified organisations could be eligible for discounted or even free cyber-insurance cover.
Even without achieving full certification, the scheme’s controls provide a basic protection level that can help prevent most cyber attacks. There’s also the additional advantage of driving business efficiency, saving money, and improving productivity. However, achieving certification ensures you will receive the full benefits of the scheme.
6. Cyber Essentials and GDPR
Cyber Essentials helps organisations meet their data protection requirements under the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. GDPR protects the privacy of individuals and their personal data. It requires organisations to identify privacy and security risks and to have robust processes in place that allow data subjects to exercise their rights. GDPR covers a range of requirements, including technical controls, which conveniently overlap with the basic technical controls that Cyber Essentials focuses on.
Cyber Essentials can help organisations achieve GDPR compliance, specifically with Article 32, which requires data handlers to implement measures that ensure sufficient data security for the level of risk presented by processing personal data. GDPR also requires that a third-party organisation that shares data must also implement appropriate standards. A straightforward way to identify organisations that have taken data protection seriously would be to check whether they have met Cyber Essentials standards and are certified.
7. Types of Cyber Essentials certification
Cyber Essentials certification aims to protect the confidentiality, integrity, and availability of company information from internet threats. It is not a comprehensive cybersecurity strategy but instead recognises a basic level of due diligence on which organisations should build. Achieving certification demonstrates to the organisation’s partners, clients, and suppliers a commitment to cybersecurity. It is also a requirement when tendering for government and local authority projects.
There are two types of certification: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials
To achieve the basic Cyber Essentials certification, you must complete a self-assessment questionnaire on behalf of your organisation. The independent external certifying body you have chosen, such as British Assessment Bureau, will review your answers. If all goes well, you will pass and receive a certificate. Cyber Essentials offers a good starting point for small businesses and provides the building blocks for cyber standards and identifying vulnerabilities. Cyber Essentials certification gives you:
- Cyber Essentials certification awarded upon successful completion of all areas
- Access to the IASME portal to submit the completed self-assessment questionnaire
- Free cyber insurance and support
Cyber Essentials Plus
The Cyber Essentials Plus certification is more difficult to achieve, but it can drive a real improvement in cyber defences. It requires an independent external auditor to verify the organisation’s security controls to determine whether you have the required five technical security controls in place. This verification is in addition to the self-assessment questionnaire and provides an extra level of assurance. Cyber Essentials Plus is generally most suitable for businesses with employees who work remotely or those with third parties who need access to corporate assets. Cyber Essentials Plus certification gives you:
- Access to the IASME portal to submit the completed self-assessment questionnaire
- Internal credentialed vulnerability scan of a sample of end-user devices
- External non-credentialed vulnerability scans of external internet-facing IP addresses
- Email and file download test for end-user devices
- Checks of the antivirus software in use
- Mobile device checks
- Cyber Essentials and Cyber Essentials Plus certificates
8. Cyber Essentials vs Cyber Essentials Plus
While Cyber Essentials Plus certification is undoubtedly much harder to achieve, it is worth the additional effort. Cyber Essentials Plus requires an objective analysis of your current security controls, which can help drive significant improvement in your organisation’s cyber defences. This has made it a much more highly regarded certification than the basic Cyber Essentials assessment. It is ideal for both small and large organisations that want to make a substantial improvement in their cybersecurity.
It’s important to remember that certification is only valid for one year and needs renewal every year. Annual certification is an excellent opportunity to ensure your security is up to date.
9. Steps to achieving Cyber Essentials certification
Achieving Cyber Essentials certification takes a few simple steps:
Speak to us
Get in touch and let us know more about your business so we can assess your current situation and offer guidance on whether your business needs Cyber Essentials or Cyber Essentials Plus.
Achieve Cyber Essentials certification
We will support you through the process of getting your business certified for Cyber Essentials. Cyber Essentials defines a set of requirements in the five control areas, and you will need to make sure your systems and software meet these before you move on to the next stage of certification. You may be required to supply various forms of evidence before your chosen certification body can award certification at the level you seek, so it’s best to have this available if it’s asked for.
Having understood the requirements which Cyber Essentials puts on the installation, configuration, and maintenance of your IT, you are ready to complete the certification questionnaire and submit this to your certification body. Your certification body will supply the actual questionnaire you complete.
Achieve Cyber Essentials Plus certification
Once you’ve passed, you will be awarded your Cyber Essentials or your Cyber Essentials Plus certificate and may use the logo on your website and marketing materials. Your certificate remains valid for one year, after which you will need to re-certify if you want to stay on the list of certified organisations on the NCSC website.
Maintain compliance
Once your organisation has achieved Cyber Essentials and/or Cyber Essentials Plus, you will need to keep focusing on day-to-day compliance so that your organisation stays continuously aligned with the scheme’s requirements.
10. How much does Cyber Essentials cost?
As part of the Amtivo Group, we are able to offer a range of packages to suit your individual needs. We would be happy to discuss your needs and offer a suitable product. Given that data breaches cost organisations nearly £3 million, according to an independent study by the Ponemon Institute, certification offers excellent value.
11. Frequently Asked Questions
How many questions must I get right to pass?
The assessment has very strict pass criteria set by the government, and organisations need to get the majority of questions right to prove compliance and pass the Cyber Essentials assessment.
Are there any automatic fail questions?
Yes. If the assessment shows that you are using unsupported software, such as Windows 7, your organisation will likely fail to achieve Cyber Essentials certification.
If my organisation fails to pass the assessment, will we receive feedback about why we failed?
You will get feedback on any assessment element that is not fully compliant for Cyber Essentials certification. The assessor will provide comments on the answers you provided that were considered non-compliant.
How long does the Cyber Essentials certification last before it needs renewing?
Both Cyber Essentials and Cyber Essentials Plus certifications expire after 12 months. If you do not renew your certification, your organisation will be removed from the government’s list of certified organisations.
Is it worth renewing my Cyber Essentials certification?
Yes, you should renew your Cyber Essentials for the same reasons you are certified in the first place: to reduce your risk of cyber threat, benefit from the Cyber Essentials scheme, and better understand your organisation’s cybersecurity position.
My organisation is based outside of the UK. Can I obtain Cyber Essentials certification?
Yes, overseas organisations can also achieve Cyber Essentials certification.
Do I need to have Cyber Essentials before achieving Cyber Essentials Plus?
Yes, you will need to have completed the first level of Cyber Essentials before achieving Cyber Essentials Plus.
What do I get when I complete the Cyber Essentials certification process?
You will receive confirmation from the certification body about your result, as well as your certificate reference number. You should also receive the Cyber Essentials badges, which you can use on your website. Your organisation will also be listed on the NCSC’s online database of Cyber Essentials certified organisations.
Who delivers the Cyber Essentials Scheme?
From April 2020, the Information Assurance for Small and Medium Enterprises Consortium (IASME) became the sole partner of the Cyber Essentials scheme. IASME oversees certification bodies in the UK, which have qualified assessors who can certify businesses wanting to achieve Cyber Essentials certification.
How are Cyber Essentials assessments verified?
A representative of your organisation is required to sign a declaration that confirms answers provided in the assessment questionnaire are all true. A qualified assessor will then evaluate your responses. If you pass, then you will receive a certificate. However, if the answers you provide indicate a fail, you will receive feedback that outlines the areas that can be addressed. If you have chosen to work with British Assessment Bureau you will have an opportunity to resubmit your answers.
12. Summary
Cyber attacks pose a real and immediate threat to businesses and organisations of all sizes. Any organisation is a target, and it’s up to each one to do its best to protect its stakeholders by investing in Cyber Essentials. With Cyber Essentials certification, your organisation can have peace of mind that it is protected against 80% of cyber attacks, you can reassure partners and customers, and you can help ensure you avoid huge fines.
13. Why you should choose British Assessment Bureau
As one of the UK’s leading certification bodies and part of the Amtivo Group, British Assessment Bureau is able to demonstrate its expertise in delivering a wide range of certifications, from ISO and Cyber Essentials to PAS, NHSS, and SIA. Combined with our Platinum partner status for delivering excellent client service, we feel confident that we can provide you with an excellent experience.
If you are new to Cyber Essentials we also offer free e-learning to help you understand and prepare for your assessment.
14. Next steps
The first step towards protecting your business with Cyber Essentials is to request a quotation. As a Certification Body working on behalf of IASME, we offer both Cyber Essentials and Cyber Essentials Plus certifications. Our expert team can guide you through the process and answer any questions you may have.
With Cyber Essentials certification, you are not only protecting your organisation from potentially devastating cyberattacks, but you also show your customers, suppliers, and partners that you care about data security and provide them with the trust they need to feel confident to continue working with you.
If you would like to speak with our team for guidance, please complete our contact form or call 0800 404 7007.