Launched in 2014, Cyber Essentials is a government-backed scheme designed to help businesses defend themselves against the majority of online threats. The scheme advocates the deployment of 5 key technical controls which, when implemented correctly, offer protection against roughly 80% of cyber threats. The scheme is a useful starting point for organisations seeking to assess their cyber defences against a recognised standard, and it lays the foundations for more advanced cyber defence infrastructure.
From man-in-the-middle (MITM) attacks and DDoS to password cracking and the exploitation of software vulnerabilities, hackers use a variety of methods and capabilities to infiltrate poorly guarded IT systems. Recent years have seen a dramatic increase in the frequency of cyber-attacks globally, with many criminals taking advantage of technologies such as AI to perpetrate more potent and harmful hacking campaigns.
Despite this, the majority of attacks remain fairly rudimentary and opportunistic in nature, relying largely on weakly defended networks and end users with poor security awareness. Poor password hygiene, for example, can increase the chances of a hostile account takeover, with password cracking tools able to compromise weakly defended accounts in minutes. Similarly, improperly maintained software can also present opportunities, with hackers often using glaring software weaknesses to insert malware into networks.
By implementing its 5 Key Controls, Cyber Essentials helps ensure your organisation has the tools in place to counter the most common cyber threats, and it may help entrench a strong cyber security culture among your team. Once the necessary safeguards have been put in place, the scheme offers 2 levels of accreditation, each offering a range of business benefits.
What does the accreditation process involve?
The scheme features two tiers of accreditation: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials is the scheme’s entry-level accreditation, with certification awarded upon successful completion of a self-assessment questionnaire. This questionnaire requires you to demonstrate your organisation’s implementation of the 5 key controls required by the scheme, which include firewalls, secure configuration, user access controls, malware protection and patch management. Don’t worry, we’ll go into each of these in greater depth in our next article.
Once the questionnaire is completed, an independent assessment body will review your submission, ensuring that the answers you’ve provided satisfy the criteria of the scheme. If successful, certification will be awarded. If you fail a component of the assessment you’ll be given 2 working days to rectify any issues and resubmit your application. While this base-level certification offers numerous benefits and establishes a sound cyber security framework, the scheme’s next level of accreditation offers greater rewards for organisations willing to rise to the challenge.
Cyber Essentials Plus assesses your organisation against the same 5 key controls as before, only this time the adjudication process features an on-site technical audit administered by a registered certification body. This rigorous assessment process will feature:
- An examination of a random sample of endpoint devices to ensure they are configured and maintained in line with the scheme’s requirements. These devices will be subjected to a vulnerability scan to ensure patch management and system configurations meet the required standard.
- An external port scan to check for blatant vulnerabilities and configuration errors in internet-facing hardware.
- Checks to ensure email clients/browsers are configured to prevent the actioning of malicious files.
- The collection of ‘screenshots’ as evidence to support your certification bid.
Once the assessment body is satisfied that your organisation meets the scheme’s criteria, you will be awarded the Cyber Essentials Plus checkmark. You are free to display this symbol publicly for a period of one year after your certification date, to demonstrate your organisation’s cyber security credentials.
Both Cyber Essentials and Cyber Essentials Plus require yearly reassessment to maintain certification, and both require application of the same technical controls: only the assessment process differs.
What benefits are afforded by accreditation?
Peace of mind for clients and stakeholders
Clients, stakeholders, partners, suppliers and other interested parties will rest assured knowing that you have a comprehensive suite of protections in place to safeguard their data. Accreditation will also boost your organisation’s credibility in the eyes of potential customers.
An insight into your cyber security posture
The process can be enlightening, and offers an opportunity to compare your current cyber defences against the ideal standard. However, make sure you act on any noted deficiencies before starting the adjudication process.
Protection against the vast majority of online threats
The 2022 UK Cyber Security Breaches Survey found that around 4 in 10 businesses suffered a cyber security breach or attack in the preceding 12-month period. While Cyber Essentials doesn’t promise network invincibility, it will help safeguard your IT systems against roughly 80% of cyber threats.
Free Cyber Liability insurance
Accredited organisations benefit from free cyber liability insurance offering up to £25,000 of indemnity. To qualify your organisation must be registered in the UK, have a turnover of less than £20 million per year and hold an active Cyber Essentials or Cyber Essentials Plus accreditation.
Bid for public-sector and military contracts
Public sector and MOD contracts often only entertain bids from Cyber Essentials accredited organisations, with some contracts even stipulating Cyber Essentials Plus. The MOD in particular often requires contractors to handle information of a very sensitive nature, requiring strict confidentiality and extensive technical protections. Without holding the accreditations required, your organisation will be frozen out of these potentially lucrative opportunities.
Demonstrate GDPR compliance
UK GDPR’s ‘security principle’ requires organisations that handle data to safeguard the data they hold by means of ‘appropriate technical and organisational measures.’ Should your organisation fall victim to a data breach of some kind, your Cyber Essentials accreditation will help support your claim to the ICO (Information Commissioner’s Office) that you had established in good faith the required technical measures in accordance with your obligations under the GDPR.
Cyber Essentials accreditation demonstrates a steadfast commitment to cyber security best practice, and signals to interested parties that your organisation can be entrusted with sensitive data. In addition to the benefits listed above, accreditation lays solid foundations for more advanced security countermeasures and can help instil a strong ‘security-first’ mindset among staff. Stay tuned for our next article, where we’ll give an overview of the 5 Key Controls that are fundamental to achieving Cyber Essentials accreditation.
Let us help you maintain the privacy of your customer data
We are living in a world where cyber threats are real, and they are affecting every organisation. Almost half of British organisations are expected to suffer an attack in 2023, so it’s up to them to protect their stakeholders with essential and fundamental investments, like Cyber Essentials. By implementing Cyber Essentials, your organisation will be protected from 80% of cyber attacks, will reassure customers, and will avoid heavy fines from the ICO. To find out how we can help you achieve accreditation and identify gaps in your cyber security, please get in touch to arrange a free Cyber Essentials Gap Analysis.
SolCo IT Support Reading
Based in Reading, Solution Consultants provides IT Support, Telecoms, and Cloud solutions for SMEs across the Thames Valley. We get to know your business, challenges, and goals and deploy scalable and agile technology solutions that make a real difference.
We specialise in simplifying IT, making valuable technology more accessible than ever before. We believe technology has the power to transform your business and open access to new markets.