
What are Cyber Essentials and why do they matter?

As UK businesses moved online, the government recognised the need for a scheme that certifies an organisation has a minimum level of protection against the most common cyber threats.

David Donnan, Director

28 May 2025

The Cyber Essentials scheme was launched in 2014 and is now overseen by the NCSC (National Cyber Security Centre), with certification delivered through its partner IASME. It sets out five technical controls designed to stop the most common cyber attacks from harming UK organisations: firewalls, secure configuration, security update management, user access control and malware protection.

Being Cyber Essentials certified improves your chances of winning new business and shows your customers that you take their security seriously. It is also a prerequisite for some central government contracts that involve handling sensitive or personal information, and for Ministry of Defence suppliers that handle certain MOD information.

This article lays out the foundations of Cyber Essentials and how it can help secure, protect, and grow your business.


What are Cyber Essentials and why do they matter?

The purpose of Cyber Essentials is to protect your organisation from the most common cyber threats: phishing, malware, ransomware, password-guessing attacks and network attacks. It does this through five technical control areas: firewalls, secure configuration, security update management, user access control and malware protection.

By implementing the Cyber Essentials controls in your business, the chance of being impacted by these threats is substantially reduced. Because it is a baseline rather than an advanced standard, Cyber Essentials is suitable for any organisation, of any size and in any sector.

Since 2014, more than 190,000 Cyber Essentials certificates have been issued to organisations including schools, charities, local authorities and, of course, businesses. The results speak for themselves: organisations with the Cyber Essentials controls in place are reported to make 92% fewer insurance claims relating to cyber attacks. In addition, a UK-based organisation with an annual turnover under £20 million that certifies its whole organisation receives cyber liability insurance included with its certificate.

Being Cyber Essentials compliant matters because the consequences of a cyber attack on your business can be severe, and because remaining uncertified closes off opportunities. The main risks of staying uncertified are:

Higher likelihood of insurance claims
As we mentioned earlier, companies with Cyber Essentials certification are much less likely to make an insurance claim relating to cyber attack damages.

A lack of basic security controls
Cyber Essentials is a baseline that protects against common, largely unsophisticated attacks. Without these controls in place, an organisation is far more exposed to them.

Lack of trust
Consumers and suppliers will be less likely to trust a business that hasn't demonstrated its commitment to cybersecurity through Cyber Essentials certification. This can lead to weakened supply chain relationships and lost business opportunities.

Financial and reputational damage
A cybersecurity breach can severely damage an organisation's reputation, potentially leading to loss of customer trust and long-term damage to the business. There may also be severe financial losses incurred by a business as a result of a cyber incident.

What are the benefits of Cyber Essentials certification?

Boosted Business Reputation and Trust
By being Cyber Essentials certified, you are proving to your customers, partners and suppliers that you take cybersecurity seriously. It will also give your business a competitive advantage when bidding for work or trying to stand out in a crowded market by building credibility and confidence in handling sensitive or personal data.

Encourages Ongoing Cybersecurity Best Practices
Certification must be renewed annually, which encourages organisations to maintain good cyber hygiene over time. It also promotes a culture of regular monitoring, updating and patching of your systems.

Stronger protection against common online threats
The Cyber Essentials controls are commonly cited as guarding against around 80% of common cyber attacks. With them in place, your business is at much lower risk of having its data accessed, leaked or stolen.

Opens up opportunities for public sector and government contracts
Cyber Essentials certification is a requirement for many UK government contracts, particularly those involving sensitive or personal information, and is increasingly requested in private sector procurement too.

International Recognition
Although Cyber Essentials is a UK Government scheme, it is recognised internationally, and organisations based outside the UK can also apply for certification.

Sets a foundation for further security standards
Cyber Essentials is a good first step and a stepping stone towards more demanding standards such as ISO 27001, or PCI DSS if your company handles card payments. Our article introducing the three most common cyber security standards in the UK is an ideal place to start when considering other frameworks on top of your Cyber Essentials certification.

How do I become Cyber Essentials certified?
Becoming Cyber Essentials certified may seem like a daunting task - however, we'll break it down into some simpler steps.

Prepare for an assessment

Conduct an internal audit against the five control areas (firewalls, secure configuration, security update management, user access control and malware protection). An internal vulnerability scan is a useful starting point, but the audit also needs to cover configuration and user accounts, which a scanner will not see. Make sure the systems that protect you from the attacks the scheme targets (phishing, malware, ransomware, password guessing and network attacks) are up to standard.

Testing your internet-facing systems with an external vulnerability scan also gives good insight into how close you are to being certification ready; an external scan of this kind is part of the Cyber Essentials Plus audit.

As mentioned before, keep your systems updated and patched (the scheme requires critical and high-severity updates to be applied within 14 days of release), review your password policy and multi-factor authentication, and remove any unused services and accounts. Document all the actions you take while completing these pre-assessment tasks.

Outline the risks to your company of remaining non-compliant with Cyber Essentials. Compare your current practices with the scheme's requirements: which areas need improvement, and what would the impact on the company be if they were compromised?


Implement the control areas

The core of the certification process is implementing the five controls mentioned earlier as a barrier against the most common cyber attacks. Ensure that every department keeps track of the changes it makes so that implementation is supported across the business. The changes needed to improve your security may include:

  • Install a firewall at the network boundary and enable the software firewall on each device to block unauthorised access
  • Change default passwords on all accounts, devices, internet gateways and routers, and enforce a password policy
  • Limit access rights so people can only access what they need, and keep administrator accounts separate from day-to-day accounts
  • Make sure anti-malware software is installed and kept up to date on all devices
  • Invest in educating and training employees on staying cyber secure
  • Remove any outdated or unsupported software and any accounts that are no longer needed.
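To make the pre-assessment audit and the implementation list above concrete, here is an added example (not Igentics' code and not part of the scheme) that checks a small, constructed device inventory against the five control areas. The Device fields and the assess_device function are assumptions for illustration; the thresholds they apply (critical updates within 14 days, no default passwords, admin accounts not used for daily work, unused accounts removed, anti-malware on every endpoint) are the scheme's own requirements. Use it as a model for a gap check before filling in the SAQ, substituting real inventory data for the sample.

```python
"""Gap check of a constructed device inventory against the five Cyber Essentials control areas.

Added example. The Device class, its field names and the sample hosts are assumptions
for illustration; they are not part of the scheme or of any vendor tool.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Scheme requirement: critical/high-rated updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

FIREWALLS = "Firewalls"
SECURE_CONFIG = "Secure configuration"
UPDATES = "Security update management"
ACCESS = "User access control"
MALWARE = "Malware protection"


@dataclass
class Device:
    name: str
    kind: str                                # "endpoint" or "network"
    os: str
    os_supported: bool                       # vendor still releases security updates
    firewall_enabled: bool
    default_admin_password: bool             # factory/default credential still in place
    antimalware_installed: bool              # only assessed for endpoints
    oldest_missing_critical: Optional[date]  # release date of oldest unapplied critical/high update
    admin_used_for_daily_work: bool          # admin account used for email/browsing
    mfa_on_cloud_services: bool
    dormant_accounts: List[str] = field(default_factory=list)  # accounts no longer needed


Finding = Tuple[str, str, str]  # (device name, control area, description)


def assess_device(dev: Device, today: date) -> List[Finding]:
    """Return one finding per control-area failure observed on a device."""
    f: List[Finding] = []
    if not dev.firewall_enabled:
        f.append((dev.name, FIREWALLS, "firewall is disabled"))
    if dev.default_admin_password:
        f.append((dev.name, SECURE_CONFIG, "default administrative password has not been changed"))
    if not dev.os_supported:
        f.append((dev.name, UPDATES, f"{dev.os} no longer receives security updates"))
    elif dev.oldest_missing_critical is not None:
        age = (today - dev.oldest_missing_critical).days
        if age > PATCH_WINDOW_DAYS:
            f.append((dev.name, UPDATES,
                      f"critical update outstanding for {age} days (limit {PATCH_WINDOW_DAYS})"))
    if dev.admin_used_for_daily_work:
        f.append((dev.name, ACCESS, "administrator account used for day-to-day work"))
    if not dev.mfa_on_cloud_services:
        f.append((dev.name, ACCESS, "MFA not enabled on cloud services"))
    for acct in dev.dormant_accounts:
        f.append((dev.name, ACCESS, f"unused account '{acct}' should be removed or disabled"))
    if dev.kind == "endpoint" and not dev.antimalware_installed:
        f.append((dev.name, MALWARE, "no anti-malware software installed"))
    return f


def assess_inventory(devices: List[Device], today: date) -> List[Finding]:
    """Run the per-device checks across the whole inventory."""
    return [x for d in devices for x in assess_device(d, today)]


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control area so gaps can be prioritised before the SAQ."""
    counts: Dict[str, int] = {}
    for _, control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


# Constructed sample inventory (not real hosts), dated to the article's publication day.
# Positional field order: name, kind, os, os_supported, firewall_enabled,
# default_admin_password, antimalware_installed, oldest_missing_critical,
# admin_used_for_daily_work, mfa_on_cloud_services, dormant_accounts.
TODAY = date(2025, 5, 28)
SAMPLE_INVENTORY = [
    Device("laptop-01", "endpoint", "Windows 11", True, True, False, True, date(2025, 5, 1), False, True),
    Device("laptop-02", "endpoint", "macOS 15", True, True, False, True, None, False, True),
    Device("office-router", "network", "vendor firmware", True, True, True, False, None, False, True),
    Device("legacy-pc", "endpoint", "Windows 7", False, True, False, False, None, True, True, ["jsmith"]),
]

if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY, TODAY)
    for device, control, desc in results:
        print(f"[{control}] {device}: {desc}")
    print(summarise(results))
```

Run against the sample, the check reports six gaps: one overdue critical update on laptop-01, a default password on the router, and an unsupported operating system, missing anti-malware, daily use of an admin account and a dormant account on legacy-pc, while laptop-02 passes cleanly. The firewall rule and the anti-malware rule deliberately differ in scope: every device needs a firewall, but anti-malware is only assessed on endpoints.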

Complete the Self Assessment Questionnaire (SAQ)

The Cyber Essentials SAQ is a comprehensive set of questions used to assess an organisation's cybersecurity posture before becoming Cyber Essentials certified. It includes a series of questions that explore the organisation's IT environment, cybersecurity measures, and practices related to the five core controls. 

Businesses complete the SAQ, and an assessor from a licensed certification body marks the answers. Certification bodies vary in price and specialism, and the assessment fee is tiered by organisation size, so expect to pay more if you are a larger business.

Before the SAQ is submitted, it must be signed off by a board member (or equivalent), confirming that the responses are accurate and honestly represent the organisation's cyber security practices. If your business passes the assessment, it certifies that the practices in place meet the Cyber Essentials requirements.

When you have passed, your business is awarded Cyber Essentials certification, valid for 12 months. This also opens the door to Cyber Essentials Plus, which verifies the same five controls through an independent technical audit rather than self-assessment, and which we will cover at a later date.

Recertifying after 12 months

The scheme rules require every certified organisation to be reassessed after 12 months. Here are some best-practice tips for a seamless recertification.

  • Set a reminder to start your reapplication process a month before expiry
  • Review any changes to the Cyber Essentials scheme and how they might differ from your current cybersecurity practice
  • Audit your organisation's actions over the past year and ensure they're still in line with Cyber Essentials guidelines.

If your business continues to uphold the best practices of Cyber Essentials, there should be no issues regarding recertification procedures.

How Igentics can support your Cyber Essentials process

For nearly 25 years, we have been supporting businesses across the globe in advancing and improving their cybersecurity. Through monitoring and advising on security issues and best practices, we can help prepare your business to achieve Cyber Essentials certification as well as help protect your existing business data. Your business deserves to succeed with optimum cybersecurity - talk to Igentics today to see how we can help.
