About the Cyber Essentials Scheme
Launched in 2015 by the UK government’s Department for Business, Innovation and Skills, Cyber Essentials is an information assurance scheme operated by the National Cyber Security Centre (NCSC).
The aim of Cyber Essentials is to encourage organisations of all sizes and kinds to adopt good practice in information security and to demonstrate their commitment to safeguarding their data, primarily against threats coming from the Internet.
The benefits of a Cyber Essentials certification
Cyber Essentials certification offers you a number of benefits:
- You can choose between two levels of certification and opt for the one that best suits your business needs.
- Certification can help to give everyone you work with peace of mind, reassuring your customers, colleagues and business partners that your IT is secure against cyberattack.
- Cyber Essentials certification can help you attract new business, as potential customers will be more likely to work with you if they are confident you have cybersecurity measures in place.
- Certification will provide you with a clear picture of your organisation’s cyber security level and therefore put you in a better position to make any improvements needed.
- Undertaking Cyber Essentials certification will enable you to bid for and undertake contracts in some of the most highly regulated industries (particularly UK central government and MOD contracts), as holding such certification is rapidly becoming mandatory.
- Overall, certification will help you to mitigate risks to your business and better protect your IT, data, IP and confidential customer information from cyber threats.
The five controls
- Use a firewall to secure your Internet connection
Make sure all the devices you have connected to the Internet are protected with a firewall.
- Use secure settings for your devices and software
Change the manufacturer’s default configuration on all your hardware and software – it helps repel cyber attackers.
- Control who has access to your data and services
Your team’s user accounts should only give them access to the devices, software and settings they need to do their job. Admin permissions should only be given to those who need them.
- Protect yourself from viruses and other malware
All devices, including laptops, PCs, phones and tablets, should be protected against attacks by viruses or other malware. Once these threats get into your network, they can infect other connected devices and software.
- Keep your devices and software up to date
From operating systems, software and apps to mainframes, laptops, tablets and phones, you should keep all your technical resources up to date at all times. Manufacturers and developers release regular updates that add new features and also fix security vulnerabilities that have been discovered.
The Cyber Essentials self-assessment process shows you how to understand and prevent the most basic and common cyber attacks. It does this by defining a focused set of controls that give clear guidance on basic cyber security and can be implemented at low cost.
This is key because if your organisation is vulnerable to simple cyber attacks, it can mark you out as a target for more sophisticated and in-depth unwanted attention from cyber criminals.
Certification therefore gives you the peace of mind of knowing that your defences will protect you against the vast majority of common cyber threats.
In practice, this means attackers are likely to move on to more vulnerable targets that do not have the Cyber Essentials technical controls in place.
Cyber Essentials Plus retains all of Cyber Essentials’ trademark simplicity of approach, and the protections you need to put in place are the same. However, Cyber Essentials Plus offers the added reassurance of a hands-on technical verification being carried out.
This more rigorous test of your organisation’s cyber security systems is where our cyber security experts carry out vulnerability tests to make sure that your organisation is protected against basic hacking and phishing attacks.
Alternatively, you can familiarise yourself with cyber security terminology so you gain enough knowledge to help you better secure your IT yourself.
Cyber Essentials Plus certification demonstrates that you’ve taken your cyber security to the next level and have met government requirements to respond to the threats.
Building a strong cybersecurity framework for your organisation – or, worse, trying to recover from a harmful cyber attack – can be expensive in time, money and technical resources. The Cyber Essentials scheme can help you achieve a sound cybersecurity structure, quickly, simply and cost effectively.
You need it because:
- It’s mandatory if you want to work for larger organisations in regulated industries or bid for any central government and MOD contracts,
- It’s the ideal alternative to gaining the international certification standard for an information security management system (ISMS) – ISO 27001,
- It enables you to achieve optimum cybersecurity in line with regulations such as GDPR, under which your business can be fined up to €20 million or 4% of the company’s global annual turnover for a data breach,
- It’s UK government backed to give you, your people, your customers and your business partners peace of mind.
Cyber Essentials has been designed to be simple, rapid and cost effective to achieve. We believe, though, that you shouldn’t look at certification as a cost to your business but rather as an investment in its future security.
The cost of Cyber Essentials certification will vary depending on a number of factors that are likely to be unique to your organisation. These include:
- which level of Cyber Essentials you choose to work toward,
- the size of your business, including number of people, work stations, remote devices and so on,
- what IT and security tools and measures you already have in place – including the five controls mentioned above,
- how robust these security tools and measures are and how well they perform,
- the results of any penetration testing you undertake,
- the number and kind of improvements you might need to make,
- the length of time it takes for assessment and update implementation.