Cyber Essential and Cyber Essentials Plus
Is improving your cybersecurity on your company’s list of New Year’s Resolutions for 2023? Don’t know where to start? The Government-backed Cyber Essentials scheme might just be the perfect place. As a certification body, we’ve already certified over 3000 organisations of all shapes and sizes for the scheme. Senior Cybersecurity Engineer Ieuan Noble talks through the basics and benefits of the Cyber Essentials and Cyber Essentials Plus schemes.
What is Cyber Essentials?
Cyber Essentials is a Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. It’s suitable for all organisations, of any size, in any sector.
Cyber Essentials involves a self-assessment that comprises of a series of questions the applicant must complete, which must then be approved by a board level representative or business owner before submitting. A certification body can help talk you through and complete the questions. Achieving Cyber Essentials certification ensures you have the basic level of protection in place against a variety of the most common cyber-attacks.
How is Cyber Essentials Plus different?
Cyber Essentials Plus covers everything that Cyber Essentials does but is a more rigorous test and involves an independent audit by a certified cyber security professional.
You’ll need to complete the Cyber Essentials self-assessment to reach Cyber Essentials Plus level, however, in order to get started with the Plus aspect applicants must first complete their self-assessments to a "passing" mark. Once archived CE+ audit may take place. Should applicants decide to receive their CE certificate prior to obtaining their CE+ they will have 3-months to achieve the plus from the date of issue
What aspects of security do the schemes cover?
To ensure all the main bases are covered, the scheme looks at five main technical controls. These are: firewall configuration physical or host-based; secure configuration, hardening end user devices and cloud services; user access control, limiting access to services and admin accounts by following models similar to 'least privilege'; malware protection, restricts the execution of malware and untrussed software; and patch management, achievable by good practice or technical control. All applicants must install security updates within 14-days of release.
Do applicants need to certify their entire business at once?
Not at all. Depending on the size and complexity of your organisation, applicants can choose which element of the business is covered by the certification, whether that be the entire business, or just a specific sub-set. Most businesses chose to certify the entire organisation at once.
What are the benefits of the certification?
The number one aim of certification is to ensure businesses have a baseline of security that protects them from the most common, and often most harmful, threats. In fact, the Government’s own data shows that Cyber Essentials Compliance mitigates a staggering 80% of the risks faced by business when it comes to cybercrime.
If your whole organisation is included in the scope of your Cyber Essential certification, you’ll also benefit from £25,000 of Cyber Liability insurance, included at no extra cost (certain caveats apply).
Perhaps the most important benefit, but often least considered, is the ability to show your stakeholders, employees and customers that you take your cybersecurity seriously. They can feel safe in the knowledge that their data and information is handled with security in mind. This could go a long way towards setting you apart from your competitors.
As an aside, if your business plans on bidding for Government contracts in the future, certification is now mandatory for certain central government contracts since 1 October 2014.
For how long is the certification valid?
The certification is valid for one year, after which you’ll need to re-certify to maintain your status. We’re proud to have a really high retention rate for customers re-certifying. The first time is always the toughest, but once you’ve got that baseline level of security in place, the majority of our customers find re-certifying really simple.
What do I need to do to get started?
If you’re unsure whether you would benefit from the Cyber Essentials or Cyber Essentials Plus certification, just get in touch and we’ll be happy to guide you along. We’ve been there since the very start of the Cyber Essentials scheme and have been an accredited certification body since 2014, so we’re very well placed to advise and certify companies wanting to achieve this high standard.
