CyberOne Blog | Cyber Security Trends, Microsoft Security Updates, Advice

Cyber Essentials vs Cyber Essentials PLUS: What's The Difference?

Written by Mark Terry | Oct 17, 2017 12:00:00 AM

In order to adopt good practices in information security, the UK government Department for Business, Innovation and Skills released a government-endorsed scheme called Cyber Essentials in 2014.

Cyber Essentials was developed in collaboration with industry partners such as the Information Security Forum, the Information Assurance for Small and Medium Enterprises Consortium, and the British Standards Institution.

On a very basic level, the goal of the certification is to protect company information from internet threats, but it's important to note that Cyber Essentials is a basic level of 'due diligence' from which to build on, not a comprehensive cyber security strategy.

What Is the Difference Between Cyber Essentials and Cyber Essentials Plus?

We’ll break it down for you.

Why Has Cyber Essentials Been Introduced by the Government?

The Cyber Essentials scheme was introduced to ensure the protection of data, and for companies to understand how that data can be used, secured, or compromised. The scheme ensures that data is protected from common cyber threats online.

Organisations can gain one of two Cyber Essentials badges, and the scheme is backed by the Federation of Small Businesses, the CBI, and many insurance companies who offer incentives to certified businesses.


The UK government launched this scheme on 5 June 2014. By October 2014, Cyber Essentials certification was required for any suppliers to the UK government who handled sensitive and personal information. Companies bidding for government contracts needed this certification (and still need it), and insurance companies have typically lowered premiums for companies that are certified.

The scheme is mostly aimed at businesses that do not have dedicated IT teams working around the clock to monitor threats. It’s important to note that even large organisations have faced security oversights, such as when the NHS was hacked by WannaCry ransomware in 2017. After this incident, the government realised more had to be done to protect sensitive data.

Am I Really In Danger of Cyber Attacks?

The government reports that cyber attacks cost companies thousands of pounds and cause long periods of disruption and downtime.

For example, if you suffered a ransomware attack and couldn’t access your business data or email, would you have a plan to stay operational? If not, you’d benefit from Cyber Essentials certification, if only to identify the security weaknesses you already have.

Cyber criminals don’t just target large corporations or banks - they go after smaller businesses on an industrial scale, exploiting any weaknesses in IT security, infrastructure and software.

Cyber Essentials addresses the basics of protecting against the most common attacks. The scheme isn’t designed to scaremonger or intimidate; the government has made it easy for you to become protected by following its steps.

The Cyber Essentials certification process requires that your company has the following five technical controls in place, and to pass the certification your organisation must meet all of their requirements:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Patch Management

Organisations that have the capacity within their own IT departments can conduct their own Cyber Essentials certification, or can hire a certified external, third-party body to do the checks for them.

Beyond the obvious advantages of having the above in good working order, adding a trust badge to your site to show your compliance builds trust amongst your customer and client base. It’s not mandatory, but it’s highly recommended.

The 2 Levels of Certification

The two levels of certification are Cyber Essentials and Cyber Essentials PLUS.

1. Cyber Essentials

Cyber Essentials is the DIY version. An organisation completes a self-assessment questionnaire and an external certifying body independently reviews the responses.

For this reason, while it is a step in the right direction, Cyber Essentials certification should not be viewed as something that directly improves your cyber security defences, but rather as a starting framework for small businesses.

2. Cyber Essentials PLUS

Cyber Essentials PLUS has the same requirements as Cyber Essentials: the organisation must show that it has met the requirements of the 5 technical security controls.

However, the critical difference is that Cyber Essentials PLUS requires an independent assessment of your security controls to verify that you have the 5 technical security controls in place.

The Cyber Essentials assessment involves a vulnerability scan to identify unpatched or unsupported software, open ports, incorrect firewall configuration, etc.


For this reason, Cyber Essentials PLUS certification can be difficult to achieve without the correct preparation and assessment.

BUT (and this is the important part), since your existing security controls are objectively analysed, your cyber defences will improve significantly and you will get certified!

As a result, Cyber Essentials PLUS has become a much more highly regarded certification, suitable for small and large businesses looking to improve their existing cyber security controls.


Self-Assessment vs. Independent Auditor

If you have a dedicated IT team within your company, then self-assessment may be a practical option for you, particularly if you have an existing vulnerability management and software patching programme in place.

Independent assessors, the bodies that offer Cyber Essentials PLUS, have experience of working with multiple comparable organisations and taking them through the same process.

Vulnerability Scans

Before an independent auditor completes the Cyber Essentials assessment, they will scan your IT infrastructure for security vulnerabilities.


The information gathered will guide remedial actions, ensuring your company meets the five technical controls to demonstrate good information governance practice. As the external body works through your certification, you must supply evidence to meet all requirements.

When performing vulnerability scans, we find that most organisations have known critical vulnerabilities - an automatic fail for Cyber Essentials certification.

Once I’m Certified, Is That Okay?

The purpose of Cyber Essentials is to improve your organisation’s cyber-readiness. Certification must be renewed annually, which is also an opportunity to ensure that your security is ready to defend against the common attacks we all too frequently see today.