
January 11, 2017

IT professionals need to stay ahead of unprecedented technology changes and the IT security challenges that come with them, often seeking to simplify IT security as much as possible, especially when their company’s critical data is on the line. Cyber attacks cost businesses thousands of pounds in lost working days, lost revenue and lost data, on top of the significant fines associated with GDPR. Nearly half of businesses reported a cyber breach in the past year alone, according to the UK government’s official report. So how can you keep your network and cyber security up to date to meet these challenges?

The UK government-backed Cyber Essentials certification scheme ensures businesses have the essential tools and processes in place to defend against the common cyber attacks seen recently, such as WannaCry or Petya/NotPetya – a core framework that gives them confidence in, and ownership of, their cyber security strategy.


Cyber crime is industrialised, with hackers quickly and easily exploiting vulnerabilities on unprotected systems to take money, data and intellectual property from exposed organisations. It’s important that all companies take action to protect themselves by ensuring they have good basic protection in place. Cyber Essentials is the first step in putting those essential controls in place to offer a good level of protection from the most common cyber threats. It ensures a basic level of competence in fending off “known” cyber threats, making sure the essential processes are in place so that you maintain your defences.

Before you embark on prepping your business for the certification – we’ve rounded up the 5 key steps you can take to ensure your business is Cyber Essentials-ready.

1. Will your business benefit from being Cyber Essentials certified?

Unless your organisation already has an active cyber security strategy in place, with resources dedicated to maintaining your security, you will certainly benefit from the certification. A single laptop missing a security update can leave your company exposed to significant threats, like the WannaCry ransomware attack. Similarly, ensuring your antivirus and other security technologies are fully deployed and up to date across the whole of your organisation will help detect and identify known threats.

These types of easy-to-fix breaches are avoided by having an effective patch management process that takes into account both risk and priority: ‘Critical’ security patches should be applied immediately, with ‘High’-risk vulnerabilities following, and so on down the severity scale.

Undergoing the certification process will identify your current threats and also prepare your organisation to protect itself against known threats in the future, which is why it’s an excellent idea to be certified – especially for organisations in retail, the financial sector, healthcare, or those who work with the government. In fact, many suppliers now require organisations to be Cyber Essentials-certified.

2. Conduct a vulnerability scan or security assessment

If you haven’t decided to hire an external body to conduct your Cyber Essentials certification (known as Cyber Essentials PLUS) and you’re doing it yourself, you’ll need to conduct a vulnerability scan to assess and report on the state of your network security as part of the certification process.

Vulnerability Scanning

Vulnerability scans use a suite of tools to assess your IT systems by scanning your network infrastructure, identifying any unpatched software updates, incomplete deployment of security software, or open ports.

These scans should be performed both from within your network, internally, and when outside of the network, externally. It’s called a vulnerability scan because the tools scan and identify the open doors – the known vulnerabilities most commonly exploited by hackers.

These scans should be performed quarterly as a minimum for Cyber Essentials compliance, and are required before you are certified. They prepare your organisation’s defences and confirm that you have the correct processes in place for a continued level of protection from known cyber threats and the data loss that follows them.

74% of scans find critical vulnerabilities

Security Audit and Assessment

Assessing the policies, processes and effectiveness of your current security defences is a critical step in understanding the current status of your information security. Security audits and assessments provide a top-level security evaluation, giving you a framework and road map for developing a robust cyber security strategy. It is also an essential step in preparing for General Data Protection Regulation (GDPR) compliance.

When you (or an external body) are conducting a security assessment, you are aiming to understand:

  • the overall state of your security, and your current policies and processes;
  • data access rights, and any ‘at-risk’ data held by or shared with third parties (if external companies have access to your data);
  • any critical threats you are not defended against, and how to defend against an attack;
  • any security technologies that are not being fully or effectively utilised;
  • how you meet your compliance requirements;
  • how you rank and compare against your industry peers in terms of security risk.

Understanding where your vulnerabilities and threats lie will help you get ready to be Cyber Essentials certified.

3. Research the certification to understand its components

External auditing bodies understand the steps to take to get you Cyber Essentials certified, but if you’re doing it yourself, you need to understand the exact steps you need to take and what questions to answer.

You’ll have to demonstrate that you have appropriate:

  • Firewalls, preventing unauthorised access.
  • Secure Configuration, setting up systems securely.
  • User Access Control, restricting access only to those who need it.
  • Malware Protection, using anti-virus software.
  • Patch Management, updating software.
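As an added illustration of the five control areas listed above and the risk-and-priority patching rule from step 1, the following script is not from the original post or from Comtact; it runs a Cyber Essentials-style readiness self-check over a constructed asset inventory. The hosts, patch identifiers and the remediation windows (critical: same day, high: 7 days, medium: 30 days) are all assumptions for illustration; the post itself only says critical patches are applied immediately and high-risk ones next.

```python
"""Cyber Essentials readiness self-check over a constructed asset inventory.

Added example: not part of the original post or any vendor tooling. The
inventory, patch ids and SLA windows below are constructed/assumed.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed remediation windows in days by vendor severity (illustrative only).
PATCH_SLA_DAYS = {"critical": 0, "high": 7, "medium": 30}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# The five Cyber Essentials control areas named in the post.
FIREWALLS = "Firewalls"
SECURE_CONFIG = "Secure Configuration"
ACCESS_CONTROL = "User Access Control"
MALWARE = "Malware Protection"
PATCHING = "Patch Management"


@dataclass
class PendingPatch:
    patch_id: str
    severity: str
    released: date


@dataclass
class Host:
    name: str
    firewall_enabled: bool
    default_credentials: bool
    antivirus_installed: bool
    antivirus_signatures_current: bool
    admin_accounts: set
    everyday_accounts: set
    pending_patches: list = field(default_factory=list)


@dataclass
class Finding:
    control: str
    severity: str
    detail: str


def check_host(host, today):
    """Return the findings for one host, one per control gap (constructed rules)."""
    findings = []
    if not host.firewall_enabled:
        findings.append(Finding(FIREWALLS, "high", f"{host.name}: host firewall disabled"))
    if host.default_credentials:
        findings.append(Finding(SECURE_CONFIG, "high", f"{host.name}: default credentials still in use"))
    # Admin accounts should not double as everyday working accounts.
    shared = host.admin_accounts & host.everyday_accounts
    if shared:
        findings.append(Finding(ACCESS_CONTROL, "medium",
                                f"{host.name}: admin accounts used day-to-day: {sorted(shared)}"))
    if not host.antivirus_installed:
        findings.append(Finding(MALWARE, "high", f"{host.name}: no anti-virus installed"))
    elif not host.antivirus_signatures_current:
        findings.append(Finding(MALWARE, "medium", f"{host.name}: anti-virus signatures out of date"))
    # Risk-and-priority patching: a patch is a finding once it exceeds its window.
    for patch in host.pending_patches:
        window = PATCH_SLA_DAYS.get(patch.severity)
        if window is None:
            continue
        age = (today - patch.released).days
        if age > window:
            findings.append(Finding(PATCHING, patch.severity,
                                    f"{host.name}: {patch.patch_id} ({patch.severity}) "
                                    f"outstanding {age} days, window {window}"))
    return findings


def readiness_report(hosts, today):
    """All findings across the estate, most severe first, so 'Critical' is fixed first."""
    findings = [f for h in hosts for f in check_host(h, today)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.control, f.detail))


def summarise(findings):
    """Findings per control area; zero in every area is the readiness target."""
    counts = {c: 0 for c in (FIREWALLS, SECURE_CONFIG, ACCESS_CONTROL, MALWARE, PATCHING)}
    for f in findings:
        counts[f.control] += 1
    return counts


# Constructed inventory; TODAY is the post's publication date used as "now".
TODAY = date(2017, 1, 11)
INVENTORY = [
    Host("laptop-01", True, False, True, False, {"admin"}, {"alice"},
         [PendingPatch("KB-CRIT-0001", "critical", date(2017, 1, 5))]),
    Host("server-01", True, True, True, True, {"admin"}, {"svc-backup"}),
    Host("desktop-02", False, False, True, True, {"bob"}, {"bob"},
         [PendingPatch("KB-HIGH-0002", "high", date(2017, 1, 8)),
          PendingPatch("KB-MED-0003", "medium", date(2016, 11, 1))]),
]

if __name__ == "__main__":
    report = readiness_report(INVENTORY, TODAY)
    for finding in report:
        print(f"[{finding.severity:8}] {finding.control:20} {finding.detail}")
    print(summarise(report))
```

The per-control counts map directly onto the five questionnaire areas, and the sorted report gives the remediation order the post describes: the overdue critical patch on laptop-01 appears first, the high-risk patch on desktop-02 is still inside its window and so is not yet a finding, while the long-outstanding medium patch is.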

4. Complete the Cyber Essentials questionnaire

Once you’ve prepared and validated all of your processes to ensure your data security is assured, you can complete the Cyber Essentials questionnaire and send it off to a certified body for certification; alternatively, you can have an external auditor come in and conduct Cyber Essentials PLUS certification for you. An external body will run all of the necessary checks and tests, and will advise you on how to meet the requirements of, and maintain, Cyber Essentials compliance.

5. Display your certification badge

Cyber Essentials compliance, and in particular Cyber Essentials PLUS, has now become a recognised badge of confidence. Once you’ve gone through the other four steps to ensure your readiness – and you’ve gained your certification – you can display it proudly. Cyber Essentials certification tells your customers that you take protecting their data seriously.

It is vital that all businesses work to protect not only themselves from data breaches, but also their customers’ data from being exploited – and avoid the significant costs of business disruption, lost time and ransomware payments, as well as the fines associated with GDPR.

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).