What is Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a government-backed scheme launched in 2014 that helps to guard organisations against common online threats and demonstrate their commitment to cybersecurity. Developed alongside the Information Assurance for Small and Medium Enterprises (IASME) and the Information Security Forum (ISF), the scheme aims to encourage organisations to cultivate their cybersecurity systems against the most common forms of cyber attack, as well as to provide clarity on proper cybersecurity practice.

In the Cyber Security Breaches Survey 2020, 46% of businesses and 26% of charities reported experiencing a cybersecurity breach or attack in the last 12 months, and only 50% of businesses say they have carried out an internal or external audit in this time.

The vast majority of cyber attacks are very basic in nature. Essentially, they are the digital equivalent of an opportunistic thief trying a door to see if it’s unlocked. The advice in Cyber Essentials covers the fundamental things an organisation should be practising in order to remain cyber secure.

Operated by the National Cyber Security Centre (NCSC), Cyber Essentials is suitable for all organisations, of any size, in any sector. It is considered the best first step to a more secure network. Holding a Cyber Essentials certificate protects you from 80% of the most basic cyber security breaches and enhances a company’s credentials, as it independently measures whether the company is following IT security measures and best practice.

The Cyber Essentials certification scheme offers two levels of certificate:

Cyber Essentials (CE): the foundation level certification demonstrating that basic controls are in place to mitigate the risk from a wide variety of the most common cyber attacks.

Cyber Essentials Plus (CE+): the highest level of certification involving a more rigorous test on an organisation’s cyber security systems to protect against basic hacking and phishing attacks.

Cyber Essentials Certification

Cyber Essentials (CE) is the most basic level accreditation within the Cyber Essentials scheme and is suited to businesses who require an entry-level security certification to demonstrate that they have the recommended controls in place. 

This level is self-assessed by the organisation and approved by a board-level representative or owner, before being independently verified. This assessment consists of 70 questions split into 8 sections, covering 5 key technical controls:

  1. Firewalls – Firewalls determine who has permission to access your system and prevent those without permission from accessing your networks. A good setup will help to keep external threats from gaining access to your systems.
  2. Secure configuration – Computers and network devices should be configured to only provide the services required, minimising the number of vulnerabilities. This will help to prevent unauthorised actions and minimise the information accessible to internet sites.
  3. User access control – Access to your data and services should be kept to a minimum to prevent hackers from having open access. Accounts with access privileges should only be assigned to authorised individuals, provide only the necessary access, and should be reviewed regularly.
  4. Malware protection – Your business should be protected against malicious software that could gain access to files, steal information, damage data or prevent access until a fee is paid. Having malware protection and virus removal software in place will help to protect information.
  5. Patch management – Cyber attackers often target well-known technical vulnerabilities. Proper patch management should ensure that vulnerabilities in systems are patched and updated as soon as they are identified.

Cyber Essentials Plus Certification

Cyber Essentials Plus (CE+) is the most advanced of the accreditations, best suited to organisations that have employees working remotely or who have third parties with access to IT systems.

This certification includes the same questionnaire as the basic CE accreditation but involves an additional internal scan and on-site assessment. This includes the assessor testing a random sample of company systems, devices, and servers for their security. The assessment follows the steps below:

  • Internal vulnerability assessment
  • External vulnerability assessment
  • User Access Controls test
  • Browser download test
  • Email test

The Cyber Essentials Plus assessment also provides clients with a full report highlighting findings and improvements that need to be made before certification is awarded.

Why become Cyber Essentials certified?

Holding a Cyber Essentials certification indicates that your organisation has taken proactive measures against cyber attacks, demonstrating to customers, prospects and insurers that your data is being held securely. Even if your organisation isn’t legally required to complete the Cyber Essentials certification scheme, there are many other benefits.

With a Cyber Essentials accreditation, you can be assured that data your company holds is protected against 80% of common cyber threats, giving peace of mind. It will also help to assure customers and other organisations in your supply chain that their data is protected, enhancing your reputation as a trustworthy organisation to do business with.

By completing the Cyber Essentials Plus certification process, your cybersecurity will undergo a thorough inspection by a trained specialist, allowing you to gain a clear understanding of how secure your business data is. This knowledge will allow you to plan accordingly and put appropriate measures in place to resolve any previously unknown issues.

Additionally, holding a certification can help to save your business money as cyber insurance agencies look more favourably on organisations with a CE certification. The Cyber Essentials certification costs around £300 a year, while the average cyberattack costs businesses £1,010. With the certification in place, you also benefit from £25,000 cyber breach insurance (if you have a turnover of less than £20 million), or reduced premiums (if your turnover is over £20m).

Cyber Essentials & Government Contracts

From 1 October 2014, Government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials certification scheme. Requirements and exemptions may vary between departments, so it’s important to seek clarification for each contract. However, if you would like to bid for central government contracts, it is advisable to hold Cyber Essentials certification.

Cyber Essentials & GDPR

Although Cyber Essentials certification does not ensure total GDPR compliance, the certification does help organisations to protect sensitive data by ensuring they have implemented adequate security measures. By default, the assessment will lead to improved controls, reducing the impact of potential attacks or breaches, and therefore improving GDPR compliance.

Cyber Essentials certification is completed annually, which will ensure organisations continue to work on their cyber practices, and as a result, their GDPR compliance.

Do I have to have Cyber Essentials before getting Cyber Essentials Plus?

No, you can achieve Cyber Essentials Plus without first obtaining Cyber Essentials. As part of the process of gaining Cyber Essentials Plus certification, your Certification Body will work with you to complete the questionnaire needed for Cyber Essentials and verify compliance.

How to prepare for a Cyber Essentials assessment

If you choose to complete a Cyber Essentials certification, it is important to note that a failure in any one component will result in a fail overall, so preparation is key. Here are some things you can do to prepare:

  • Anti-Malware: Ensure that Anti-Malware software is installed on all devices, including making sure it is appropriately set up. This will protect devices against malicious software by detecting and removing it.
  • Emails: Ensure that potentially dangerous files sent via email are blocked at the gateway or that a clear warning message is displayed. If an attachment is malicious then it should be detected by the Anti-Malware.
  • Downloads: Ensure that potentially dangerous files are blocked at the gateway or that the user receives a warning message. If the file is malicious then it should be detected by the Anti-Malware.
  • Software: Ensure that all software is currently supported; this may include purchasing extended support for some software.
  • Patching: Ensure that all operating systems and software are fully patched and tested.
  • Passwords: Ensure that no one with access to your system is using default or out-of-date passwords. Systems with high-level controls should require Multi-Factor Authentication where possible.

Cyber hackers are becoming more advanced every year, adapting to new hacking measures and overcoming standard controls. The Cyber Security Breaches Survey 2020 reported that the nature of cyber attacks has changed in recent years, with the number of businesses experiencing phishing attacks jumping from 72% in 2017 to 86% in 2020.

No matter the size of your organisation, it is possible to become a target of cyber attack or phishing, making it key to have the right measures in place. Suppliers, third-party vendors and sister organisations are all interconnected, and without the correct measures in place, one breach can spread throughout the whole supply chain.

Peoplesafe is proud to hold a Cyber Essentials Plus certificate, demonstrating that we have the necessary controls in place to protect our own and our customers’ data against cyber-attacks.

To check if your suppliers are Cyber Essentials certified, the NCSC has created a free-to-use certificate search.