What is Cyber Essentials and How Can it Protect Your Organisation?
June 7, 2022
Cyber Essentials is a government-backed scheme designed to help UK organisations protect against common cyber attacks. Organisations participating in the scheme can prove their cybersecurity credentials and demonstrate their commitment to maintaining safe practices.
IASME manages the Cyber Essentials certification process and licences third parties to conduct assessments. Upon becoming Cyber Essentials certified, organisations are listed on the NCSC’s database and can publish badges on their website to make clients and customers aware.
The Cyber Essentials scheme focuses on five basic IT infrastructure security controls:
Firewalls: Creating a barrier and scanning traffic passing between internal IT networks and the rest of the internet with the help of a network firewall.
Secure Configuration: Ensuring the organisation’s devices and software use secure settings.
User Access Control: Controlling who has access to the organisation’s data and services.
Malware Protection: Implementing appropriate anti-malware software to keep malware away.
Security Update Management: Keeping devices and software up to date to protect against vulnerabilities.
UK cyber security landscape
Cyber attacks continue to break new records. In March this year, the ICO, the UK’s independent data watchdog, sounded the alarm regarding the heightened threat of cyber attacks, urging organisations to remain vigilant. The ICO reports there has been a continual and significant increase in attacks against UK organisations over the last two years.
The government’s cyber security breaches survey published on March 30th, 2022, shows that 39% of UK businesses were the target of a cyber attack in the last 12 months. However, this number likely undercounts the number of attacks, with less cyber-savvy organisations unable to identify and report attacks.
The organisations reporting a material outcome from a cyber attack (loss of data or money) provide an estimate for the average cost of all cybercrime in the last 12 months to be £4,200. For medium and large businesses, this figure rises to £19,400.
Of the 39% of businesses reporting attacks, the most common by far was phishing attempts (83%). 21% of those targeted reported more sophisticated attacks, including:
With the pandemic and working from home complicating IT operations and the increased use of new technologies, such as IoT, cybercriminals have never had it so good.
Organisations now need to protect their data while finding safe ways for employees to access business servers from inherently less secure home WiFi networks. Plus, with new IoT devices connecting to the network, there is just so much more attack surface to protect.
Why your organisation should consider Cyber Essentials
Although cybercrime is constantly evolving, the vast majority of attacks still remain basic in nature. Hackers spam unsophisticated attacks, opportunistically looking for sloppy organisations without adequate protection. Most of these attacks can be easily countered just by implementing relatively simple safeguards and ensuring employees follow best practices.
The Cyber Essentials scheme is a way for organisations to let others know they take cyber security seriously and have proper procedures in place to mitigate the risk. Cyber Essentials allows you to:
Reassure customers they are working with a secure company
Improve your reputation and attract new customers
Cyber Essentials certificates mean clients, vendors, and business partners are more likely to share sensitive information with you. Being able to share data securely can improve operations for both parties.
Another crucial factor to consider is tendering for government contracts, many of which require businesses to be Cyber Essentials certified. This is the case for any contract that involves handling sensitive or personal information. In addition, some Ministry of Defence and local authorities only accept Cyber Essentials Plus certified organisations.
The NCSC commissioned a third party to assess how the Cyber Essentials scheme affects the attitudes of UK businesses. They found:
93% of certified organisations are confident they are protected against common cyber attacks.
Of the certified organisations targeted by a cyberattack, 66% stated Cyber Essentials positively impacted how they responded.
61% of certified organisations are more likely to work with other companies if they also hold a Cyber Essentials certificate.
Cyber Essentials certification levels
Cyber Essentials is the baseline certification level. It allows you to self-assess your security level by answering a questionnaire based on the five main technical controls listed above. This level of certification is suitable for any organisation.
For small businesses, the questionnaire can act as an educational tool to help guide cyber security practices, increase awareness, and ensure protections are in place to guard against common attacks. For many larger businesses, it is likely that the required security controls defined by the Cyber Essentials certificate are already implemented.
To become Cyber Essentials certified, you must cover the assessment costs. The final amount to be paid depends on the size of your business:
0-9 employees: £300 + VAT
10-49 employees: £400 + VAT
50-249 employees: £450 + VAT
250+ employees: £500 + VAT
Cyber Essentials Plus
To become Cyber Essentials Plus certified, you must complete the Cyber Essentials questionnaire. The requirements of the Cyber Essentials Plus certificate are the same as the basic option; the only difference is an independent technical audit proving protections are in place.
With a Cyber Essentials Plus certificate, you can prove appropriate cyber security controls exist, assuring current and future customers as well as opening up the possibility of securing sensitive government contracts.
Cyber Essentials Plus assessment costs vary depending on your company’s size and its operations’ complexity. You can get a quote from an IASME approved Cyber Essentials certification body using their website or by contacting the company directly.
Before applying for Cyber Essentials certification, you can use IASME’s readiness toolkit. After answering a series of questions, you will receive a personalised action plan in order to meet the Cyber Essentials requirements.
Cyber Essentials certificates are only valid for a year, meaning you must re-certify each year to maintain the status. However, the process changes very little from year to year, so if you keep the same technical controls in place, subsequent certifications will take considerably less time.
The self-assessed questionnaire is made up of eight sections and 70 questions. All the questions are freely available to download from the IASME website. You must answer all the questions and have your responses approved (signed declaration of accuracy) by a board-level representative or the business owner.
The questions are related to the five basic security controls (firewalls, secure configuration, user access control, malware protection, and security update management) and reviewed by a qualified assessor.
After paying for your Cyber Essentials assessment (£300 to £500), you will receive login details from IASME for the online assessment platform. You have six months to complete the evaluation.
If you fail the assessment, you have three days to fix any issues and re-apply for certification. If you require help with the Cyber Essentials questionnaire, you can contact one of IASME’s certification bodies for guidance (this will come with additional costs).
Cyber Essentials Plus
IASME manages the Cyber Essentials Plus certification process through certification bodies. Therefore, in order to become certified, you must choose an IASME approved certification body.
As the Cyber Essentials Plus certificate is essentially a third-party verification of the Cyber Essentials certificate, it must be performed simultaneously or after completing the questionnaire described above. The audit needs to be completed within three months of the questionnaire to be valid.
The audit requires an assessor to test a random sample of representative user devices, all internet gateways and all servers where unauthenticated users have access to services. Based on a random sampling of these systems (around 10%), the assessor will determine if further testing is required.
In the past, the audit required the assessor to visit your business’s head office and a sample of other offices to perform testing. Due to the pandemic, the process is currently remote. If you fail the Cyber Essentials Plus audit, you will have 15 days to implement the required changes before re-submission.
With the growing threat of cyber attacks, now is a good time to signal to the rest of the business world that you take protecting your data, systems, and networks seriously. The Cyber Essentials scheme is a great way to ensure you have controls to keep common threats at bay.
About the Author: Arthur Smalley is a science and technology writer based in the UK.