Breaking Down the Cyber Essentials Accreditations
Prioritising cybersecurity has never been more important for businesses. According to the UK government's Cyber Security Breaches Survey 2024, half of businesses (50%) and around a third of charities (32%) reported having experienced some form of cyber security breach or attack in the previous 12 months.
That is truly a staggering statistic, and it shows us exactly why it’s time to invest in robust cybersecurity defences to protect your business against the high prevalence of cybercrime in today’s society.
Without further ado, let’s get stuck into today’s blog post!
Understanding Cyber Essentials: A Comprehensive Guide
What is Cyber Essentials?
The National Cyber Security Centre defines Cyber Essentials as ‘an effective Government backed scheme that will help you protect your organisation, whatever its size, against a wide range of the most common cyber attacks’.
It does more than add a layer of protection against ever-present cybercriminals: it also lets you demonstrate your commitment to cyber security to your customers, employees, and partners.
How exactly does it protect your business, I hear you ask? The Cyber Essentials scheme gives businesses a concrete set of technical controls to implement, ensuring that the cornerstones of business IT are sensibly configured and well-protected. In turn, the certificate shows your clients and partners that you have put a baseline of controls in place against the most common, commodity forms of cybercrime, such as phishing and ransomware attacks.
You can think of it as the digital equivalent of a 'Beware of Dog' sign on your front porch. The sign tells would-be intruders that their attempt may be met with resistance; a Cyber Essentials certificate displayed on your website sends a similar signal. Bear in mind, though, that most commodity attacks are automated and opportunistic and never look at your website: the real deterrent is the set of controls behind the badge, which removes the easy ways in that such attacks rely on.
The UK's Department for Science, Innovation & Technology states that 'a total of 132,094 Cyber Essentials certificates have been awarded since the scheme began', a figure that highlights how seriously UK businesses take cybersecurity.
What Does Cyber Essentials Include?
Cyber Essentials is made up of the following five foundational pillars, which the NCSC calls the five technical controls:
- Firewalls and Internet Gateways: In layman's terms, it's easiest to imagine a firewall as a security guard for your computer or wider network. A firewall inspects incoming and outgoing network traffic and allows or blocks each connection according to a set of rules. Cyber Essentials requires a boundary firewall (or a host-based firewall on devices used on untrusted networks such as home and public Wi-Fi) that blocks unauthenticated inbound connections by default, with its default administrative password changed and every open inbound port documented with a business justification and closed again when no longer needed.
- Secure Configuration: This pillar refers to configuring devices, software, and systems so that they expose as little as possible to an attacker. In practice this means changing default and vendor-supplied passwords before a device goes into service, removing or disabling unnecessary software, services and accounts, disabling auto-run and auto-play, and locking devices after a period of inactivity so an unattended screen cannot be used.
- User Access Control: This is exactly what you'd imagine it to be; it revolves around managing who can do what within a system or network. Cyber Essentials expects every user to have their own account, created through an approval process and removed when no longer needed; administrative accounts to be separate from everyday accounts and used only for administrative tasks; and multi-factor authentication (MFA) to be enabled wherever a cloud service offers it. The Least Privilege Principle and Role-Based Access Control (RBAC) are the usual ways to achieve this.
- Malware Protection: Malware (malicious software) protection means running anti-malware software on every in-scope device, keeping it and its detection signatures up to date in line with the vendor's recommendations, and scanning files on access and web pages as they are visited. Cyber Essentials also accepts application allow-listing (only approved software may run) as an alternative on devices where that is practical.
- Patch Management: Last, but by no means least, we have patch management: keeping software and systems up to date with security patches (updates that fix vulnerabilities in programs or operating systems). Cyber Essentials requires all software to be licensed and supported by its vendor, automatic updates to be turned on where available, patches for vulnerabilities rated critical or high risk to be applied within 14 days of release, and software that is no longer supported to be removed.
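To make the five controls concrete, here is an added Python example (not from the original post, and not a tool Netitude, IASME or the NCSC provide) that encodes the main technical requirements above as checks over a device inventory. The inventory format, field names and the two sample devices are assumptions constructed for the example; the 14-day patch window, the default-deny inbound rule and the justified-open-ports rule are the scheme's own requirements.

```python
from dataclasses import dataclass, field
from datetime import date

# Cyber Essentials requirement: patches for critical/high-risk vulnerabilities
# must be applied within 14 days of release.
PATCH_WINDOW_DAYS = 14

# Date the assessment is run against (assumption for the constructed sample).
ASSESSMENT_DATE = date(2024, 6, 3)


@dataclass
class Device:
    """One row of a hypothetical device inventory. Field names are assumptions."""
    name: str
    os_supported: bool                 # vendor still issues security updates
    firewall_enabled: bool
    inbound_default_deny: bool         # unauthenticated inbound blocked by default
    open_inbound_ports: dict = field(default_factory=dict)  # port -> justification
    default_credentials_changed: bool = True
    autorun_disabled: bool = True
    admin_account_used_for_daily_work: bool = False
    mfa_on_cloud_admin: bool = True
    anti_malware_active: bool = True   # installed, real-time scanning, signatures current
    pending_patches: list = field(default_factory=list)  # (severity, release_date)


def check_device(dev: Device, today: date) -> list:
    """Return a list of findings, one per failed Cyber Essentials requirement."""
    findings = []

    # 1. Firewalls and internet gateways
    if not dev.firewall_enabled:
        findings.append("firewall: host firewall is disabled")
    elif not dev.inbound_default_deny:
        findings.append("firewall: unauthenticated inbound connections are not blocked by default")
    for port, justification in dev.open_inbound_ports.items():
        if not justification:
            findings.append(f"firewall: inbound port {port} is open with no documented justification")

    # 2. Secure configuration
    if not dev.default_credentials_changed:
        findings.append("secure config: default or vendor-supplied credentials still in use")
    if not dev.autorun_disabled:
        findings.append("secure config: auto-run / auto-play is enabled")

    # 3. User access control
    if dev.admin_account_used_for_daily_work:
        findings.append("access control: administrative account used for day-to-day work")
    if not dev.mfa_on_cloud_admin:
        findings.append("access control: MFA not enforced on cloud service administrator accounts")

    # 4. Malware protection
    if not dev.anti_malware_active:
        findings.append("malware protection: no active, up-to-date anti-malware (or allow-listing) in place")

    # 5. Patch management
    if not dev.os_supported:
        findings.append("patching: operating system is out of vendor support")
    for severity, released in dev.pending_patches:
        age = (today - released).days
        if severity in ("critical", "high") and age > PATCH_WINDOW_DAYS:
            findings.append(
                f"patching: {severity} patch released {age} days ago exceeds the "
                f"{PATCH_WINDOW_DAYS}-day window"
            )
    return findings


def assess(inventory: list, today: date) -> dict:
    """Map each device name to its findings; an empty list means the device passes."""
    return {dev.name: check_device(dev, today) for dev in inventory}


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Device(
        name="laptop-01",
        os_supported=True,
        firewall_enabled=True,
        inbound_default_deny=True,
        pending_patches=[("critical", date(2024, 5, 28))],  # 6 days old: inside the window
    ),
    Device(
        name="server-02",
        os_supported=False,
        firewall_enabled=True,
        inbound_default_deny=True,
        open_inbound_ports={443: "public web service", 3389: ""},  # RDP open, no justification
        default_credentials_changed=False,
        admin_account_used_for_daily_work=True,
        pending_patches=[("high", date(2024, 5, 1)), ("low", date(2024, 4, 1))],
    ),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        status = "PASS" if not findings else f"FAIL ({len(findings)} findings)"
        print(f"{name}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run as-is, laptop-01 passes (its critical patch is six days old, inside the window) while server-02 collects five findings: the unjustified open port, unchanged default credentials, an admin account in daily use, an unsupported operating system and a high-risk patch 33 days overdue. The low-severity patch is deliberately ignored, as the 14-day rule applies only to critical and high-risk vulnerabilities.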
Is Cyber Essentials Worth Having?
Now, I'm sure you're thinking at this stage, is a Cyber Essentials certification worth having? Our cybersecurity experts can assure you that it definitely is. As we covered in the introduction to this blog, cybercrime is on the rise, and with each passing year cybercriminals are finding more inventive means of breaching businesses.
Cyber Essentials is the minimum baseline a business can put in place today: the five controls close off the easy ways in that commodity attacks rely on, and the certificate shows customers and partners that you take cybersecurity seriously. A business without those controls in place is exactly the kind of soft target that opportunistic, automated attacks are built to find.
Having a Cyber Essentials certification therefore gives you peace of mind that you have done the minimum required to protect your business, and it is also a condition of certain UK central government contracts that involve handling sensitive information.
Furthermore, businesses must renew the certification annually. The requirements are reviewed periodically by the NCSC and its delivery partner IASME and updated to reflect changes in technology and the threat landscape, so each renewal is assessed against the current version of the requirements.
Cyber Essentials PLUS
What is Cyber Essentials PLUS?
The advanced certification, Cyber Essentials PLUS, builds on the standard certification.
The PLUS iteration can only be attained through an external audit carried out by an assessor from a licensed certification body, who tests the five foundational pillars we covered earlier and gathers evidence that the controls you declared in your self-assessment are actually in place.
Whilst the standard Cyber Essentials certification relies on your own declaration of the controls and processes in place, Cyber Essentials PLUS validates that declaration through hands-on technical testing, so you know your defences work as described and not just on paper.
The assessor will review a sample of your workstations, servers and mobile devices; run an authenticated vulnerability scan on each sampled device to confirm that patches are applied within the 14-day window and that no unsupported software remains; test your email and web filtering by sending test malware samples and attempting to download them, checking that each is blocked or quarantined; check that multi-factor authentication is enforced on your cloud services and that administrative accounts are kept separate from everyday ones; and run an external vulnerability scan against your internet-facing IP addresses and firewalls to confirm that no unexpected services are exposed. This is a vulnerability assessment rather than a full penetration test: the assessor checks for known weaknesses and misconfigurations but does not attempt to exploit them.
All of these tests are designed to show whether your business's controls meet the requirements of a Cyber Essentials PLUS certificate.
Is Cyber Essentials PLUS Worth Having?
The Cyber Essentials PLUS certification is tailor-made for organisations that want independent proof that their controls work, not just a declaration. A successful breach can lead to a whole host of problems, including financial loss, reputational damage and longer-term consequences, as resources and budgets are stretched by the cost of recovering from the attack.
It seems like every month a new corporate behemoth suffers at the hands of cybercriminals. The BBC recently reported that global bank Santander had been hacked, with data on all of its staff and, by the attackers' own claim, some 30 million customers stolen. That story was released the day after the British Broadcasting Corporation (BBC) posted an article stating that 'data was allegedly stolen from 560 million Ticketmaster users'.
It is a scary world that we live in currently with the ever-constant threat of cybercrime looming around every corner. That’s why our cybersecurity experts at Netitude implore you to take the right steps to protect your business, such as completing your Cyber Essentials and Cyber Essentials PLUS certifications.
Answering Common Cyber Essentials FAQs
How Often Should Organisations Revalidate their Cyber Essentials Certifications?
Cyber Essentials certifications must be revalidated annually; a certificate is valid for 12 months from the date of issue. As we know, cybersecurity is an ever-changing beast, affected by the latest technological developments, for better or worse.
Therefore, regular, stringent assessment against the five core Cyber Essentials controls is a must: it keeps your business compliant with security best practice and keeps your organisation in good shape from a cybersecurity standpoint.
Do I need to do the basic Cyber Essentials before going onto Cyber Essentials Plus?
The short answer is yes; you need a current Cyber Essentials certificate before you can be assessed for Cyber Essentials PLUS, and the PLUS audit must be completed within three months of the date of that certificate. If you are ready to go straight for PLUS, the standard self-assessment is completed first as part of the same process, and the PLUS assessment is scoped to match it.
Who are the Cyber Essentials assessments verified by?
When it comes to verifying a company's compliance against Cyber Essentials, there are three stages of verification:
- Self-assessment: To obtain basic Cyber Essentials certification, an organisation answers a questionnaire covering the five controls we mentioned earlier in the blog (firewalls, secure configuration, access control, malware protection and patch management), and a board member or equivalent signs a declaration that the answers are accurate. The answers are then marked by a qualified assessor at a certification body, who may ask for clarification before passing the submission; it is a self-assessment, not self-certification.
- Qualified Assessor: For Cyber Essentials PLUS, an assessor from a licensed certification body (CB) carries out the hands-on audit described above, testing a sample of devices and your internet-facing systems to confirm that the controls declared in the self-assessment are actually in place.
- Certificate Issuance: If the organisation passes, the certification body issues the Cyber Essentials or Cyber Essentials PLUS certificate through IASME, the NCSC's delivery partner for the scheme, and the organisation is added to the public register of certified organisations.
How quickly can I receive a Cyber Essentials certification?
A Cyber Essentials certification can be achieved fairly quickly; it depends mainly on how fast your organisation can bring its systems up to scratch against the five controls. Provided your business already meets all the requirements, completing the self-assessment questionnaire on the web portal takes a couple of hours. An assessor will review your submission and pass or fail you within 2-4 business days; a failed submission can be corrected and resubmitted, so the biggest delays usually come from gaps found at that stage rather than from the assessment itself.
We are not able to give an exact timeframe for a Cyber Essentials PLUS certification, as the process varies considerably case by case, depending on the number of devices in scope and how quickly any findings from the audit can be fixed and retested.
How can Netitude help you achieve a Cyber Essentials certification?
On the whole, achieving a Cyber Essentials accreditation is much more manageable if you have a Managed IT Service Provider (MSP) like Netitude. Our technology experts will be on hand to guide you through the entire process, whether that’s Cyber Essentials or Cyber Essentials PLUS, so you can rest assured that our experienced tech consultants and qualified CREST-accredited cybersecurity partners can provide skilled support throughout the process.
The Netitude Take on Cyber Essentials
Cyber Essentials is a fantastic step to take for small-to-medium-sized businesses (SMEs), as it gives a framework to work towards and helps business owners understand why certain changes need to be made to secure their systems and data.
Everything in the assessment is backed by the National Cyber Security Centre, so you know you’re following expert guidance which is always reviewed and kept up to date.
The Bottom Line on Cyber Essentials
If you're looking to start your Cyber Essentials journey and don't know where to start, Netitude can provide a gap analysis through our own technical audit, which is built around the Cyber Essentials framework.
Please don’t hesitate to contact us if you have any other queries regarding Cyber Essentials or Cyber Essentials PLUS – we look forward to starting your journey towards comprehensive cybersecurity safety.