Cyber Essentials Certification: Everything You Need to Know
Cyber security has become a hotly debated topic in recent years, with its prevalence and prominence only continuing to grow. Cyber crime is on the rise, and the ramifications of a successful cyber attack can be devastating for businesses. Not only are organisations impacted financially, but their reputation could be damaged, they could find themselves in hot water regarding compliance and many businesses never manage to fully recover.
It is therefore essential that cyber security is a top priority for organisations of all sizes, and the Cyber Essentials scheme has been introduced to ensure that it is. There are a number of reasons why an organisation may choose to complete the Cyber Essentials certification, such as:
- Demonstrating security to existing or potential customers
- New opportunities for your organisation
- Saving on costs
- Avoiding your organisation becoming a victim of avoidable attacks
- And many, many more...
What is Cyber Essentials?
Cyber Essentials is a scheme launched in 2014 that sets out the baseline standard for basic cyber security in businesses. The Government consulted and worked with industry organisations to come up with what we now know as the Cyber Essentials accreditation. As organisations face a significant risk of cyber attack, now more than ever it is essential that you are doing everything in your power to protect your organisation.
In order to bolster your cyber security posture in accordance with a government-backed scheme, you must complete a Cyber Essentials questionnaire. This looks at five integral components of cyber security and assesses whether there are areas that need further attention, investment or support.
There are two versions of the scheme, Cyber Essentials basic and Cyber Essentials PLUS, and it is down to you to decide which is the better fit for your organisation.
Cyber Essentials Vs Cyber Essentials PLUS
Cyber Essentials comes in two levels of certification:
Cyber Essentials – an independently verified self-assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.
This level comprises eight sections and 70 questions, all of which must be answered. Before you submit your questionnaire answers, however, they must first be approved by a Board-level representative, the business owner or somebody of an equivalent level, who declares that all answers provided are accurate and correct.
This level is appropriate for organisations of all sizes, and many micro or small businesses have reported that preparing for the questionnaire was a great learning experience, leading to a heightened awareness of cyber security and even a change in behaviour.
Many larger organisations will already be deploying a range of the security controls listed in Cyber Essentials, but may be looking to showcase their commitment to strengthened cyber security to reassure existing customers, or perhaps attract new clients, as Cyber Essentials is a Government-approved scheme.
Cyber Essentials PLUS – a higher level of assurance. An independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.
The assessor will typically test roughly 10% of your systems, but may choose to conduct further testing if necessary. The test examines the resilience of your devices, internet gateways and servers against hacking and phishing attacks.
In order to qualify for Cyber Essentials PLUS, you must complete the Cyber Essentials questionnaire; however, the two can be completed simultaneously. If you have already completed the Cyber Essentials questionnaire, you are required to undertake the Cyber Essentials PLUS audit within three months.
What’s Involved in Cyber Essentials Training?
So, what are the five controls that Cyber Essentials tests in your business?
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Across these five areas, 64 questions are asked to check whether you meet the required standard. Together, these controls mitigate over 99% of the most common, unskilled cyber attacks that businesses fall victim to every day.
Cyber Essentials has become the minimum standard required for working with some central government departments. This requirement is pushed down the supply chain, and it is widely expected to be required across government departments and local government over time.
Let’s take each of those five controls and give some examples of what is expected:
Boundary firewalls and internet gateways
This area checks that only safe and necessary internet traffic is allowed through, by means of correct firewall configuration, and that the firewall configuration itself is protected with strong credentials and restricted to only those who require access.
Secure Configuration
The secure configuration checks are there to reduce the number of vulnerabilities present in systems by default, and to ensure that machines and services run with the minimum level of security appropriate for the role being fulfilled. Examples of this would be removing administrative privileges from employees and changing all default passwords to secure ones.
Access Control
This area looks at user accounts and makes sure they are assigned to authorised individuals only, and that they provide access to only those applications, computers and networks actually required for the user to perform their role.
Malware Protection
This is the one that’s always in the news at the moment. This area confirms that you have adequate security to stop known malware from running and to prevent harmful code from causing damage or accessing data. It is the area that most people concentrate on when protecting themselves, but without the other controls within the Cyber Essentials standard it is not effective on its own.
Patch Management
Patch management is the process by which you ensure that devices and software are not vulnerable to known security issues for which fixes are available. Software vendors regularly release fixes and patches for vulnerabilities, and the standard requires that these are installed in a timely manner.
As you can see, the five areas cover all the basics, but they are basic areas that most SMEs do not control within their businesses. Where they do cover some of them, it is rare that a small business does them all, and to a good standard.
How Southern IT Can Help You Get Started with Cyber Essentials Certification
At Southern IT, we have a wealth of experience in helping organisations of all sizes attain their Cyber Essentials certification. Whether you are hoping to strengthen your cyber security posture, or to reassure customers that you are cyber security conscious through a government-backed scheme, we are here to help!
To gain a greater understanding of Cyber Essentials, and to discover what you need to do to prepare for it, check out our Cyber Essentials Readiness Tool today. You can also find more information on why you should become Cyber Essentials certified by downloading our Cyber Essentials eBook.