Cyber Essentials: Everything You Need to Know

What is Cyber Essentials?

Cyber Essentials certification helps you protect your business from the most common cyber-attacks. Hackers will not specifically target your business; they have never heard of you. In fact, they target all businesses, all the time, using clever automated tools that sniff out weaknesses and then infect your computers. They aim a relatively basic attack at a large and random group of businesses.

They mostly target smaller businesses with these attacks because of their lack of investment in security. Hackers see SMEs as easy cases to crack, so they exploit basic weaknesses in software and IT systems. This is where Cyber Essentials comes in: it shows you how to fix those basics and helps you put a good standard of cybersecurity in place.

The scheme is backed by the government and was introduced in response to the growing threat of cyber attacks. It sets out, in a clear and easy-to-understand way, the essential actions a business needs to take to protect itself.

It is also available to all businesses: whether you have just a couple of laptops or hundreds of PCs spread across multiple offices, you will still benefit from the Cyber Essentials scheme.

Increasingly, businesses use it to demonstrate to their clients and investors that they follow effective cybersecurity practices, giving them assurance that the business is safe to deal with. In fact, most government contracts will require you to hold Cyber Essentials certification. However, only 58% have actually assessed themselves against the government’s guidance, which gives your business an opportunity: it provides a huge advantage over your competition, since you can win over clients by reassuring them that you are working to secure your IT against cyber attacks.

There are two levels of certification:

1. Cyber Essentials

A foundation-level certification designed to show that your business has the basic measures in place to mitigate the risk from common cyber threats.

It is a self-assessment questionnaire of 60-odd questions that you complete online and that is then assessed. Most of the questions are a simple ‘yes’ or ‘no’. However, there are opportunities to give more information, and we advise writing a sentence or two, as it helps the Assessor grade you and understand your business.

Because it is an online questionnaire, you can go through it answering ‘yes’ where you can, and either answer ‘no’ or leave blank the questions you cannot yet meet. You can then fix those problems, change the answers to ‘yes’ and get your certification.

It needs to be renewed every 12 months.

2. Cyber Essentials Plus

This is the highest level of certification offered under the Cyber Essentials scheme, and it provides a more thorough test of your business’s cybersecurity. It also includes the self-assessment, but because you fill that out yourself, many people believe it does not hold much value on its own. That is why Cyber Essentials Plus adds an audit by an IT professional, who verifies that what you said in the self-assessment is actually true.

There are 5 basic controls that are tested in the Cyber Essentials scheme:

1 – Firewall and internet gateways

This looks at whether you have robust firewalls on every computer to protect your network and whether they are set up correctly. If you have remote workers, their home routers would also need to be tested.

2 – Secure configuration

Here your servers, computers and phones will be tested. Software is sometimes pre-installed or left on old devices and not maintained properly, which becomes a security risk for your business. This control also looks at the quality of your passwords and makes sure everyone has a unique username and password.

3 – Patching and updates

The software on your devices will be tested. If you are using Windows 7, or even some versions of Windows 10, you will automatically fail because they are no longer supported. All your servers and computers need to be up to date with the latest security patches, and those patches should be installed within 14 days of release.

4 – Access control 

If you have full admin access and you get hacked, the hacker will also have full admin access and can cause much more damage. That is why everyone in your business should use standard user accounts for their everyday tasks, apart from your IT personnel or when you specifically need to complete an admin task. This control also looks at your new starter and leaver process. We often see businesses that still have live accounts for people who left the business months ago. Those people still have access to your IT systems, which poses a huge security risk. A process should therefore be in place setting out how your IT department or company deals with new starters and leavers.
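The patching and access control points above are the two controls that are easiest to check against an inventory before the assessor does. The script below is an added example, not code from the article or from the Cyber Essentials scheme: it runs the 14-day patch window, the unsupported-OS check, the "standard accounts for everyday work" rule and the leaver check over a constructed sample inventory. The field names, the 90-day stale-logon cut-off, the exemption for an "IT" department and every operating system other than Windows 7 in the unsupported set are assumptions made for the example; in practice you would feed it an export from your directory and device-management tooling.

```python
"""Cyber Essentials readiness check over a constructed inventory (example code).

Two of the five controls are checked:
  * Patching and updates: the OS must still be vendor-supported and
    security updates must be installed within 14 days of release.
  * Access control: everyday accounts should not be administrators,
    and accounts belonging to leavers must be disabled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

PATCH_SLA_DAYS = 14        # the 14-day window the scheme requires
STALE_LOGON_DAYS = 90      # assumed cut-off for "left the business months ago"

# Windows 7 is unsupported; the second entry is an assumption for this example
# and would normally come from the vendor's lifecycle data.
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2008 R2"}


@dataclass
class Device:
    name: str
    os: str
    # (update id, vendor release date) for updates not yet installed
    pending_updates: list[tuple[str, date]] = field(default_factory=list)


@dataclass
class Account:
    username: str
    department: str
    is_admin: bool
    enabled: bool
    last_logon: date
    left_on: date | None = None   # assumed to be set by HR when someone leaves


def patching_findings(devices: list[Device], today: date) -> list[str]:
    """Flag unsupported operating systems and updates past the 14-day window."""
    findings = []
    for d in devices:
        if d.os in UNSUPPORTED_OS:
            findings.append(f"{d.name}: {d.os} is no longer supported")
        for update_id, released in d.pending_updates:
            age = (today - released).days
            if age > PATCH_SLA_DAYS:
                findings.append(
                    f"{d.name}: {update_id} released {age} days ago, "
                    f"outside the {PATCH_SLA_DAYS}-day window"
                )
    return findings


def access_findings(accounts: list[Account], today: date) -> list[str]:
    """Flag live leaver accounts, stale accounts and everyday admin use."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                      # already disabled: nothing to report
        if a.left_on is not None and a.left_on <= today:
            findings.append(f"{a.username}: left on {a.left_on} but account still enabled")
        elif (today - a.last_logon).days > STALE_LOGON_DAYS:
            findings.append(f"{a.username}: no logon for {(today - a.last_logon).days} days")
        if a.is_admin and a.department != "IT":
            findings.append(f"{a.username}: admin rights on a non-IT everyday account")
    return findings


# Constructed sample inventory: names, update ids and dates are invented.
TODAY = date(2024, 6, 1)

DEVICES = [
    Device("LAPTOP-01", "Windows 11", [("KB-EXAMPLE-1", date(2024, 5, 28))]),
    Device("LAPTOP-02", "Windows 10", [("KB-EXAMPLE-2", date(2024, 5, 1))]),
    Device("FILESRV", "Windows Server 2008 R2"),
    Device("RECEPTION", "Windows 7", [("KB-EXAMPLE-3", date(2024, 4, 10))]),
]

ACCOUNTS = [
    Account("alice", "Finance", is_admin=False, enabled=True, last_logon=date(2024, 5, 31)),
    Account("bob", "Sales", is_admin=True, enabled=True, last_logon=date(2024, 5, 30)),
    Account("carol", "IT", is_admin=True, enabled=True, last_logon=date(2024, 5, 31)),
    Account("dave", "Marketing", is_admin=False, enabled=True,
            last_logon=date(2024, 1, 15), left_on=date(2024, 2, 1)),
    Account("erin", "Finance", is_admin=False, enabled=False,
            last_logon=date(2023, 12, 1), left_on=date(2023, 12, 1)),
    Account("frank", "Sales", is_admin=False, enabled=True, last_logon=date(2024, 1, 20)),
]


def readiness_report(today: date = TODAY) -> dict[str, list[str]]:
    """Run both checks over the sample inventory, keyed by control name."""
    return {
        "patching": patching_findings(DEVICES, today),
        "access_control": access_findings(ACCOUNTS, today),
    }


if __name__ == "__main__":
    for control, items in readiness_report().items():
        print(f"== {control}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run as a script it prints four patching findings (two unsupported operating systems and two updates older than 14 days) and three access control findings (a leaver whose account is still enabled, an account with no logon for over 90 days, and admin rights on a Sales account). A disabled leaver account and an IT administrator produce no findings, which is the behaviour the control expects.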

 

5 – Malware protection

All devices on your network need robust anti-malware protection, and it must be set up and configured correctly.

We can help you get your Cyber Essentials Certificate
