Cyber security, and safeguarding valuable and sensitive business data from cyber threats, remain essential priorities for both employees and business owners.

Difference between Cyber Essentials and Cyber Essentials Plus

The cyber threat landscape is expanding, and it’s putting thousands of businesses at risk of a cyberattack.

In the Cyber Security Breaches Survey 2024, the most significant finding related to the frequency of attacks or breaches experienced. Half of UK businesses (50%) and around a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. This is much higher for medium businesses (70%) and large businesses (74%). Despite the growing number of cyberattacks, the proportion of businesses seeking external information or guidance on cyber security has fallen since 2023.

For example, only 12% of small, 43% of medium and 59% of large businesses are aware of the Cyber Essentials scheme.

Cybercrime is ever-evolving, and it’s the responsibility of organisations to ensure they have the right technology and security measures in place to prevent a cyberattack. However, as many SMEs lack the knowledge and resources to manage cyber security effectively in-house, it can be particularly challenging to ensure the right level of protection is in place.

We recommend implementing a multi-layered approach to cyber security as well as utilising Cyber Essentials to increase the effort required for cyber criminals to conduct an attack.


What is Cyber Essentials?

Cyber Essentials is a simple yet effective, practical framework which enables all businesses to mitigate common cyberattacks.

The Government worked with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to assess cyberattacks against businesses. They discovered that implementing basic technical controls could stop or significantly mitigate 70% of cyberattacks. This set of technical controls is what makes up the Cyber Essentials scheme.

The scheme is designed to reduce the effectiveness of web-based cyberattacks against a business. In April 2023, the NCSC and its partner, IASME, updated the technical requirements for Cyber Essentials. These updates will help ensure the scheme continues to help UK organisations protect themselves against cyber threats.


What are the five key Cyber Essential controls?

  • Boundary Firewalls – your outermost barrier to the web
  • Secure Configuration – how difficult it is to get into your systems
  • User Access Control – who has permission to access data and install software, for example
  • Malware Protection – continuous detection of malicious software
  • Patch Management – ensuring there are no flaws in software which can be a way in for the cyber criminal

Each of the above controls serves a purpose in shielding your organisation from a wide range of attacks.

For certification, a business needs to demonstrate that it has these five technical controls implemented and that they are working sufficiently to stop any risk of a breach.


What are the self-assessment questions?

For the Cyber Essentials self-assessed questionnaire, the questions are based around the five key controls:

#1 – Boundary firewalls

  • Have you implemented a business-grade firewall?
  • Have the default passwords it was supplied with been changed?
  • Are all unnecessary ports closed down?

#2 – Secure configuration and network management

  • Are your software packages kept up to date with security fixes?
  • Do you have an account lockout policy to mitigate brute-force attacks?
  • Is auto-run disabled for USB drives and CDs/DVDs?

#3 – User access control

  • Are all users required to use secure passwords?
  • Are administrative accounts used for day-to-day internet browsing and email?
  • Do staff have the correct permissions to do the tasks they need?

#4 – Malware protection

  • How do you protect against malware on your network?
  • Do you use anti-virus software?
  • Is it kept up to date?
  • How often does it scan?
  • Does it scan web pages you visit?

#5 – Patch management

  • Are all systems still supported by a manufacturer who provides security updates?
  • Do all systems have security patches applied in a timely manner?


What is Cyber Essentials Plus?

Cyber Essentials Plus is an enhanced version of Cyber Essentials. It includes all the requirements of Cyber Essentials plus an extra verification step by an external Certification Body. This includes a full audit of the network, a comprehensive vulnerability assessment, and internal and external penetration testing.

These additional steps verify that the Cyber Essentials controls are in place, and ensure that all business locations meet the minimum criteria for each control section and have adequate defences against the threats in scope.

The first test audits the first key control, Boundary Firewalls (Key control #1).

Remote vulnerability assessment

The purpose is to test whether an Internet-based opportunist attacker could break into the Applicant’s systems using typical low-skill methods. We look for open ports on the firewall and assess the security of the services using those ports.

The second tests the requirement for Patch Management (Key control #5).

Check patching via an authenticated vulnerability scan

This identifies missing patches and security updates that leave vulnerabilities within the scope of the scheme which could easily be exploited. Both operating system updates and software updates are tested.

The last three tests focus on Malware Protection (Key control #4), in particular on End User Devices (EUDs).

Check malware protection on End User Devices

This checks that all of the EUDs in scope benefit from at least a basic level of malware protection.

Check effectiveness of EUD defences against malware delivered by email

A test to decide whether EUDs are protected against malware delivered via email attachments. To facilitate this, a selection of safe test files that should be detected as malware is sent to the applicant’s email system.

Check EUD defences against malware delivered through a website

This tests whether EUDs have protection from malware delivered through a website. Similar to the test above, the assessor attempts to download a selection of test files relevant to your particular operating system from the internet.

Testing Criteria

Each test has its own criteria for passing; however, if the Cyber Essentials controls have been implemented successfully, there should be no trouble passing the audit tests for Cyber Essentials Plus.


What is the difference between Cyber Essentials and Cyber Essentials Plus?

There are two levels of certification:

Cyber Essentials is a self-assessment where you, the applicant, need to be able to answer questions that provide evidence you have the five technical controls implemented.

Cyber Essentials Plus is a verified version of the self-assessment; an external assessor tests and therefore proves that the technical controls are in place.

The original comparison table contrasts Cyber Essentials and Cyber Essentials Plus on four points: Questions, Evaluation, Verification and Certification (a pass is required for all Key Controls).


Is it a requirement to have Cyber Essentials for the General Data Protection Regulation?

While it is not a requirement to have a Cyber Essentials certification, it does support businesses in enhancing their cyber security posture and meeting the criteria set out by the GDPR.

The Data Protection Act 2018 (DPA) and Article 32 of the GDPR, which came into effect in May 2018, state that “the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” – thus making it a legal responsibility of a business to ensure that customer data is secure.

The five essential controls implemented under Cyber Essentials go a long way to meeting the criteria set out in the GDPR. The GDPR also states that any third-party organisations, or suppliers, that access or share a business’s data should also implement appropriate controls. The National Cyber Security Centre (NCSC) holds a database of all companies that hold the Cyber Essentials certification, available online, so it is now very easy to identify which suppliers take their data security seriously.

Cyber Essentials certification has also become a fundamental requirement for government contracts. This is to ensure that suppliers have basic cyber defences in place, protecting the integrity and confidentiality of government data.


What are the benefits to being Cyber Essentials Certified?

There are a number of reasons why becoming a Cyber Essentials certified business is a necessary next step. Obtaining a Cyber Essentials certification ultimately reduces the risk of over 70% of cyberattacks and provides credence that your business is taking cyber security and data protection seriously. Additionally, it:

  • Provides eligibility for Government Tenders
  • Reduces insurance premiums
  • Increases efficiency and productivity
  • Establishes trust in your organisation within your industry
  • Provides confidence in your supply chain
  • Ensures compliance with GDPR requirements

If that’s not enough to convince your business, the NCSC found that 93% of certified organisations are confident that they are protected against common cyberattacks. Furthermore, 61% of certified organisations are more likely to work with other companies if they also hold a Cyber Essentials certificate.

Cyber Essentials goes beyond safeguarding your own business data; it ensures the security of the data you hold—whether it’s related to vendors, clients, or staff—protecting everyone involved.

Demonstrating commitment to Cyber Security

Cyber Essentials and Cyber Essentials Plus certification helps SMEs mitigate cyber security risks by providing a robust framework to help businesses implement essential security measures. By achieving this certification, SMEs demonstrate their commitment to protecting sensitive data. This also reduces the likelihood of cyberattacks and enhances trust with clients and partners.

As a fully trained and licensed Certification Body, we’ll help you implement and achieve the Cyber Essentials and Cyber Essentials Plus certifications.

Discover more strategies to improve your IT and cyber security in our blog post titled ‘Strengthening Your IT Resilience in 2024 & Beyond’. Alternatively, feel free to contact us for further assistance in enhancing your security posture through cyber resilience.
