“Cyber Essentials” is a term you hear buzzing around business spaces and techie circles – from LinkedIn, to networking events, and beyond.
But what exactly is Cyber Essentials? What does it involve? How does it help? And should your business seek Cyber Essentials certification?
Here’s our jargon-free lowdown…
What is Cyber Essentials?
Cyber Essentials is a UK Government-backed cyber-preparedness scheme that any British organisation can apply to join. Cyber Essentials certification represents your organisation’s commitment to uphold a specific set of cybersecurity best practices.
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials evidences basic digital security compliance, whereas Cyber Essentials Plus is an amped-up version of the basic scheme that adds “a hands-on technical verification” to confirm your level of cyber defence.
Certification needs to be renewed every year. The basic Cyber Essentials costs £300+VAT every year, whereas Cyber Essentials Plus pricing depends on the size and complexity of your network. The scheme was developed by the British Government alongside industry partners like the Information Security Forum (ISF), Information Assurance for Small and Medium Enterprises (IASME), and British Standards Institution (BSI). It is operated by the National Cyber Security Centre (NCSC) and certification is handled through IASME. The scheme was launched in 2014.
Why get Cyber Essentials?
Though there are many benefits to getting Cyber Essentials certification, they primarily boil down to these five:
- Provides reassurance to clients, prospects, and suppliers – When you become certified, you are allowed to use the Cyber Essentials logo on your outwardly facing collateral including websites, email signatures, flyers, stationery, etc. This provides potential customers and stakeholders with the peace of mind that you are actively committed to keeping your IT systems secure and that you’re unlikely to pass on any malware or other digital nasties.
- Potential competitive boost – Cyber Essentials is a widely known scheme, even if not everyone quite knows the ins and outs. If you are looking for contracts where you will be relied upon to store or process sensitive information, having Cyber Essentials may make you a more attractive prospect compared to competitors without.
- Shines a spotlight on your cyber readiness – The certification process requires intimate knowledge of your internal cybersecurity stack, so the yearly Cyber Essentials application process can be an opportunity to fully reassess your current security measures.
- Mandatory for certain Government contracts – As of 1st October 2014, the UK Government requires suppliers who handle sensitive and personal information to hold a Cyber Essentials certificate. Got a tender in mind? Get your certification sorted before you bid! Different rules apply to those looking to supply the Ministry of Defence.
- Possible reductions to cyber insurance premiums – Sometimes insurers will provide discounted cyber insurance premiums to organisations that have provable cyber readiness measures in place, like Cyber Essentials. If you pay for cyber insurance and you are considering Cyber Essentials, speak with your insurer to see if this will have a (hopefully positive!) effect on your premium.
Who needs Cyber Essentials?
We would recommend that all organisations become Cyber Essentials certified. Certification isn’t limited to any specific company size or structure, so we feel that any organisation that can afford the £300+VAT yearly outlay should go for it.
There is one situation where Cyber Essentials becomes a must: if you want to bid for central governmental contracts – especially ones that handle sensitive information – you will need to be Cyber Essentials certified. The MOD have their own cyber-compliance schemes for contracts, which they explain within the webinar linked here. Additionally, ESFA-funded further education and training organisations who handle sensitive data have been instructed to meet the Cyber Essentials requirements from the 2020/21 academic year onwards.
If you handle any kind of personally identifying information – whether you’re a service-based business with a full CRM or a busy ecommerce store – we would highly recommend that you consider signing up to the scheme. Under UK GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’),” so if you have any data that fits that bill (and you probably do), we’d recommend that you start the process today!
But even for organisations outside of those groups, Cyber Essentials certification is still a good idea. It gives you a set of standards to manage your cybersecurity by and a nice, spiffy badge to show that you’re serious about cybersecurity.
What do I need to achieve Cyber Essentials?
Thankfully, the central provider of Cyber Essentials certificates, IASME, has provided a free Readiness Tool – a short questionnaire that helps you better understand your own digital security position and provides an automated action plan designed to help you meet all of the Cyber Essentials criteria.
What can I do today to keep my organisation safe?
The NCSC have provided a list of five basic technical controls to help you stay secure straight away:
- Use a Firewall: A firewall acts like a defensive wall around a device or network, designed to keep most online threats at bay. The NCSC accurately describe network firewalls as creating a “buffer zone” that allows incoming traffic to be scanned for security before it is allowed into the network proper.
- Choose the Most Secure Settings: Devices and software often come with all of their features switched on so that the user can make the most of them straight out of the gate. Though this provides maximum functionality, it may not provide the best security. So always check a device’s settings before you connect it to your network – switch off features that you don’t need, use passwords for access wherever possible, and protect sensitive logins and apps with multi-factor authentication.
- Adopt Stringent Access Control: Take a look at the levels of access each team member has and restrict their access to only the bare minimum they need for their role. “All-access” administrative privileges should be restricted to the few who truly need them, with others given more restricted access. Access to the organisation’s whole software stack is also often handed out too readily – for example, if someone in your HR department doesn’t need access to your invoicing package, don’t give it to them!
- Protect Yourself Against Malware: The NCSC advises that you familiarise yourself with the concept of malware; learn how it spreads (including through email, dodgy websites, and removable drives); and understand and install antivirus software. It also gives sandboxing an honourable mention (which is just one of many valuable heuristic antivirus measures).
- Keep Everything Up to Date: All software you have installed on your devices needs to be kept up to date – even if you don’t use it that often. Avoid old, unsupported software versions wherever possible as the latest versions will have been updated with the latest security in mind. Whether it’s your operating system, your productivity suite, your antivirus software, or the apps on your work phone, everything that can be updated should be updated. Many software tools allow you to apply updates automatically, so take this route wherever possible.
So, if you’re not doing any of the above, you can drastically improve your IT security readiness by starting today. However, there are a few pointers that the Just Cyber Security boffins would add to this list – they are not part of the NCSC guidance or the Cyber Essentials requirements, but they certainly won’t hurt:
- Keep a log of all of your devices: This one’s especially important for those of us with remote-working policies. When you know what hardware you have, you can see whether those devices are still supported by the manufacturer; what programs are compatible with each of them; check in on update statuses; establish how they connect to the network; and gauge whether a replacement or upgrade is needed.
- Keep a log of all of the software you use: Make a note of all of the software you use, what it does, and how your team accesses it. This should refer to both locally installed programs/apps and web apps that you access through a web browser. When you know what software your team are using, you can take steps to make sure it is kept up to date (and can potentially identify functional overlap to minimise expenditure).
- Note what data is stored where: Whether it’s housed within networked PCs; email servers; general purpose storage servers; or external app or cloud servers, take stock of where all of your business-critical data is housed. That way, if something happens to a cloud app’s servers or a particular machine gets infected, you know what data is potentially at risk.
- Enforce Strong Password Policies & Multi-Factor Authentication: Though the NCSC do touch upon this, it bears repeating. Encourage your staff to change their passwords every 6 to 8 weeks and only allow strong passwords with multiple upper- and lower-case letters; numbers; and special characters. They may find it useful to use a reliable password management tool to keep track of their various logins. If you can implement multi-factor authentication on a login, then do so – no matter how sensitive (or not) the data held within may be.
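As an added example (not from the original post, nor an IASME or NCSC tool), here is a small Python review that runs over a constructed device, software, login and data register and flags the gaps the controls and pointers above describe: hardware out of manufacturer support, stale or manual patching, logins without MFA, and data held on devices missing from the register. The register layout, field names and the 14-day patching window are this example’s own assumptions.

```python
"""Inventory review in the spirit of the controls above. Added example, not
from the original post or any IASME/NCSC tool; all data below is constructed."""
from datetime import date

TODAY = date(2024, 6, 1)       # pinned so results are reproducible
MAX_DAYS_SINCE_UPDATE = 14     # assumed patching window (adjust to your policy)

# Constructed device register: when manufacturer support ends for each device
DEVICES = {
    "laptop-01": {"support_end": date(2026, 1, 1)},
    "laptop-07": {"support_end": date(2023, 10, 31)},  # already out of support
    "nas-01":    {"support_end": date(2025, 3, 1)},
}
# Constructed software register: last update applied, auto-update enabled?
SOFTWARE = {
    "office-suite":  {"last_updated": date(2024, 5, 28), "auto_update": True},
    "invoicing-app": {"last_updated": date(2024, 3, 2),  "auto_update": False},
}
# Constructed login register: who holds admin rights and whether MFA is on
ACCOUNTS = [
    {"user": "alice", "system": "invoicing-app", "admin": True,  "mfa": True},
    {"user": "bob",   "system": "invoicing-app", "admin": True,  "mfa": False},
    {"user": "carol", "system": "crm",           "admin": False, "mfa": False},
]
# Constructed record of where business-critical data lives (dataset -> host)
DATA_STORES = {"customer-records": "nas-01", "payroll": "laptop-09"}


def review(today=TODAY):
    """Return (severity, finding) tuples for everything needing attention."""
    findings = []
    for name, dev in DEVICES.items():             # unsupported hardware
        if dev["support_end"] < today:
            findings.append(("high", f"{name}: manufacturer support ended {dev['support_end']}"))
    for name, sw in SOFTWARE.items():             # stale or manual patching
        age = (today - sw["last_updated"]).days
        if age > MAX_DAYS_SINCE_UPDATE:
            findings.append(("high", f"{name}: last updated {age} days ago"))
        if not sw["auto_update"]:
            findings.append(("low", f"{name}: automatic updates not enabled"))
    for acct in ACCOUNTS:                         # MFA, worst on admin logins
        if not acct["mfa"]:
            tail = " on admin account" if acct["admin"] else ""
            findings.append(("high" if acct["admin"] else "medium",
                             f"{acct['user']}@{acct['system']}: no MFA{tail}"))
    for dataset, host in DATA_STORES.items():     # data on untracked devices
        if host not in DEVICES:
            findings.append(("medium", f"{dataset}: held on untracked device {host}"))
    return findings
```

Calling `review()` on the sample registers yields six findings, three of them high; swapping in your own registers (or loading them from a spreadsheet export) turns this into a quick yearly pre-application check.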
How Just Cyber Security can help you achieve Cyber Essentials
Want to get on the road to Cyber Essentials certification? Just Cyber Security can help you on the way, from a highly competitive £295+VAT!
After gaining an in-depth understanding of your current IT and cybersecurity setup, we will get together (in person or remotely) to fill in the appropriate Cyber Essentials application questionnaire. Our team will then provide expert support throughout the entire certification process.
Remember, Cyber Essentials gives you a robust security framework in line with industry best practices and it provides peace of mind to external stakeholders.