Understanding Cyber Essentials Certification

What is Cyber Essentials?

So, we’ve all heard the saying ‘look after the pennies and the pounds will look after themselves’, right? Well, this principle applies to your cyber security posture too. For example, if you take really good care of the basics by ensuring that all your employees have adequate security training, and you create an internal cyber aware culture, then you have already protected your organisation from some of the most common cyber threats, such as phishing and password attacks. A great way to implement these basics is through a Cyber Essentials certification.

We understand that beginning your cyber security journey may be daunting, so Cyber Essentials is a great way to get an understanding of your security posture and the measures your organisation can take to protect your information assets.

Cyber Essentials was introduced by the UK Government and UK Ministry of Defence in 2014, and it was specifically designed to help organisations mitigate 80% of cyber threats by implementing a common standard for protection. The National Cyber Security Centre encourages all organisations that are based in or trading with the UK, to implement the Cyber Essentials scheme.

Upon passing the scheme, organisations receive a Cyber Essentials certification, a listing on the Cyber Essentials database, and may also be entitled to Cyber Insurance. Cyber Essentials can be used either to certify the entire organisation, or it can be focused on a specific business unit provided that there is suitable network segregation.

There are two levels to the Cyber Essentials scheme:

Cyber Essentials Basic

Cyber Essentials Basic requires organisations to answer a series of questions, in the form of a Self-Assessment Questionnaire, covering key aspects of their information security - this helps to gain an understanding of the organisations strengths and identify their weaknesses.

Cyber Essentials Plus

Once the organisation has Cyber Essentials Basic, they are able to apply for Cyber Essentials Plus. This involves a manual assessment of the technical controls and protections put in place within an organisation to secure it against common threats. Coupled with Cyber Essentials Basic, this provides a deeper assurance that corporate data and vital systems are protected.

Please note that the prerequisite for obtaining the Cyber Essentials Plus certification is having achieved Cyber Essentials Basic certification within three months prior.

Importance of cybersecurity in today's digital landscape

Cybersecurity plays a vital role in safeguarding an organisations sensitive information, digital assets, and critical systems from threats in today’s ever growing digital landscape. Failure to implement cybersecurity protections can lead to disruption of business continuity, financial stability, and information security. This is likely to damage the organizational reputation and shatter the trust between the organisation and their clients.

Up until July 2023 the UK has already seen 694 data breaches this year, compromising over 612 million documents. The current prominence of Cyber Essentials is no coincidence since breaches have become equally more frequent and sophisticated – Cyber Essentials is a holistic approach that encompasses the foundational cybersecurity practices that organisations must implement to ensure a robust defence against cyberattacks and to safeguard sensitive information.

Benefits of obtaining Cyber Essentials Certification for UK businesses and employees

• By implementing the technical controls emphasized by the Cyber Essentials framework, your organisation can defend itself against the most common cyber threats whilst being part of the endeavor to make the UK one of the safest places to do business.
• Achieving Cyber Essentials Plus not only demonstrates an enhanced commitment to cyber security but also allows one of our technical auditors to review the implementation of security controls to ensure that they are in place and effective.
• If your customers can see that you as an organisation have taken the steps to ensure an acceptable level of protection and maturity regarding your security, it shows them that you take great care of your data, and they can assume you will take great care of them too!
• When a UK-domiciled organisation with a turnover of under £20m achieves a self-assessed certification covering their whole organisation to either the basic level of Cyber Essentials or the IASME Standard, they are entitled to Cyber Liability Insurance that covers:
• Liability (limit of £25,000).
• Event Management
• Extortion Demands
• Regulatory Demands
• Business Interruption
• Loss of Electronic Data

The next few parts of our mini-series will provide you with further guidance on where to get started with cyber essentials and some top cyber essentials tips.