Cyber Essentials Certification Explained

July 12, 2019

You may have wondered about Cyber Essentials or seen the Cyber Essentials badge on another company’s website – but what is it and is it something you should be looking at?

What is Cyber Essentials?

Cyber Essentials is a UK government-backed, industry-supported scheme that helps organisations confirm they have basic security controls in place to protect themselves against the most common cyberattacks.

The certification process guides companies through a review of their current cyber security and helps them put further controls in place where necessary. Once they can confirm that all the required controls and processes are in place and being used properly, they can achieve Cyber Essentials certification. Note that the basic level is a self-assessment: you answer the questionnaire and the certifying body reviews your answers, but nobody independently tests your systems at this level.

By gaining Cyber Essentials certification, you will know that you are reducing the likelihood of a successful cyberattack on your own business, and you will be able to show your cyber security credentials to customers, partners and suppliers.

Why do companies need Cyber Essentials certification?

1.   Protecting your business

The latest government figures show that, of the organisations surveyed, 32% of businesses and 22% of charities identified cyber breaches or attacks in the previous 12 months.*

  • Among the businesses reporting breaches or attacks, 30% suffered a negative outcome such as a loss of data or assets, at an average cost to the business of £4,180.
  • Among the charities reporting breaches or attacks, 21% suffered a loss of data or assets, at an average cost to the charity of £9,470.

According to UK government guidance, up to 80% of common cyberattacks could be prevented if companies put a small number of simple controls in place, and those controls are exactly what Cyber Essentials checks for.

So the question is, can you afford NOT to gain Cyber Essentials Certification?

2.   Demonstrating your competence to others

Holding Cyber Essentials certification demonstrates to other businesses that their information and data is likely to be safer with you than with a company which does not have it, which can give you a competitive advantage when tendering for work.

It is particularly important if you are bidding for public sector work: Cyber Essentials certification is a requirement for companies who wish to bid for new central government contracts that involve handling personal information or certain other sensitive data.

How to go about getting certified

The process of getting certified is relatively simple in principle: basic certification rests on completing and submitting a detailed self-assessment questionnaire about your controls. In practice, however, the questionnaire is long and technical, and answering it accurately requires a good understanding of your own estate.

We can take the time and stress out of this by managing the entire process for you. We complete the questionnaire with you, identify the areas where you fall short of the requirements, and advise and assist until your processes and controls are where they need to be. Once everything is in place, we submit the questionnaire on your behalf.

We partner with a specialist (CREST certified) security company which is a Cyber Essentials certifying body. If a submitted questionnaire fails assessment, they advise us on the measures required to address any problem areas before we re-submit it, at no extra cost to you.

Why partner with a third-party security company?

It is important that any cyber security measures you put in place are tested rigorously, using a layered approach, to give you the best possible chance of keeping your business safe. By working closely with a third-party specialist we can advise you on best practice and improve the chances of your application for certification being accepted. Above all, we use a third party because there is no benefit in us marking our own homework.

Does Cyber Essentials certification guarantee a company won’t get breached?

The simple answer is no, but it will certainly reduce your risk. For most companies Cyber Essentials is a way of making sure they are getting the basics right, and getting the basics right will in itself protect you against a high proportion of the opportunistic, commodity attacks that account for most breaches. It does not address targeted attacks, insider misuse or weaknesses in bespoke applications, which is why the additional measures below exist.

If you wanted to be more certain, there are additional measures we can help with including:

  • Gaining Cyber Essentials Plus certification, which adds to the basic self-assessment an independent audit and hands-on technical testing of your internal systems by the certifying body, focusing on the following key areas:
    • Secure configuration
    • Access control
    • Malware protection
    • Patch management
  • Penetration testing, where we partner with a third party to carry out an authorised, simulated cyberattack on your IT systems in order to evaluate their security. We then report the results back to you, telling you where the vulnerabilities lie and advising you how to fix them. This is part of the layered approach to cyber security: it does not stop attackers from trying, but it reduces the chance that an attack succeeds.