Criminals are using ever more sophisticated digital tools to steal data, hack networks and exploit security vulnerabilities, alongside social engineering attacks that dupe unsuspecting employees into giving away sensitive information. This has led to cyber incidents becoming the number one risk for UK businesses in 2023.
This, of course, hasn’t gone unnoticed. The UK’s cyber security sector showed record levels of investment last year, with revenue generated by cyber security firms rising to £10.1 billion in 2022, showing that businesses are taking action to protect themselves.
But attacks are still getting through, and to properly mitigate these risks, simply having security in place isn’t enough. Businesses must ensure their security infrastructure is fit for purpose and sufficiently robust to withstand attacks and recover from them. They must also have the right talent in place to manage it and their staff must be suitably aware of potential threats. Additionally, they need to make sure that any third parties they are working with are equally secure, to avoid being put at risk by a compromised supply chain.
This is where the government’s Cyber Essentials and Cyber Essentials Plus frameworks come into play.
What are Cyber Essentials and Cyber Essentials Plus?
Both Cyber Essentials and Cyber Essentials Plus are government-backed schemes designed to help businesses protect themselves against cyber-attacks, by assessing and certifying the level of the organisation’s security.
Cyber Essentials provides a basic level of certification that shows the organisation has taken steps to protect itself against the most common cyber threats. This includes things like ensuring firewalls are correctly configured, malware protection is in place, secure password and account policies are applied, and software vulnerabilities are patched promptly. Assessment for Cyber Essentials is by self-assessment questionnaire, which is reviewed by an assessor from a licensed certification body.
Cyber Essentials Plus provides a higher level of certification involving a more in-depth assessment of the security infrastructure. The basic security controls outlined in Cyber Essentials still need to be adhered to, but a certification body's assessor also carries out hands-on technical verification, including vulnerability scans of internet-facing and internal devices and tests of the malware and access controls, to confirm that the organisation's security controls are effective in practice. This is a technical audit against the scheme's controls rather than a full penetration test.
Why do I need Cyber Essentials Certification?
By obtaining Cyber Essentials or Cyber Essentials Plus certification, you are not only protecting yourselves by ensuring your cyber security infrastructure is up to standard, but you are also demonstrating to others that you are working to secure yourself against attacks.
This holds a number of benefits of its own. For existing customers, you can provide them with reassurance that their sensitive data is protected and less likely to fall into the wrong hands, increasing their loyalty to and faith in your business. You also gain a competitive advantage when pitching for new business, or developing partnerships, as more companies become aware of the importance of robust security controls. And for any companies looking to pick up government contracts, Cyber Essentials and Cyber Essentials Plus are often a requirement.
Additionally, as cyber insurance premiums continue to rise and it becomes increasingly difficult to obtain coverage, having Cyber Essentials or Cyber Essentials Plus certification can help to secure insurance and keep costs down.
How do I get Cyber Essentials certification?
Gaining Cyber Essentials or Cyber Essentials Plus certification requires an assessment of your security infrastructure, and these assessments cost money (unless you are a charity or a small legal firm). It is therefore important to ensure you meet the requirements before starting the assessment, so you don’t pay more than once.
The first step is to understand the five technical controls that are going to be assessed and the objectives of each:
Firewalls: The first control is to ensure that all connected devices are protected by a correctly configured boundary or software firewall, an equivalent network device or via data flow policies (for cloud services). This is to ensure that only safe and necessary network services can be accessed from the internet.
Secure configuration: This control requires devices and software to be properly configured, with default and vendor passwords changed, unnecessary accounts and software removed, and only the services needed to fulfil their role enabled, to reduce the level of inherent vulnerabilities.
User access control: Access controls are there to ensure user accounts are assigned only to authorised individuals and provide access to the networks, data and applications required to perform their role. This includes separating administrative accounts from day-to-day accounts, applying a password policy, and using multi-factor authentication wherever it is available, particularly for cloud services.
Malware protection: This requires all devices to be protected against malware, including viruses, worms and other malicious software, stopping harmful code from causing damage or accessing sensitive data.
Security update management: The final control requires all software to be licensed and supported, and kept up to date with the latest security updates. Updates rated critical or high risk must be applied within 14 days of release, so that devices and software are not left exposed to known security issues.
Once you have an understanding of the technical controls that are going to be assessed, you can begin conducting a gap analysis to identify any areas where your organisation may not be meeting the requirements. This will help you to determine any priority areas that need to be fixed prior to the assessment.
You can also conduct your own tests prior to the assessment, either internally or through a trusted third-party, to ensure controls are working effectively. These tests should also identify any areas of weakness or reaffirm your readiness to gain certification.
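As a concrete illustration of the gap analysis described above, the following script (an added example, not part of the original article and not an NCSC or certification-body tool) runs a simplified check of an asset inventory against the five technical controls and groups the findings by control. The inventory format, the asset names and the 14-day patch window check are this example's own simplification of the scheme; a real readiness review covers the full self-assessment questionnaire.

```python
"""Simplified Cyber Essentials readiness gap analysis.

Added example: the Asset fields and sample inventory are constructed for
illustration and cover only a subset of the scheme's requirements.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# The scheme requires critical/high-risk security updates to be applied
# within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

CONTROLS = ("Firewalls", "Secure configuration", "User access control",
            "Malware protection", "Security update management")


@dataclass
class Asset:
    name: str
    kind: str                                   # "laptop", "server" or "cloud" (example categories)
    firewall_enabled: bool                      # boundary/host firewall, or data-flow policy for cloud
    internet_services: Dict[str, bool] = field(default_factory=dict)  # service -> documented business need?
    default_password_changed: bool = True
    unused_software_removed: bool = True
    admin_accounts_separate: bool = True        # day-to-day accounts are not administrators
    mfa_available: bool = False
    mfa_enabled: bool = False
    malware_protection: bool = True
    supported_software: bool = True             # no end-of-life OS or applications
    oldest_missing_critical_patch: Optional[date] = None  # release date of oldest unapplied critical/high update


@dataclass
class Finding:
    control: str
    asset: str
    issue: str


def check_asset(a: Asset, today: date) -> List[Finding]:
    """Return one Finding per requirement the asset fails to meet."""
    f: List[Finding] = []
    # 1. Firewalls: a firewall must exist and every exposed service needs a documented need.
    if not a.firewall_enabled:
        f.append(Finding("Firewalls", a.name, "no firewall or data-flow policy in place"))
    for svc, justified in a.internet_services.items():
        if not justified:
            f.append(Finding("Firewalls", a.name,
                             f"internet-facing service '{svc}' has no documented business need"))
    # 2. Secure configuration: vendor defaults changed, unneeded software removed.
    if not a.default_password_changed:
        f.append(Finding("Secure configuration", a.name, "default/vendor password still in use"))
    if not a.unused_software_removed:
        f.append(Finding("Secure configuration", a.name, "unused software or accounts not removed"))
    # 3. User access control: separate admin accounts, MFA wherever it is available.
    if not a.admin_accounts_separate:
        f.append(Finding("User access control", a.name, "administrative rights used for day-to-day work"))
    if a.mfa_available and not a.mfa_enabled:
        f.append(Finding("User access control", a.name, "MFA available but not enforced"))
    # 4. Malware protection: applies to end-user devices and servers in this simplified model.
    if a.kind != "cloud" and not a.malware_protection:
        f.append(Finding("Malware protection", a.name, "no malware protection installed"))
    # 5. Security update management: supported software, critical patches within 14 days.
    if not a.supported_software:
        f.append(Finding("Security update management", a.name, "unsupported (end-of-life) software present"))
    if a.oldest_missing_critical_patch is not None:
        overdue = today - a.oldest_missing_critical_patch - PATCH_WINDOW
        if overdue > timedelta(0):
            f.append(Finding("Security update management", a.name,
                             f"critical/high update overdue by {overdue.days} day(s)"))
    return f


def gap_report(assets: List[Asset], today: date) -> Dict[str, List[Finding]]:
    """Group findings under the five controls so priorities are visible per control."""
    report: Dict[str, List[Finding]] = {c: [] for c in CONTROLS}
    for a in assets:
        for finding in check_asset(a, today):
            report[finding.control].append(finding)
    return report


def is_ready(report: Dict[str, List[Finding]]) -> bool:
    return not any(report.values())


# Constructed sample inventory and assessment date (not real systems).
SAMPLE_DATE = date(2023, 6, 1)
SAMPLE_INVENTORY = [
    Asset("finance-laptop-01", "laptop", firewall_enabled=True,
          oldest_missing_critical_patch=date(2023, 5, 10)),     # 22 days old: 8 days past the window
    Asset("web-server-01", "server", firewall_enabled=True,
          internet_services={"https": True, "ssh": False},      # ssh exposed with no documented need
          default_password_changed=False),
    Asset("m365-tenant", "cloud", firewall_enabled=True,
          mfa_available=True, mfa_enabled=False),               # cloud service without MFA
]

if __name__ == "__main__":
    rpt = gap_report(SAMPLE_INVENTORY, SAMPLE_DATE)
    for control, findings in rpt.items():
        print(f"{control}: {len(findings)} finding(s)")
        for x in findings:
            print(f"  - {x.asset}: {x.issue}")
    print("ready for assessment" if is_ready(rpt) else "gaps remain")
```

Run against the sample inventory the report lists four gaps across three controls and none under malware protection; an asset that passes every check produces no findings. Extending the `Asset` fields to match the questions on the actual self-assessment questionnaire turns this into a reusable pre-assessment checklist.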
Protected by Cyber Essentials
Cyber threats have become part of our daily lives and, in the same way we lock our office buildings overnight to protect our physical workplace, we need to put the right security measures in place to protect our digital environment. Cyber Essentials and Cyber Essentials Plus provide guidance on the technical controls needed to do this and certify the organisations that have taken these measures.
These schemes grant companies peace of mind that they have suitable security measures in place, as well as demonstrating this to others, extending that peace of mind to customers, partners and employees.
For further information on the 5 technical controls, see the full NCSC document here.
To discuss your cyber security environment with a trusted expert, get in touch with us.