What is Cyber Essentials Certification?

Cyber Essentials logo

Cybercrime is at an all time high, and criminals are only developing more devious and ingenious ways to steal your data. Cyber criminals have way more entry points into your organisation than ever before. The Internet of Things has ushered an unprecedented era of connectivity–along with it creating new and considerable vulnerabilities for businesses.

Keeping your business protected from cyberattacks is no longer just a matter of installing antivirus software on your office computers. There’s an entire web of devices to protect, from mobile phones used by employees to access work remotely to the WiFi-enabled security cameras in your office.

Along with the scope of devices, the radius of risk has also grown. Cybercrime used to be the concern of large firms and organisations. Attacks on small businesses were rare. Today, even your neighbourhood, family-owned corner shop is at risk. Spend on security measures like malware and training has skyrocketed in an effort to catch up to crime. Even micro businesses are allocating an average of £2,200 on cybersecurity.

Yet with all the money being sunk into security, a lot of businesses still don’t feel prepared for attacks. A lack of clear standards and highly technical terminology is enough to leave any business owner perplexed and uncertain.

The Cyber Essentials scheme backed by the UK Government offers to streamline the path to effective and cost-efficient cybersecurity. In this guide we’ll find out more.

What is a Cyber Essentials Certification?

Cyber Essentials is a government backed-programme. A certification in Cyber Essentials means that a business is adequately educated and trained in cybersecurity, and has the appropriate measures in place to keep data secure. The initiative’s objective is to help businesses with limited technical savvy improve their cyber defences. It also helps consumers protect their data by choosing only organisations equipped to keep it safe.

There are two Cyber Essentials badges: Basic and Plus. With Cyber Essentials Basic, an individual answers a test questionnaire, which is then submitted to certification bodies for checking. The Cyber Essentials Plus includes a physical audit of your office against certification requirements by a third-party.

Why should I apply for certification?

Instills trust in consumers

The digital age has turned business transactions into a sort of modern trust fall–albeit one where consumers expect to be let down. Completely proving the trustworthiness of software and computers is virtually impossible, so consumers have no choice but to provide personal data in exchange for a better experience, even though only a quarter of them actually believe businesses can protect them.

Safety can’t be proven line by line of code or component by component of hardware. Instead, businesses can signal competence and a commitment to security with a Cyber Essentials certification. A badge on your site speaks louder than any promise or guarantee.

Arms you with the essentials

Every IT analyst or Chief Security Officer has something to say about cybersecurity. Individuals who want to learn how to protect their business without hiring a budget-breaking IT team can quickly find themselves lost in a sea of guides.

With the aptly named Cyber Essentials scheme, you’ll be tested only for what’s efficient and necessary. The requirements can serve as a guide to help you figure out where you should be funneling your cybersecurity budget. The site itself has a nifty security checklist businesses can go through in preparation for certification.

An effective deterrent for criminals

Roughly half of all cyberattacks in the UK are phishing attempts, according to research firm PwC. This type of crime hinges on social engineering, which means criminals use psychology to trick unaware employees into giving up sensitive information like usernames and passwords.

A badge won’t guarantee iron-clad protection against attacks. However, it can significantly reduce attempted attacks against your systems. Thieves choose easy looking targets. Similarly, the sight of a Cyber Essentials Certification logo on your site can send prospecting crooks looking for easier, more vulnerable targets.

Helps you avoid hefty fines

Under the local Data Protection Act companies can be fined up to £500,000 for security breaches. The EU’s larger General Data Protection Regulation (GDPR) takes an even more massive bite–up to 4 percent of a company’s turnover. To give you a scale of that potential fine, British Airways was fined 1.5 percent of their turnover for their 2018 data breach–roughly £183 million.

A Cyber Essentials Basic certification will cost a business £300. The sum pales in comparison to the fines levied against companies who inadvertently compromise sensitive user data.

Qualifies your business for government contracts

The government is a lucrative client, and not just for large, established enterprises. Billions go to SMBs, partly in an effort to stimulate the economy. Yet to win these profitable contracts, businesses have to get certified. Certification is mandatory for businesses who bid for government jobs–it’s been this way since Cyber Essentials launched in 2014.

Specifically, certification is required for jobs that need you to process or store the personal data of UK citizens or the confidential information of government employees. Businesses and suppliers who want to work with the Ministry of Defence in any capacity need to be certified.

How do I get my business certified?

The process starts with picking a certification body to evaluate your IT systems. Currently there are 5 certification bodies you can approach: APMG, CREST, IASME, IRM security, and QG. However, beginning April 2020 only IASME will be the sole recognised accreditation organisation.

Next, you will be asked to submit evidence that your IT infrastructure meets the security standards set by Cyber Essentials. Finally, you’ll be asked to answer a questionnaire that assesses your knowledge of how to install and maintain your software and systems.

How can I prepare for certification?

Like any standards test, preparing for Cyber Essentials takes time and money. To help you get started, here are a few major tasks or initiatives that you can work on immediately:

  • Cyber Essentials requires you to keep your IT infrastructure up to date, also known as “patching”. One fast and painless method to ensure you stay on top of updates is to set all your devices to update automatically. Constantly check if vendors and developers are still supporting your software and equipment, and upgrade to newer products when necessary.
  • Install a firewall on all your devices that can connect to the Internet. Employee phones and laptops also fall within this scope, particularly if your organisation practices Bring-Your-Own-Device (BYOD). Security controls are generally more difficult to implement a BYOD approach. Yet that doesn’t make certification impossible. Businesses can look into management software that can remotely control or wipe data from connected devices, or password-protected virtual desktops.
  • Learn how to practice the concept of least privilege. Only give employees access to software and data that they absolutely need to get their work done. This may require considerable rewiring for some organisation, but ultimately it will increase your chances of getting certified, as well as improve your general security.

If you need help and advice regarding Cyber Essentials Certification give our IT support team a call at 0117 369 4335 and we’ll discuss your needs and what we can do to empower and help your business.