How to earn Cyber Essentials certification
The UK’s government-backed security standard provides reassurance for you and your customers. Nik Rawlinson explores what’s involved – and how to get it
If your business has any kind of internet connection, it’s at risk. In a recent survey by Deloitte, a full third of executives said their accounting and financial data had been targeted over the past months; in , an incredible three-quarters of organisations polled reported that they’d been the subject of an attempted ransomware attack.
And things are unlikely to get any better any time soon. As AI and machine learning go mainstream, the potential for malicious actors to cause harm is only increasing. Your organisation must be ready to defend itself – and you need to be able to prove it to potential customers and partners. If not, they’ll understandably be hesitant to rely on your services and trust you with their data.
For small businesses, the Cyber Essentials certification programme is a great solution. It’s accredited by the UK government and delivered by the IASME consortium (iasme.co.uk), which became the National Cyber Security Centre’s (NCSC) sole Cyber Essentials Partner in April .
Cyber Essentials provides a clearly defined, widely recognised security framework, which can save you from having to formulate policies and practices from scratch. The guidance is broad and, for the most part, non-prescriptive, so it can apply to a wide range of business types; rather than mandating specific tools and settings, it guides companies through assessing their exposure, identifying possible vulnerabilities and implementing whatever measures are necessary to close them off.
Cyber Essentials certification is a requirement for any organisation bidding for UK government contracts that involve handling certain types of sensitive or personal data. But even if you have no interest in that sort of project, certification demonstrates to your customers, partners, staff and suppliers that you’re taking cyber security seriously. Moreover, should you fall victim to an attack or data breach, your certification will show that you understood the threats and took steps against them, potentially helping minimise your liability and the damage to your reputation.
What does certification mean?
Cyber Essentials certification is an indication that a company recognises its security responsibilities and has implemented at least a minimum level of protection against attacks. To gain certification a business must implement a set of basic technical controls, which protect them – and the data they work with – from online security threats.
However, qualifying isn’t like passing a driving test; it’s not a one-off assessment that then remains valid for decades. Since technology moves quickly, and new types of online threat are appearing all the time, it requires annual re-certification.
Indeed, since Cyber Essentials was introduced in , the criteria for certification have been revised several times. A significant update in early broadened the scope of the programme to include guidance on cloud services, multi-factor authentication, PINs and passwords. Other changes have reflected adjustments to the way day-to-day business is conducted: for example, it now takes in the security implications of remote working and BYOD policies that allow staff members to work on their own devices.
Many of the steps required for certification are simply good business practice, such as backing up data and storing those backups remotely; the guidance even explicitly spells out the need to install and enable antivirus software. As the government points out, “cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked.”
There are five key requirements that organisations must meet in order to gain certification:
Use a firewall to secure your internet connection
Choose the most secure settings for your devices and software
Control who has access to your data and services
Protect yourself from viruses and other malware
Keep your devices and software up to date
These requirements may sound obvious, but it’s worth thinking about what they mean for an organisation of your specific size and structure. Procedures that are suitable for a sole trader working from a laptop will be very different to those appropriate for an enterprise, which may have adopted a cloud-centric workflow to enable data sharing and more efficient working across multiple sites and time zones. Controlling access to data is another area where the appropriate steps may vary enormously from one business to another.
How do you get certified?
There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. The first simply involves auditing your own infrastructure and filling in an online survey. If your responses satisfy the criteria, you qualify for certification – but don’t assume this is a mere box-ticking exercise. An assessor will examine your answers, and you may be told you need to make changes and reapply for certification.
For organisations with nine or fewer employees, each application costs £ plus VAT. This increases in tiers, topping out at £ plus VAT for + employee organisations. Once you’ve paid your fee, the process itself should be quite speedy: the target is for you to receive either certification or feedback within three days of submitting your survey.
You might wonder whether this basic certificate is really worthwhile, since it relies so heavily on self-reporting. However, the process of working through the survey questions can help expose gaps in your protections, or in your awareness of what’s happening on your network. And, as pointed out above, cybercriminals like to look for easy targets: if you genuinely meet the standard Cyber Essentials criteria, a malicious actor’s “unlocked door” test will find the door locked, making it more likely they’ll move on to seek more promising victims.
The rigorous Cyber Essentials Plus certification starts at £ , plus VAT. It includes more detailed guidance, with a broad toolkit organised into three sections, designed to help you prioritise appropriate investment, develop a roadmap for implementing security measures and efficiently demonstrate compliance. The idea is to embed cybersecurity within your business and its culture, help organisations to gather the information they need to understand their existing level of exposure to threat and how it can be mitigated and, finally, to implement necessary changes and plan for potential incidents. To confirm that you’ve met the required standard, an independent assessor tests your systems and judges your level of exposure.
To qualify for Cyber Essentials Plus you also need to complete the standard online Cyber Essentials assessment; if you’ve recently completed Cyber Essentials, you can upgrade to Plus by taking the additional required steps within three months of certification.
Testing your own systems
Whether you’re applying for Cyber Essentials or Cyber Essentials Plus – or if you’re just curious – the NCSC’s “Check your cyber security” site has a trio of online tools to help you gauge the degree to which your current setup leaves you exposed. You’ll find them at tinyurl.com/ check.
The first tool carries out a scan of your IP address and web domain, to see whether you’re hosting any exposed files or databases that an attacker could potentially access. It also checks for remote-access services that could be compromised. If anything untoward is detected, the tool will provide a brief explanation of the risk and suggest some steps for remedying it; for example, the scanner detected an FTP server running on my network, and provided instructions for shutting off external access on a variety of common routers.
The email tester inspects the domain and server you send messages from, to see whether they support encryption in transit and the sender-authentication records that let a receiving server verify that a message really came from your domain. Without those, your own staff and your customers have no reliable way to tell a forged message claiming to come from you apart from a genuine one, which makes phishing easier; the service therefore also checks whether someone could spoof your domain to send out spam or malicious emails that appear to come from you.
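As an added illustration of the spoofing check described above (this is not the NCSC tool’s code and does not come from the original article), the following Python evaluates a domain’s SPF and DMARC TXT records, which I am assuming are the “digital signature technologies” the tester looks at, and lists the settings that would let a third party send mail that appears to come from you. It assumes the records have already been looked up in DNS; the record strings and the `.test` domain names are constructed samples, not real data.

```python
"""Offline assessment of a domain's SPF and DMARC records for spoofing gaps.

Added example, not part of the NCSC tool or the article. The record
strings are constructed samples; in practice you would fetch the TXT
records for <domain> and _dmarc.<domain> and feed them in unchanged.
"""
import re

# Constructed sample records (the domains are reserved .test names, not real)
WEAK_SPF = "v=spf1 include:_spf.mailer.test ip4:203.0.113.10 +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailer.test ip4:203.0.113.10 -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"

# Mechanisms that cost a DNS lookup when the receiver evaluates the record
_LOOKUP_MECH = re.compile(r"[+\-~?]?(include:|a(?![a-z])|mx(?![a-z])|ptr|exists:|redirect=)", re.I)


def parse_spf(txt):
    """Split an SPF record into its mechanisms and the qualifier on 'all'.

    Returns None if txt is not an SPF record. The 'all' qualifier is one of
    '+' (pass everyone), '-' (fail), '~' (softfail) or '?' (neutral); a bare
    'all' means '+'.
    """
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    all_qualifier = None
    for mech in parts[1:]:
        if re.fullmatch(r"[+\-~?]?all", mech, re.I):
            all_qualifier = mech[0] if mech[0] in "+-~?" else "+"
    return {"mechanisms": parts[1:], "all": all_qualifier}


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for chunk in txt.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_email_auth(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means no obvious spoofing gap."""
    findings = []

    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("no SPF record: any host can claim to send for this domain")
    else:
        qualifier = spf["all"]
        if qualifier is None:
            findings.append("SPF has no 'all' term: unlisted senders get an implicit neutral result")
        elif qualifier == "+":
            findings.append("SPF ends in +all: every sender on the internet passes the check")
        elif qualifier == "?":
            findings.append("SPF ends in ?all: neutral, so unlisted senders are not rejected")
        elif qualifier == "~":
            findings.append("SPF ends in ~all: softfail only; rely on DMARC for enforcement")
        lookups = sum(1 for m in spf["mechanisms"] if _LOOKUP_MECH.match(m))
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups; over the limit of 10 the record permerrors")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply when SPF/DKIM fail")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: failures are only reported, so spoofed mail is still delivered")
        pct = int(dmarc.get("pct", "100"))
        if policy != "none" and pct < 100:
            findings.append(f"DMARC pct={pct}: the policy is applied to only {pct}% of failing mail")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: you will never see who is spoofing you")

    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_email_auth(spf, dmarc) or ["no findings"])
```

The weak pair above trips three findings (`+all`, `p=none`, no `rua=`), while the strong pair is clean; `-all` plus `p=reject` is the combination that actually stops a forged message from reaching an inbox, which is the outcome the NCSC tester is reporting on.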
Finally, the browser test simply checks that your current web browser is up to date, to ensure that you’re not vulnerable to any exploits in earlier versions. I found the results of these tests illuminating: although I hadn’t been aware of any issues with my own systems, the tools found open ports and exposed databases on a variety of domains, misconfigured email servers, and a browser that was very slightly out of date (using the Chrome engine, rather than Chrome ).
We’d also recommend working through the Cyber Essentials readiness tool at tinyurl.com/ ready. This asks a series of questions about your organisation, your hardware and software, cloud and server resources, and policies, on the basis of which it draws up a Cyber Essentials readiness action plan. This includes a record of your answers, suggests technologies that can help and, where necessary, provides action points for plugging gaps in your defences. Even if you don’t intend to seek certification, this advice can help make your organisation more secure.
Who can get certified?
In its first ten years of operation, more than , Cyber Essentials certificates have been issued. While many of those were given to big companies, plenty have also gone to small businesses and charities. The government publishes specific cybersecurity advice for sole traders and small businesses wanting to get certified at tinyurl.com/ guidance.
Certification isn’t restricted to companies based or registered in the UK; overseas organisations can also take part in the scheme. You can search for organisations to whom a Cyber Essentials Certificate has been issued in the last months at tinyurl.com/ search.
While many companies may get certified as a confidence-building measure, some will have gone through the process to qualify them to apply for UK government contracts. Note, though, that while Cyber Essentials is a necessity for many government contracts, some departments have additional requirements: the Ministry of Defence, for example, requires certification not only for direct suppliers, but also for organisations further down the supply chain, providing products and services at a second, third or further remove.
Is it right for you?
Not all government contracts require Cyber Essentials certification, so if you’re considering the programme for that reason, talk to the relevant department before starting work as there may be exemptions in place. Bear in mind that these won’t be the same across all areas of government, so guidance from one department may not apply equally to all others.
Even if you don’t need the certificate, you can benefit from the Cyber Essentials principles. We’ve mentioned the free testing tools above, and the programme also comes with extensive publicly available documentation, which can help you harden your defences against malicious actors, or to reduce the vulnerability of your data. From a security standpoint, working through these exercises will give you exactly the same benefits as paying to be certified. At worst, you’ll gain a clearer idea of your current position and can gain guidance on how to improve – the only downside is that you won’t have the certificate to prove it.