Do SMEs need to have a Cyber Essentials certification?


While the responsibility for cyber security lies with individual organisations, the UK Government has taken a leading role in setting the agenda for cyber security for organisations and businesses by introducing a range of schemes and frameworks including the Cyber Essentials certification scheme.

In an increasingly digitally connected world, cyber attacks are part of the new normal.  Most cyber attacks range in variety from the very basic to the highly sophisticated.  However, whilst sophisticated attacks only make up 20% of all cyber attacks, the remainder, almost 80%, of all cyber attacks are basic in nature and typically perpetrated by unskilled cyber criminals.

To ensure your organisation maintains good cyber security practice, the  Cyber Essentials scheme is one of the most useful of cyber security frameworks.   Launched in the UK on 5th June 2014, the Cyber Essentials scheme is in fact a term for the collection of two levels of certifications, namely Cyber Essentials and Cyber Essentials Plus.

Through the implementation of fundamental technical controls identified within the Cyber Essentials framework, the scheme enables organisations to protect themselves.

With small and medium organisations in mind, the Cyber Essentials certification scheme is devised to protect organisations from common security threats, which as stated previously, typically comprise of over 80% of cyber attacks.

Furthermore, the Cyber Essentials scheme has the backing of a number of industry bodies including the Confederation of British Industry (CBI), Federation of Small Businesses (FSB), and a number of insurance organisations.

Here we explain:

The main aim of this scheme is to motivate SMEs to adopt, maintain and adhere to information security best practices as part of their overall organisational strategy, thereby making the United Kingdom an overall more secure place to conduct business.

The UK Government developed the Cyber Essentials scheme in consultation with key organisations for two primary reasons:

  1. The first, to raise awareness, understanding and promote adherence to the fundamental principles of cyber security by organisations across the broad spectrum.
  2. The second, was to show investors, customers and trade partners, that those organisations have undertaken the basic precautions.

However, it should be noted, that scheme only provides a snapshot of how secure an organisation is at the time of certification and not how that organisations may sustain cyber security best practices.

Whilst aimed at SMEs, the scheme is open to organisations of all sizes and operating in all sectors – charities, public & private sector, educational establishments and not-for-profit.

What is the difference between Cyber Essentials and Cyber Essentials plus?

Both levels of certifications are assessed against the same criteria and 5 security controls.  The key difference is in the assessment.

Whilst the Cyber Essentials certification is self-assessed, the Cyber Essentials Plus certification is assessed by a 3rd party (IASME).

As a self-assessed certification, Cyber Essentials provides a basic level of credibility that the controls have been implemented correctly by the certified organisation.

Cyber Essentials Plus on the other hand, requires an on-site security vulnerability assessment by a 3rd party and in most cases, this will be conducted in a single day.

The security vulnerability testing will encompass all firewalls or internet gateways, any servers which provide services directly to unauthenticated Internet-based users and an illustrative sample of user devices which have the ability to connect to the Internet.

This ensures and measures that the 5 security controls are in place and are sufficiently protecting your organisation against cyber threats.

Since Cyber Essentials Plus provides a better understanding of an organisation’s cyber risk level (due to the on-site vulnerability scan), insurance agencies look more favourably at organisation Cyber Essentials Plus certification rather than those organisations which have only self-assessed.

Recertification is required every 12 months to remain compliant with the scheme.

What are the benefits of the Cyber Essentials Scheme for SMEs?

Small and medium organisations can benefit in a number of ways by getting certified against the Cyber Essentials scheme, here are the top six benefits:

1. An opportunity to audit your information Security

The five technical controls – firewalls; secure configuration; control user access; anti-malware and phishing – within the scope of the scheme, once implemented, will help improve your organisation understand its cyber security status.

The self-assessment level certification, requires the organisation to assess their internal security against a prepared questionnaire.  This must then be verified and signed by a senior officer of the organisation.

A ransomware attack or a serious data breach could have a devastating impact on an organisation.  An organisation’s desire to protect itself from such threats will seek to address three main risks – reputational, financial, and legal.

Simply bringing your internal security and associated security policies under this level of scrutiny will, in most cases, will raise cyber security awareness amongst your employees and management and across the organisation.

2. Protect your organisation against common threats

In spite of taking a pro-active approach to security, no information security strategy will be able to stop every cyber attack and data breaches will inevitably occur.  The main purpose of implementing an information security strategy is to put in place the appropriate level of mitigation against the known risks.

A large proportion of attacks seek to exploit weaknesses in IT systems, networks and software.  Typically, it relatively straightforward to protect against such weaknesses and vulnerabilities.

The Cyber Essentials scheme seeks to provide businesses with a solid foundation from which it can reduce its exposure to cyber attacks.

3. Demonstrate your commitment to cyber security to your customers

Due to the depth and breadth of the Cyber Essentials scope, attaining the Cyber Essentials certification demonstrates your organisations commitment to protecting not only your own data but also that of your customers and clients.

Let’s be clear here, achieving the Cyber Essentials certification is no small feat, and since it is backed by the UK Government and its agencies, gaining this certification will increase the reputation of your organisation and business – showing your company is taking pre-emptive steps to decrease the threat from cyber attacks.

This reputational advantage is beneficial for all SMEs, regardless of the industry or sector they operate in.

For example, you may be storing sensitive information (such as HR records or financial information), or hosting and storing commercially sensitive data. Being Cyber Essentials accredited and displaying the Cyber Essentials badge on your website, you are informing your customers, partners and investors that you take the security of your information systems and the integrity of their data sincerely.

This builds trust and gives you a competitive advantage, particularly if competitors do not possess the same accreditation. It also prevents potential customers identifying you as a potential ‘weak link’ in the supply chain.

4.  A foundation for other cyber security standards

GDPR (General Data Protection Regulation 2016/679) was introduced 2018.  Under the terms of GDPR, those organisations who collect and manage personal data are obliged to protect it from misuse and exploitation.

Implementing Cyber Essentials and adhering to the cyber security principles which underpin the Cyber Essentials framework helps you to maintain certain compliance requirements for GDPR.

Similarly, the ISO 27001 Information Security management standard can operate in tandem with Cyber Essentials principals and controls.

Whilst the ISO 27001 Information Security Standard is far more comprehensive, due to its wide-ranging scope for Information security components, Cyber Essentials will help focus on the cyber elements.

5. Bid for Government contracts with Cyber Essentials

Cyber Essentials certification will provide SMEs with new business opportunities as it shows business partners and potential customers that your company operates a secure digital environment.

Organisations seeking to bid for UK Government contracts you will need to be Cyber Essentials certified.  This is now a compulsory requirement for any company wishing to work with the UK Government. Gaining the Cyber Essentials Plus certification will provide SMEs the opportunity to work with the Ministry of Defence (MoD).

To ensure cyber security best practices in its supply chain, the UK Government has announced that until your company achieves Cyber Essentials, you cannot bid for government contracts. In general, such contracts will involve sensitive information to be handled and certain technical services to be provisioned.

6. Reduce cyber insurance premiums

Insurance companies specialising in cyber insurance tend to view SMEs that have attained the Cyber Essentials certification more favourably.

Demonstrating that your business has been successfully assessed against the Cyber Essentials Assurance Framework could make your organisation eligible for free cyber insurance cover, saving your business up to £25,000.

SMEs with an annual turnover of less than £20,000,000 that have achieved self-assessed certification encompassing their organisation to the Cyber Essentials Plus standard, may be awarded coverage of up to £25,000 of damages via Cyber Liability Insurance.

What does Cyber Essentials certification involve?

The Cyber Security Assurance Framework provides five core technical security controls that an organisation needs implement to protect itself against the most common form of cyber attacks originating from the Internet.

These controls are then independently assessed in order to attain the Cyber Essentials accreditation.

1. Update default security settings

Nearly all new software and hardware devices are released with a default security configuration.

This is typically done to ease set-up, functionality and connectivity rather than security.  Leaving devices with their default security settings makes them vulnerable to exploitation, providing opportunities for cyber criminals to gain illicit access to your data.

Consequently, all new device and software must have their security settings changed and updated.

Any device which can either store or access your organisation’s data must be secured by a password.  This is applicable to all user devices too, such as desktops, laptops, tablets and smartphones. Any default passwords must be changed and unnecessary services, functions, and accounts removed.

For critical or privileged accounts, such as those used for administration of IT systems and online banking, two-factor authentication (2FA) should be employed.  You can find out more information in the Guide to password administration.

2. Use a firewall to secure your network

Firewalls protect your corporate network in its entirety, sitting between your organisation’s network and the internet (or other data networks), managing the data and voice (VoIP) traffic flowing in between.

Most small business broadband providers have firewalls bundled within their routers.  However, these tend to have limited functionality and it can be difficult to tailor the configuration to your company’s needs.

If your organisation is serious about Cyber Security, then a dedicated firewall will be mandatory as the Cyber Essentials Certification obliges you to configure your firewall.  This is crucial if your devices connect to public or untrusted Wi-Fi networks.

3. Controlled access to data

Under the Cyber Essentials Certification, organisations must control data access through accounts, limited permissions and access rights to specific roles and individuals.  Administrative level access must only be granted to those individuals who need them.

Access to settings, services and software should only be provided on the basis that they are essential for the fulfilment of a particular role. Extra permissions or privileges should only be granted once the need has been evaluated.

Furthermore, accounts with extra privileges must be restricted based on intended use and not be used to view emails or web browsing.  This will prevent potential damage in the event these accounts are compromised.

As part of best practices, software from trusted official sources should only be used.  It is recommended to only install apps software directly from the manufacturer or vendor, or recommended stores, such as Google Play, as applications are screened for malware.

4. Protect against viruses and malware

Viruses and ransomware are the two most prevailing types of malware.

Ransomware, such as WannaCry, is becoming increasingly prevalent and attempts to force money from organisations by restricting access to their own devices and systems.

Viruses operate by infecting software and systems, replicating itself and perpetuating from one system to the next.  Viruses typically enter an organisation’s IT system through email attachments, removable storage devices, or through devices access malicious websites.

Anti-virus and anti-malware software are usually included with newly released devices. However, it is imperative to ensure that the latest updates are installed as they become available.

Small and medium business can also protect corporate systems through whitelisting. Effectively, a list of applications or software approved for use by employees.  Any non-permitted applications or software is automatically blocked.

5. Ensure all devices kept updated and patched

Vendors and manufactures regularly release updated software patches for their products to fix to recently identified vulnerabilities.

Ensuring that all software and hardware devices is a crucial part of adhering to cyber security best practices.  Setting automatically update all devices and software such as operating systems, apps, and software on laptops, desktops, tablets, and smartphones, will ensure this process is regularly maintained.

When vendors and manufacturers cease support for a certain device or software, it may be time for an upgrade.

How much does Cyber Essentials cost?

An EY Cyber Security survey,  identified that 87% of businesses feel that their cyber security is underfunded.  Furthermore, 77% of organisations were operating with ‘limited cyber security and resilience’ capability, with a significant number (more than 50%) indicating that cyber security does not form part of their business strategy.

Fortunately, the Cyber Essentials accreditation is not prohibitively expensive with the Cyber Essentials self-assessment costing £300.00 + VAT.

However, SMEs venturing into the realm of cyber security for the first time may struggle with implementing some of the controls.  Organisations could engage an external consultant who could help you pinpoint the gaps you need to address to be compliant with the Cyber Essentials scheme, guiding you through the process and proving support for your company in answering all self-assessment questions.  The costs for such will vary, but you can expect to pay int the region of £700 – this will be in addition to the Cyber Essentials self-assessment costs.

The costs for the Cyber Essentials Plus certification are typically more expensive and difficult to gauge upfront as the on-site vulnerability scan will be dependent on the scale and locations of your systems and devices.

The Cyber Essentials Plus includes an on-site vulnerability assessment and authenticated configuration and patch level assessments of a sample of servers and end-user computing environment.

Is Cyber Essentials Certification mandatory for SMEs?

For small and medium businesses seeking to bid for government contracts and all Ministry of Defence contracts, being certified against the Cyber Essentials scheme is mandatory.

For other SMEs and organisations, being Cyber Essentials Certified makes sound business sense, giving you a clear competitive advantage by allowing you to demonstrate to existing and potential clients and customers that you have taken the fundamental steps to achieve cyber security certification and take the security and integrity of their data seriously.

You might also like