A few weeks ago, Ged and Jude took to Teams to go through some of the most common Cyber Essentials questions in our Cyber Essentials Webinar. Having achieved Cyber Essentials Plus ourselves, we know a thing or two about preparing a business for Cyber Essentials. Watch the full webinar to find out what Cyber Essentials is, how it benefits businesses and how to implement it. Alternatively, read the summary of the webinar below.

In simple terms, what is Cyber Essentials?
Cyber Essentials is not a piece of software or a tool, but a government-backed certification scheme based on a set of controls and policies, designed to help organisations demonstrate their commitment to cyber security compliance.
Businesses adhering to the Cyber Essentials requirements can submit for assessment, and if they meet the criteria, they receive certification, which acts as a public signal of their cyber security posture.
IASME is the main partner licensed by the NCSC to set and maintain the standards for Cyber Essentials certification, acting as a bridge between government policy and real-world assessments, and managing the framework and licensing of assessors.
What are the benefits of Cyber Essentials?
There are internal and external benefits of Cyber Essentials, including risk reduction, cost savings, improved reputation, competitive advantage and access to certain markets.
- It helps reduce the likelihood of common cyber attacks such as phishing, malware and ransomware. It ensures secure system configuration and can save money by preventing costly incidents.
- It encourages organisations to train employees in good security habits, including access control, password hygiene, and the use of multi-factor authentication.
- It acts as a mark of credibility and professionalism, can provide a competitive edge in tenders, and is increasingly required for access to government contracts and supply chains. For example, large organisations – such as Sony – require their suppliers to have Cyber Essentials. Avoiding certification can result in being excluded from certain markets.
How do I implement Cyber Essentials?
There are several practicalities to implementing Cyber Essentials, including five technical control areas: firewall configuration, secure device configuration, updates and patching, user access control and malware protection. See the webinar slides for further detail.
The scope of certification must include all devices, users, and cloud services accessing business data, including personal mobile devices if they are used for work purposes.
Is it easy to implement Cyber Essentials?
The difficulty of implementation depends on an organisation's existing IT practices, with some finding it straightforward and others needing significant remediation, especially if they lack dedicated IT staff or have legacy systems.
How long does it take?
Organisations should allow sufficient time for remediation work, which can involve updating or replacing devices, removing unused software, and cleaning up user accounts, as these steps can be time-consuming.
Are there any major challenges?
There can be challenges for organisations with highly customised or legacy software. Occasionally, certain systems must be isolated from the main network to achieve compliance. No case is impossible with the right approach.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is self-certified via a questionnaire, while Cyber Essentials Plus requires an independent assessor to verify compliance through testing.
After achieving Cyber Essentials, organisations have up to three months to complete the Plus assessment without repeating the basic assessment.
How often does Cyber Essentials need renewing and how much is it?
The assessment cost for small to medium businesses is typically around £500-600, but additional costs may arise from remediation work. Certification must be renewed every 12 months. Cyber Essentials certification reflects compliance at a specific point in time, and ongoing vigilance is necessary to maintain security between assessments.
Does Cyber Essentials remove the need for additional cyber security measures?
Cyber Essentials provides essential baseline controls but does not protect against all advanced or targeted threats, insider risks or social engineering.
Cyber Essentials is a baseline standard and needs to be supplemented by additional ongoing security measures, such as the Resolve Cyber Security service, to provide continuous monitoring and protection.
Resolve Cyber Security offers ongoing monitoring of network activity, logins, and suspicious behaviour, supplementing the annual Cyber Essentials assessment.
What do I do if I am interested?
Contact us! There is a low barrier to entry, and scoping, remediation and assessment are straightforward processes.
Call 0114 299 4050 or email hello@resolve.co.uk and ask for Solutions.