Cyber Essentials checklist: a practical guide for UK businesses 

Aug 29, 2025

Categories: Blog | Cybersecurity | Essential

What is Cyber Essentials and why does it matter?

The Cyber Essentials certification has been established to set the minimum standard of cybersecurity that businesses should reach. It is a Government-backed certification scheme that has two tiers of certification: 

  • Basic – this is the level that is ideal for SMEs. It is usually cheaper and quicker to get certified as it is based on self-assessment 
  • Plus – this level offers stronger assurance for larger businesses and requires independent validation 

The scheme looks at five key areas to help make sure that you have covered the most important aspects of cybersecurity:  

  • Firewalls 
  • Secure configuration 
  • Access control 
  • Malware protection 
  • Patch management 

The government’s Cyber Essentials website highlights the stat that there were 7.7m cyber crimes over the past year. Establishing the Cyber Essentials certification is the government’s way of providing guidance about how to make sure you’re not caught up in that stat for next year. 


Do I really need Cyber Essentials for my business?  

In a word: yes! 

To go back to what the government website says, they believe that Cyber Essentials “can help every organisation – from micro businesses to large corporations.” 

And that’s what we believe at ERGOS as well. If you use data, if your customers use data, or if you could in any way be open to a cyber attack, then Cyber Essentials is something your business should have. 

If you aren’t sure whether it is something you need, then as part of the ERGOS Cybersecurity support, we would work with you to run a gap analysis – where we assess how close you are to the Cyber Essentials requirements and look to create a plan to fix any issues. 


What’s the difference between Cyber Essentials and Cyber Essentials Plus?  

The main difference between the two levels of certification is how they are assessed. The basic Cyber Essentials certification is self-assessed – you complete an online self-assessment questionnaire and answer questions about your level of cybersecurity. 

For the Cyber Essentials Plus certification you must first be certified for Cyber Essentials. The Plus certification doesn’t require additional cybersecurity measures, but is instead based on an external assessment of your security. 

It is this extra level of verification, and the fact that it is external and independent, that provides an additional layer of trust and confidence in your cybersecurity preparedness. This is especially important if you have customers that require you to be Cyber Essentials certified. 


The top 5 reasons for failing Cyber Essentials certification  

Lack of multi-factor authentication (MFA) 

An important requirement for Cyber Essentials is that MFA is used across your organisation. Too often MFA is used on an ad-hoc basis, with certain people not using it, or certain services not requiring it. You should be using MFA on all cloud services and Cyber Essentials requires that you do.  

End of life (EOL) systems  

If you’re running older systems, for example an out-of-date version of Windows or older servers, that haven’t been updated with the latest security features, then you are likely to fail your Cyber Essentials certification. 

User training  

When the vast majority of cyber breaches involve some form of phishing attack – cyber criminals tricking people to reveal passwords or other sensitive information – making sure that your workforce is as educated as possible about the risks is a sensible business approach. It is also a requirement of Cyber Essentials certification. 

Weak antivirus  

Nowadays basic antivirus is no longer strong enough to fully protect you. The Cyber Essentials certification requires your anti-malware to also have network control and web monitoring. Instead of basic antivirus, you should upgrade to Endpoint Detection and Response (EDR).  

Local admin controls  

For many small businesses it makes sense that each user is the local admin of their own device. This makes it far easier and quicker to install new software, for example. However, the Cyber Essentials scheme does not allow this. The reason for that is that an attacker can do more damage if they get access to those same admin rights. 


Cyber Essentials priorities  

There are some basic first steps that you should take if you’re looking to become Cyber Essentials certified. By considering and addressing the points below you will speed up the process of certification.  

Cyber Essentials Basic or Plus 

The first thing you need to decide is whether you want the basic certification or the Cyber Essentials Plus certification. Initially the main difference for you will be cost, but once you achieve Plus certification the additional verification gives your clients, suppliers and partners an extra level of assurance. You will need to decide whether the two balance each other out. 

Gap analysis 

Once you have decided which certification to pursue, the first thing you should do is run a gap analysis. This will tell you where you are in relation to the requirements for Cyber Essentials and help you to create a plan of action to reach that level of certification. Your plan will be specific to the needs of your business, but it is likely to contain some or all of the elements listed below.  

Establish MFA 

Not only is it required for Cyber Essentials verification, but establishing rigorous multi-factor authentication (MFA) policies is also best practice for cybersecurity. 

Staff awareness 

Cyber criminals see people as one of the biggest weaknesses in cybersecurity defences, so make sure that all staff are aware of the risks and of best practice and create a training schedule for them to stay up to date. You will reduce the chances of a phishing attack and increase your ability to become Cyber Essentials certified. 

Update systems 

The most recent programs and systems have the most up-to-date cybersecurity protections built into them. Check that your operating system, antivirus software and any other systems you use are as up-to-date as possible. 
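As an added example (not code from the ERGOS article or from the Cyber Essentials scheme), the read-only PowerShell self-check below covers the endpoint-side points raised under “The top 5 reasons for failing” and “Update systems”: end-of-life operating systems, patch recency, malware protection status, firewall profiles and local administrator membership. MFA and staff training cannot be verified from a single device and are left out. The EOL name pattern, the 30-day patch age and the 7-day signature age are illustrative thresholds chosen for this example, not figures from the scheme, so confirm the current requirements before relying on them. Run it in an elevated PowerShell session on the Windows device being checked.

```powershell
# Added example, not from the ERGOS article or the Cyber Essentials scheme.
# Read-only pre-assessment self-check for one Windows endpoint. It changes nothing;
# it only reports findings you would want to fix before submitting the questionnaire.
# Run in an elevated Windows PowerShell 5.1 or PowerShell 7 session on Windows.
#Requires -RunAsAdministrator

function Invoke-CeEndpointSelfCheck {
    [CmdletBinding()]
    param(
        # Illustrative thresholds (assumptions for this example, not the scheme's figures).
        [int]$PatchAgeLimitDays = 30,
        [int]$SignatureAgeLimitDays = 7
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. End-of-life systems: flag operating systems that are out of vendor support.
    #    The pattern is an assumption kept short for illustration; maintain your own list
    #    from vendor lifecycle pages rather than relying on this one.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -match 'Windows (7|8|8\.1)\b|Server (2008|2012)') {
        $findings.Add("End-of-life operating system in use: $($os.Caption) (build $($os.BuildNumber))")
    }

    # 2. Patch management: date of the most recently installed update.
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    if (-not $lastPatch) {
        $findings.Add('No installed updates reported by Get-HotFix; check Windows Update history manually')
    }
    elseif ((New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days -gt $PatchAgeLimitDays) {
        $findings.Add("Last update installed on $($lastPatch.InstalledOn.ToString('yyyy-MM-dd')), more than $PatchAgeLimitDays days ago")
    }

    # 3. Malware protection: Microsoft Defender status. A third-party EDR product puts
    #    Defender into passive mode, so a finding here means "verify your product", not "fail".
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.RealTimeProtectionEnabled) {
            $findings.Add("Defender real-time protection is disabled (running mode: $($mp.AMRunningMode))")
        }
        if ($mp.AntivirusSignatureAge -gt $SignatureAgeLimitDays) {
            $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
        }
    }
    catch {
        $findings.Add('Microsoft Defender status unavailable; confirm the installed anti-malware product and its coverage')
    }

    # 4. Firewalls: every profile (Domain, Private, Public) should be enabled.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled -eq 'False') {
            $findings.Add("Windows Firewall profile '$($fwProfile.Name)' is disabled")
        }
    }

    # 5. Local admin controls: day-to-day user accounts should not sit in Administrators.
    #    The built-in Administrator account (RID 500) is not reported as a finding;
    #    domain or cloud groups are listed by ObjectClass 'Group' and are also skipped here.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        foreach ($m in $members) {
            if ($m.ObjectClass -eq 'User' -and $m.SID.Value -notlike '*-500') {
                $findings.Add("User account '$($m.Name)' ($($m.PrincipalSource)) is a local administrator")
            }
        }
    }
    catch {
        $findings.Add("Could not enumerate the local Administrators group: $($_.Exception.Message)")
    }

    # The leading comma keeps the list intact instead of unrolling it on return.
    return ,$findings
}

$result = Invoke-CeEndpointSelfCheck
if ($result.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings from the local self-check"
}
else {
    $result | ForEach-Object { Write-Output "$env:COMPUTERNAME FINDING: $_" }
}
```

Each finding maps to one of the five control areas, so the output doubles as a starting list for the gap analysis described above. Run it on a representative sample of devices rather than one, since a single well-configured laptop says nothing about the rest of the estate.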


How ERGOS helps you get certified faster (and with less stress)  

ERGOS is a big supporter of the Cyber Essentials scheme and we always advise clients to go through the process – both for the advantages that certification brings and because it helps to make clients safer from cyber attacks. 

However, we also understand that not every business is able to do this on their own, so we can guide and support them through the process. 

We will always start with a gap analysis to identify the areas of the framework that are not yet aligned with the client’s current environment. We will then work with the client to remediate the environment and provide any additional security measures relevant to their business. 

Finally, we work with an auditor to work through the details and ensure there are no surprises before we submit your application for final assessment and certification. 


FAQs About Cyber Essentials  

Can I get Cyber Essentials certified without an IT team?   

You don’t necessarily need to have an internal IT team, but you will almost certainly need IT support of some sort. The Cyber Essentials scheme is about configuring your IT estate and managing it correctly, which will need a level of expertise and experience.  

What happens if I fail the assessment?  

If you submit your assessment independently to IASME and fail, you get one chance to re-do it. If you fail again, then you forfeit the assessment fee. 

If you work with ERGOS, our process ensures you do not fail. We appraise and remediate your IT environment and also review your assessment before submission. 

How long does it take to get certified?  

The time it takes depends on what is identified in your gap analysis. However, if everything is perfect and very few changes are needed it is possible to achieve certification within two weeks. 

Does Cyber Essentials help with Cyber insurance?  

Some Cyber insurance policies may require you to have Cyber Essentials. You do, however, automatically gain access to free cyber liability insurance (up to £25,000 cover) if your organisation has under £20m annual turnover. This is included at no extra cost and helps protect against the financial impact of a cyber attack — covering expenses such as data recovery, business interruption, and legal costs. 

https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/ 

Do I need Cyber Essentials to bid for contracts?  

Being Cyber Essentials certified demonstrates to your prospects that you adhere to cybersecurity standards. Not all contracts will require it at the moment, but more and more will start to.  

Cyber Essentials is a UK government backed framework, so expect government contracts to ask about it. 

What support does ERGOS offer during the certification process?   

We can support you through the whole process: gap analysis, remediation, assessment, audit and certification.  

How often do I need to renew my Cyber Essentials certification?  

Certification lasts 12 months and the standard is updated every year. 

Can ERGOS help if we’ve failed Cyber Essentials before?  

We can. 

Let ERGOS take the stress out of IT for you

Contact us now to get six months of IT Support for free