July 23, 2021

Overviewing Cyber Essentials

CCL's Ben Strudwick runs through the Cyber Essentials scheme and makes a case for accreditation being part of your cyber security toolkit.

Cybercrime is a pressing issue which causes an unwanted headache for businesses up and down the country. According to the United Kingdom’s publication of the Cyber Security Breaches Survey 2021, “Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months”. Perhaps even more alarmingly, it goes on to say: “Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%)” (Cyber Security Breaches Survey 2021 - GOV.UK (www.gov.uk)). These statistics not only confirm the ongoing challenges companies face in securing their digital presence, but also that the number of medium and large businesses suffering breaches or attacks is steadily increasing year by year.

The reasons behind these statistics vary. However, one key area that should be highlighted is the apparent lack of general security awareness. As businesses continue to compete across a fiercely competitive capitalist economy, cyber security is either overshadowed by the prospect of profit earning, or the cyber budget is overlooked altogether. Many are not aware of the potential risks that inevitably ensue from their online activity. The onus is on security professionals across the sector to lead by example and create a security-first approach to working culture. Emphasising the security basics will go a long way in the effort to reduce cybercrime, making the internet a much safer place to conduct business.

What is Cyber Essentials?

Cyber Essentials is a UK-based scheme which helps to equip businesses with a foundational level of baseline security. It is an official government-backed initiative which is endorsed by a multitude of highly respected cyber security organisations across the United Kingdom – including the Government’s National Cyber Security Centre (NCSC). It is partnered with the IASME Consortium, who rigorously quality check 250 Certification Bodies to deliver the scheme. The scheme addresses five fundamental technical controls which are imperative for companies to protect themselves online. These are:

• Access control;
• Boundary firewalls and internet gateways;
• Malware protection;
• Secure configuration; and
• Patch management.

The assessment is based upon a self-assessment questionnaire which is completed by the applying party. This questionnaire contains a series of questions which relate to the five technical controls, allowing a dedicated Cyber Essentials Assessor to assess the submitted answers. Additional help can also be provided to those less technically-minded, supporting them on challenging areas within the questionnaire – such as establishing scope.

Once the certification has been awarded, the sought-after Cyber Essentials badge is issued to show that the party is Cyber Essentials certified.

Following on from this, a natural progression path is to then pursue Cyber Essentials Plus. Cyber Essentials Plus facilitates a more rigorous assessment, involving real-life testing from a security expert to confirm whether security is aligned with the claims made on the questionnaire previously submitted.

How does Cyber Essentials benefit me?

Cyber Essentials establishes, verifies, and secures boundaries from unwanted online attackers, by ensuring basic security measures have been considered to keep you secure. By assessing the five technical controls across its offering, it is the perfect starting-point for businesses looking to protect their internet-facing assets from the current online threats we face today. To reinforce this point, Lancaster University conducted a qualitative assessment of Cyber Essentials to measure its effectiveness for small to medium-sized enterprises (SMEs).

Figure 1 - Cyber Essentials Aggregated Vulnerability Mitigation Results

It concluded that by having the five technical controls implemented, 69.2% of vulnerabilities were mitigated and 30.1% partially mitigated from the most common cyber-attacks. This leaves 0.7% of vulnerabilities that were not mitigated – which resulted from hard-coded flaws in hardware or software which could not be patched to a secure state. Security is therefore dramatically increased, making Cyber Essentials a sound return on investment for any organisation. Becoming certified in this scheme sends a strong message to affiliated audiences that security has been taken seriously.

Other benefitting factors include:

• Free cyber liability insurance for any UK organisation that certifies its whole organisation and has less than £20m annual turnover (terms apply);
• Commercially advantageous: Customer confidence improves by signalling to them that security has been addressed. This has the potential to accumulate more trade and collaborations;
• Some contracts in tender require that bidding parties must have already obtained Cyber Essentials. Becoming certified opens a gateway of opportunity to compete for new contracts;
• Peace of mind that your defences will protect against the most common cyber attacks; and
• Gives a clear picture of an organisation’s cyber security level.

Who is eligible for Cyber Essentials?

The purpose of Cyber Essentials is to offer a government recognised scheme which offers UK businesses a quick, realistic, and affordable method to implement basic technical controls in the fight against common internet-based threats. It applies to any UK-based organisation, more specifically:

• Any business which resides within the United Kingdom is eligible for Cyber Essentials;
• It does not matter what size company;
• It does not matter how much annual turnover (terms apply for cyber liability insurance);
• Any number of employees;
• It accommodates businesses across a wide-ranging pool of backgrounds; and
• It is not industry specific. Businesses can apply from a diverse portfolio of sectors or marketplaces.

How do I get started?

CCL Solutions Group is recognised by IASME Consortium as a Certification Body. CCL has a cohort of dedicated Cyber Essentials Assessors who are ready to guide you through the process to becoming certified.

If you are a UK business looking to take your first steps on your Cyber Essentials journey, we will be happy to assist you.
