Everything you need to know about Cyber Essentials
More than 80% of the cyber-attacks on businesses in the UK could have been prevented by implementing some basic security controls. Hence the UK government introduced the Cyber Essentials certification in 2014. It is run by the National Cyber Security Centre (NCSC).
The Scottish Government has introduced a Cyber Essentials Voucher Scheme for SMEs. You can get up to £1000 towards achieving Cyber Essentials certification. Let’s look at what Cyber Essentials is and how you get the voucher.
1. What is Cyber Essentials?
Cyber Essentials is a Government-backed, industry-supported certification run by the National Cyber Security Centre (NCSC). It helps businesses put basic security controls in place to fight the most common cybersecurity threats. By achieving the certification, your business shows its commitment to cyber security.
There are two types of Cyber Essentials (CE) certification: Cyber Essentials Level 1 and Cyber Essentials Plus.
2. Why do you need Cyber Essentials?
By achieving Cyber Essentials, your business shows its commitment to cyber security. Your suppliers, partners and clients feel more confident in sharing data with you. If you are tendering for Government projects you must have Cyber Essentials. Some MoD projects and Local Authorities are asking for a minimum of Cyber Essentials Plus.
3. What is being tested in the process?
Cyber Essentials tests the following 5 areas of your IT infrastructure.
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
4. What type of Cyber Essentials should you go for? What's the difference?
We recommend going for Cyber Essentials Plus, because it involves an onsite visit and testing by the Certification Body, which ensures that you have the required security controls in place. Although it costs more to achieve CE Plus certification, it is absolutely worth it.
Cyber Essentials Level 1 is a straightforward exercise: you answer the questionnaire from the Certification Body, they evaluate your answers and then perform an external scan on your IP address. If all goes well, you will pass and the certificate will be issued.
In layman's terms, Cyber Essentials Level 1 is you saying you have the security controls in place, and Cyber Essentials Plus is the Certification Body testing whether what you said is right.
5. How much does the certification cost?
- The certificate cost for Cyber Essentials Level 1 is around £300 + VAT.
- The certificate cost for Cyber Essentials Plus is around £2,200 + VAT.
The costs are for certificates only. There will be an extra cost depending on your infrastructure and whether you have security controls in place. If you are hiring an expert to help with this, the costs will increase. In most cases, Cyber Essentials certification will cost you more than the standard costs.
6. Do I need Cyber Essentials Level 1 to get Cyber Essentials Plus?
The short answer is no. You can apply for either Cyber Essentials or the Plus. Not both. Cyber Essentials Plus involves going through level 1 where you would do the self-assessment questionnaire then external scan and the onsite visit by the Certification Body. You don’t need to pay for the certification twice.
7. What is the Voucher Scheme and how do you get it?
The Scottish Government has introduced the Cyber Essentials Voucher Scheme to help SMEs achieve the certification. You can claim up to £1,000 towards your certification. How do you do that? Register your interest, and Scottish Enterprise will send you the application form. Choose a provider that can help you with CE or CE Plus, complete the form and send it back. You will then be notified of the outcome. Achieve the certification, pay the invoice and send the evidence to the voucher scheme admins at Scottish Enterprise. You will be paid in one instalment. It’s that simple.
UPDATE on 07 July 2020: The scheme is now put on hold.
8. What are the criteria for Voucher Scheme?
The criteria for claiming the Cyber Essentials voucher are simple. Here they are:
- Your business must employ fewer than 250 people
- Business must be registered in Scotland
- You access the internet to perform business activities
9. Does the certification expire and if so how often do I need to renew and how much does it cost?
Yes. Certification is only valid for a year and needs to be renewed every year to keep the status. The process will be the same again, but not as tedious as the first time, as long as you are keeping up with the security controls that were put in place.
10. Does it work for Macs/Linux? How is the testing carried out?
The way the testing works is that you need to pick one build [in layman's terms, a sample] per group. For example, if you use Mac, Linux, Windows 7 or 10, etc., you will need to pick one per build and they will be tested.
11. How about if we have multiple offices or remote workers?
Any system or user that accesses the company’s data comes under the scope of Cyber Essentials. If you are going for Cyber Essentials Plus then the assessor needs to visit all locations. There might be extra charges for expenses and extra days of work.
12. If we fail, can we try again and how much does it cost?
If you fail, you need to go through it again. The costs will be the same. However, we recommend you work with a Cyber Essentials consultant who makes sure you have the required controls in place, so that you achieve the certification without any hiccups. TechForce is an Approved Cyber Essentials Practitioner and we can help with that [shameless plug]. Unless your infrastructure is really poor and you are not willing to update then chances are you will likely fail. In fact, why go through the exercise when you don’t want to update your systems to be more secure?
13. Why do I need a consultant? And how much do you cost/what money do you save me/value do you add?
The need for a consultant depends on how good your infrastructure is and whether you have internal resources to help. For example, if you are going for Cyber Essentials Level 1, it is a straightforward process for an IT-literate person. You need to know what controls you have in place for the company. If you don’t know, or don’t have the required controls, then you will benefit from having a consultant help you. The whole exercise is to make sure you have security controls in place so that your business is not impacted by the most common cyber threats. A good consultant will keep you right. If you do have an IT department and they need an extra hand, or they don’t know where to start, you will also benefit from a consultant service.
If you are going for Cyber Essentials Plus I would definitely recommend bringing an approved practitioner/assessor onboard. They will help you save time, hassle and make sure you have the controls in place to achieve the certification. They will also help you with the pre-audit scan. It will save you from failing the certification and going through the process again.
Consultancy services for Cyber Essentials Plus usually work on a day rate basis. Each company might have a different day rate but cheap is not always the best.
14. What is the benefit of having Plus?
Cyber Essentials Plus shows that you have proven security controls in place. Part of achieving Cyber Essentials Plus is an assessor from the Certification Body visiting the site, double-checking and testing that the security controls are in place.
A few of the MoD contracts are now asking for Cyber Essentials Plus for the suppliers. Cyber Essentials Level 1 is not enough. We would always recommend going with the Plus.
15. Do I need to buy extra software to go through Cyber Essentials?
You shouldn’t need to. The scanning and testing tools are provided by the hired expert or the assessor as part of the process. However, if you like the software they are using and see the benefits, you can certainly purchase it for the company. It will help you stay on top of the security controls we discussed.