Why you need Cyber Essentials
Cyber Essentials is a government-backed, industry-supported certification for businesses, run by the National Cyber Security Centre (NCSC). Cyber Essentials helps you guard against the most common cyber threats and demonstrate your commitment to cyber security. The stats show that more than 80% of successful cyber attacks could have been prevented with basic security controls in place. Cyber Essentials will help you with exactly that.
The scheme provides an accessible way for companies and organisations of all sizes to demonstrate their commitment to cybersecurity through a recognised and government-backed standard.
What is involved in achieving Cyber Essentials Certification?
There are two types of certification: Cyber Essentials and Cyber Essentials Plus. Both start with a questionnaire, and the following areas are assessed at both levels.
1. Firewall Security
A firewall should be in place between the Internet and your organisation’s internal network. This firewall should be securely configured and be reviewed regularly.
2. Secure Configuration
Devices and software should be configured securely to prevent them from being compromised by a malicious user or malware. Default passwords should be changed, and all passwords should be suitably complex to prevent them from being guessed. All unnecessary software should be removed from end-user devices.
3. User Access Control
Access to your organisation’s data should be controlled through correctly assigned user accounts. Administration privileges should be tightly controlled, and administrative rights should only be granted to users who have a genuine, business need for this level of access.
4. Malware Protection
A robust anti-malware solution should be in place to prevent servers and end-user devices from being infected with malicious software. Cyber Essentials allows this to be achieved through conventional anti-virus software, application whitelisting, or by running applications in “sandboxed” environments.
5. Patch Management
All security updates and patches should be applied to devices and installed software. This ensures that security vulnerabilities are fixed and reduces the likelihood of devices and applications being compromised by a malicious user or malware.
Cyber Essentials Certification
Cyber Essentials Level 1 is a self-assessment certification that combines the security questionnaire with an external vulnerability scan of your organisation’s Internet-facing systems. There is no onsite visit for Level 1.
Cyber Essentials Plus Certification
Cyber Essentials Plus combines the self-assessment security questionnaire and an external vulnerability scan of Internet-facing systems with authenticated vulnerability scans of your internal workstations and mobile devices. We will review the self-assessment questionnaire and external vulnerability assessment results, then arrange an onsite visit to test your internal workstations and mobile devices. If all elements of testing pass, you will be issued a Cyber Essentials Plus certificate and can use the certified badge.
Why do you need TechForce?
TheTechForce is an Approved Cyber Essentials Practitioner (ACE Practitioner). We are approved consultants to help your business go through the Certification process and achieve your goals.
We can take you through the whole process: from filling in your application for the Scottish Enterprise grant (for eligible businesses), to helping you understand and implement the cyber security requirements, through to filling in the answers for your Cyber Essentials application.
TheTechForce will conduct the Cyber Essentials gap analysis and help you implement the missing controls. We will make sure your systems are configured properly before you go through the certification. After all, the whole point of Cyber Essentials is to identify the fundamental security controls that organisations should have in place to secure themselves against common cyber threats.
What you need to know about Cyber Essentials
Here is a quick guide to everything you need to know about Cyber Essentials.
What is Cyber Essentials?
Cyber Essentials is a government-backed, industry-supported certification run by the National Cyber Security Centre (NCSC). It helps businesses put basic security controls in place to defend against the most common cyber security threats. By achieving the certification, your business shows its commitment to cyber security.
There are two types of Cyber Essentials (CE) certification: Cyber Essentials Level 1 and Cyber Essentials Plus.
Why do you need Cyber Essentials?
By achieving Cyber Essentials, your business shows its commitment to cyber security, and your suppliers, partners and clients feel more confident sharing data with you. If you are tendering for Government projects you must have Cyber Essentials. Some MoD projects and Local Authorities ask for a minimum of Cyber Essentials Plus.
What is being tested in the process?
Cyber Essentials tests the following 5 areas of your IT infrastructure.
- Firewall Security
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
What type of Cyber Essentials should you go for? What's the difference?
We would recommend going for Cyber Essentials Plus, because it involves an onsite visit and testing by the Certification Body, which ensures that you have the required security controls in place. Although it costs more to achieve CE Plus certification, it is absolutely worth it.
Cyber Essentials Level 1 is a straightforward exercise: you answer the questionnaire from the Certification Body, they evaluate your answers and then perform an external scan of your IP address. If all goes well you will pass and a certificate will be issued.
In layman’s terms, Cyber Essentials Level 1 is you saying you have the security controls in place, and Cyber Essentials Plus is the Certification Body testing whether what you said is right.
How much does the certification cost?
- The certificate cost for Cyber Essentials Level 1 is around £300 + VAT.
- The certificate cost for Cyber Essentials Plus is around £1550 + VAT.
These costs are for the certificates only. There will be extra costs depending on your infrastructure and whether you already have security controls in place, and if you hire an expert to help, costs will increase. In most cases, Cyber Essentials will cost you more.
Do I need Cyber Essentials Level 1 to get Cyber Essentials Plus?
The short answer is no. You can apply for either Cyber Essentials or Cyber Essentials Plus, not both. Cyber Essentials Plus includes the Level 1 steps (the self-assessment questionnaire and external scan) followed by the onsite visit from the Certification Body, so you don’t need to pay for the certification twice.
What is the Voucher Scheme and how do you get it?
The Scottish Government has introduced the Cyber Essentials Voucher Scheme to help SMEs achieve the certification. You can claim up to £1,000 towards your certification. How do you do that? Register your interest here, choose a provider that can help you with CE or CE Plus, achieve the certification, pay the invoice and send it to the voucher scheme admins at Scottish Enterprise. It’s that simple.
What are the criteria for Voucher Scheme?
The criteria for claiming the Cyber Essentials Voucher are simple:
- Your business must employ fewer than 250 people
- Your business must be registered in Scotland
- You access the internet to perform business activities
Does the certification expire and if so how often do I need to renew and how much does it cost?
Yes. Certification is only valid for a year and needs to be renewed every year to keep the status. The process will be the same again, but not as tedious as the first time as long as you have kept up the security controls that were put in place.
Does it work for Macs/Linux? How is the testing carried out?
Testing works by picking one representative build per group of devices. For example, if you use Mac, Linux, Windows 7, Windows 10, etc., you will need to pick one device of each build, and those will be tested.
How about if we have multiple offices or remote workers?
Any system or user that accesses the company’s data comes under the scope of Cyber Essentials. If you are going for Cyber Essentials Plus, the assessor needs to visit all locations. There may be extra charges for expenses and extra days of work.
If we fail, can we try again and how much does it cost?
If you fail, you need to go through it again and the costs will be the same. However, we recommend you work with a Cyber Essentials consultant who makes sure you have the required controls in place, so that you achieve the certification without any hiccups. TechForce is an Approved Cyber Essentials Practitioner and we can help with that.
Why do I need a consultant? And how much do you cost and what money do you save me/value do you add?
The need for a consultant depends on how good your infrastructure is and whether you have internal resources to help. For example, if you are going for Cyber Essentials Level 1, it is a straightforward process for an IT-literate person: you need to know what controls you have in place for the company. If you don’t know, or don’t have the required controls, then you will benefit from having a consultant help you. The whole exercise is to make sure you have security controls in place so that your business is not impacted by the most common cyber threats. A good consultant will keep you right. If you do have an IT department and they need an extra hand, or they don’t know where to start, you will also benefit from a consultant’s service.
If you are going for Cyber Essentials Plus, I would definitely recommend bringing an approved practitioner/assessor on board. They will save you time and hassle, and make sure you have the controls in place to achieve the certification. They will also help you with the pre-audit scan, which will save you from failing the certification and going through the process again.
Consultancy services for Cyber Essentials Plus usually work on a day-rate basis. Each company may have a different day rate, but cheap is not always best.
Feel free to get in touch if you would like more advice, here.
What is the benefit of having Cyber Essentials Plus?
Cyber Essentials Plus shows that you have proven security controls in place. Part of achieving Cyber Essentials Plus is an assessor from the Certification Body visiting the site and double-checking and testing that the security controls are in place.
A few MoD contracts and other public sector organisations are now asking for Cyber Essentials Plus from their suppliers, and Cyber Essentials Level 1 is not enough. We would always recommend going with the Plus.
Do I need to buy extra software to go through Cyber Essentials?
You shouldn’t need to. The scanning and testing tools are provided by the hired expert or the assessor as part of the process. However, if you like the software they are using and see the benefits, you can certainly purchase it for the company. It will help you stay on top of the security controls we discussed.