Cyber Essentials Explained
What is Cyber Essentials?
Cyber Essentials is a globally recognised baseline standard for IT security, and Certification Europe is the first organisation outside of the UK to be approved to deliver this service. The Cyber Essentials scheme was developed as a baseline health check covering five core areas of IT and IT security controls. The scheme focuses on attacks originating from the internet and aimed at an organisation’s IT infrastructure. These attacks can target an organisation anywhere from the internet perimeter to the end-user device. The Cyber Essentials scheme is used to “give assurance” to wider industry and interested parties that the certified organisation is applying basic levels of IT-related security to address the threat of cyber attacks.
Implementation of Cyber Essentials can significantly reduce the risk of the most common low level cyber attacks. Cyber Essentials can become a practical component of a wider ranging cyber security infrastructure. A complete description of the core areas and the controls can be found in the Cyber Essentials requirements, scheme summary and assurance framework documents available on our resources page.
Why do you need Cyber Essentials?
Implementing a recognised best practice framework like Cyber Essentials can help to prevent common breaches occurring. There are many other benefits for organisations that adopt Cyber Essentials:
- Focus on your core business objectives knowing that you are protected from the majority of common cyber attacks
- Drive business efficiency, save money and improve productivity through streamlining processes
- Reduce your insurance premiums and increase your resistance to cyber threats
- Demonstrate to clients, insurers, investors and other interested parties that you have taken the precautions necessary to reduce cyber risks
- Bid for UK Government contracts that involve the handling of personal and sensitive information
Cyber Essentials is unique in that there is no other recognised scheme for baseline IT security controls which can be readily understood and adopted by the SME (and micro) sector at a very competitive cost. It can also be the first step in the evolution of an effective long-term Cyber Risk Strategy, which could lead to adopting international standards such as ISO 27001. Insurance agencies also look favourably upon organisations achieving recognised certifications and standards.
Trading and Compliance
Do you trade or wish to trade with UK organisations? If so, Cyber Essentials is a mandatory requirement for all government contracts and increasingly a requirement from the private sector. Cyber Essentials can also help to address existing and looming compliance requirements such as the Data Protection Act, the EU General Data Protection Regulation and the EU Directive on Network and Information Security.
Threat and Risk Reduction
According to the most recent survey carried out by PwC in the UK, 74% of smaller organisations were victims of security breaches in 2015, up from 60% in 2014. The average cost incurred by smaller organisations for their most significant single breach has increased dramatically: in 2015 the average cost rose to €87,700 from €75,785 in 2014, and at the top end, costs incurred by small businesses more than doubled in 2015 to €362,370.
By implementing a system like Cyber Essentials you will:
- Greatly reduce the chances of your organisation experiencing a data breach
- Prevent the financial losses that can occur
Frequently Asked Questions
If you are in need of assistance you are in the right place. We realise a little information can go a long way, so we have collected our most insightful, informative content in one place for you. However, if you need any further assistance, please contact us directly.
Who is Cyber Essentials for?
Cyber Essentials is for organisations of all sizes and across all sectors. This is not just limited to companies in the private sector, but is applicable to universities, charities, public sector, government bodies and not-for-profit organisations.
What are the benefits of the scheme?
The Cyber Essentials scheme provides organisations with clarity on what essential baseline IT security controls they need to have in place to reduce the risk posed by common threats on the internet. Organisations that achieve certification can demonstrate to their customers, through the Cyber Essentials badge, that they are proactively taking steps to mitigate cyber security risks.
When can I apply for Cyber Essentials certification?
You can apply right now. Simply click here to apply and start your assessment for Cyber Essentials.
How much is Cyber Essentials?
Cyber Essentials will cost €599 + VAT (other payment processing charges may be incurred). Additional charges may apply if an organisation needs assistance in completing its application or in providing the evidence required to achieve certification.
How much is Cyber Essentials Plus?
Cyber Essentials Plus is more complex and involves internal and external vulnerability scanning and an on-site visit. The audit is priced on a case-by-case basis. Costs will depend on a number of factors, including the size of the organisation, the scope, and the time needed to conduct the Cyber Essentials Plus audit.
How can I show that I have been certified?
Organisations that have successfully been assessed against Cyber Essentials will receive:
- Cyber Essentials Certificate
- Marketing materials such as logos and badges
- Branding guidelines
- Inclusion in the online register of certified companies (optional)
Being able to advertise that you have met the Cyber Essentials standard will give you an edge over competitors in the same market.
How long is certification valid?
As a minimum, to retain certification organisations must recertify annually, prior to the expiry date. The assessment process is a ‘snapshot’ in time and can only be sure to be effective on the day of assessment, similar to an NCT on a car. Just as a car will not remain roadworthy without regular maintenance between NCT inspections, the organisation must maintain and update its IT security controls over the certified period to guard against cyber attacks.
Are there benefits to achieving Cyber Essentials certification in addition to other certifications?
Yes, Cyber Essentials complements many other cyber and information security frameworks and certifications. You can gain certification in other schemes such as ISO 27001, PCI DSS, SOX, SSAE, SOC, ISO 20000, etc. in tandem with Cyber Essentials. Detailed examples can be seen in Annex A of the requirements document here.
Is implementing Cyber Essentials enough to protect my organisation?
Cyber Essentials should be seen as a first, vital step in your Cyber Risk Strategy. Its aim is to mitigate approximately 80% of known internet-based attacks. Additional frameworks or standards may be needed to address other risks.
Why does Cyber Essentials focus on five control areas and how were they chosen?
CESG (the information security arm of the UK Government’s GCHQ) has carried out an analysis of successful cyber attacks on a wide range of organisations. This analysis has helped identify the basic technical controls which most effectively mitigate cyber attacks by unsophisticated attackers using tools that are widely available on the internet. Cyber Essentials comprises the core actions necessary to mitigate the majority of these threats. You can find out more about these five controls here.
I have a secure website; do I still need to use Cyber Essentials?
A secure website may provide a secure link between you and your customer, but it only protects data in transit. Cyber Essentials aims to protect the data once it is stored within your systems.
Will Cyber Essentials stop me getting hacked?
Cyber Essentials offers a sound foundation of basic IT security controls that all types of organisations can implement and potentially build upon. Implementing these controls can significantly reduce an organisation’s vulnerability. However, it is not designed to address more advanced, targeted attacks, so organisations facing these threats will need to implement additional measures as part of their Cyber Security Strategy.
What do I need to do if management of my IT service is outsourced?
You may need to engage with your service provider so that they work with you to achieve certification to Cyber Essentials.