What Is Cyber Essentials Certification and Does Your Business Need It?

If you have been researching cybersecurity for your business, you might have seen people boasting about being ‘Cyber Essentials certified’. You might also have come across the phrase if your business has been trying to win government contracts. But what is the Cyber Essentials scheme, and why would your business need it?

Cyber Essentials Explained

Cyber Essentials is a government-backed scheme that certifies which organisations meet its minimum cybersecurity requirements. It was created by the Information Security Forum (ISF) and the Information Assurance for Small and Medium Enterprises (IASME). The steps to get certified take the form of a detailed checklist, which lays out the safeguards you should put in place to protect your organisation from cyber-attacks.

What Are The Benefits Of Cyber Essentials?

  • You can demonstrate to your customers, suppliers and partners that you take cybersecurity seriously.
  • For many businesses, the process of Cyber Essentials certification is the first time they have fully audited their systems’ security.
  • You will be able to tender for UK Government contracts.
  • If Cyber Essentials becomes a requirement for your sector, you will already have an advantage over your competitors.
  • You can use the Cyber Essentials logo on your marketing materials.
  • You will have a clearer picture of the threats to your business and the steps you are taking to prevent them.
  • Some business insurance providers will offer rebates to customers with Cyber Essentials in place.  

Which Businesses Need Cyber Essentials?

If your organisation wants to secure central government contracts, you must have Cyber Essentials certification. This applies not only to the private sector but also to public sector organisations, charities and universities. Many local councils will also require proof of Cyber Essentials from their partners.

Beyond the government, specific industries are slowly adding Cyber Essentials to their requirements and regulations. For example, law firms are required to have Cyber Essentials certification as of the introduction of the Lexcel 6.1 guidelines. Other industries are soon to follow.  

What Does Cyber Essentials Include?

The full checklist of Cyber Essentials requirements is too long to detail here, but it focuses on these five key areas:

  • Firewalls and Secure Internet Gateways
    When properly configured, firewalls give a baseline level of safety for all internet users on your network. All network traffic is monitored, and potentially hazardous activity is identified and blocked. Cyber Essentials certifies that your firewalls are up to date and properly configured.
  • Access Control
    You need to properly control which users on your network are able to access which resources. You should also be able to track that access over time. With access control in place, suspicious activity or unauthorised access requests can be flagged and investigated. This helps you prevent data breaches. The Cyber Essentials scheme certifies that you have effective data security in place and that only authorised personnel have access to critical systems. 
  • Configuration
    Devices and software in your organisation should not use default user accounts or passwords. This might seem like common sense, but unfortunately that’s not always the case. Cyber Essentials certifies that your systems are configured in the most secure way.
  • Malware/Ransomware Protection
    Ransomware and other malware such as trojans and spyware are the biggest threat to businesses. To combat this, anti-malware software should be installed on every device in your business that connects to the internet. Cyber Essentials certifies that you have effective malware protection in place and that it is up to date.
  • Patch Management
    This relates to how up to date your software and operating systems are. You are far more vulnerable to attack if you still use operating systems like Windows XP or Windows 7, because these operating systems no longer receive security updates. Cyber Essentials certifies that all your software and operating systems are up to date with the latest security patches. You should also have a patch management plan in place, ideally one that makes use of automation to reduce the risk that a future update will be missed.
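The five control areas above can be turned into checkable rules and run over a device inventory as a pre-assessment before the formal certification. The script below is an added example (not from the original article or from Carden IT): the device records, the unsupported-OS list and the signature-freshness limit are assumptions, and the 14-day patch window reflects the scheme's published requirement for critical and high-risk security updates.

```python
from datetime import date, timedelta

# Assumed thresholds: unsupported OS list, the scheme's 14-day window for
# critical/high security updates, and a 7-day freshness limit for signatures.
END_OF_LIFE_OS = {"Windows XP", "Windows 7"}
PATCH_WINDOW = timedelta(days=14)
SIGNATURE_WINDOW = timedelta(days=7)
ASSESSMENT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

def assess_device(dev: dict, today: date) -> list[str]:
    """Return the control areas one device fails (empty list means it passes)."""
    failures = []
    if not dev["firewall_enabled"]:  # firewalls: host firewall on every device
        failures.append("firewall")
    if dev["daily_user_is_admin"]:  # access control: no admin rights for daily use
        failures.append("access_control")
    if dev["default_credentials"]:  # configuration: no vendor default accounts
        failures.append("configuration")
    sigs = dev["av_signature_date"]  # malware protection: endpoints only
    if dev["endpoint"] and (sigs is None or today - sigs > SIGNATURE_WINDOW):
        failures.append("malware_protection")
    if dev["os"] in END_OF_LIFE_OS or today - dev["last_security_patch"] > PATCH_WINDOW:
        failures.append("patch_management")  # patching: supported OS, patched in window
    return failures

def assess_inventory(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Map each failing device name to the control areas it fails."""
    report = {}
    for dev in inventory:
        failures = assess_device(dev, today)
        if failures:
            report[dev["name"]] = failures
    return report

# Constructed sample inventory; the hosts and dates are made up.
SAMPLE_INVENTORY = [
    {"name": "LAPTOP-01", "os": "Windows 11", "endpoint": True, "firewall_enabled": True,
     "daily_user_is_admin": False, "default_credentials": False,
     "av_signature_date": date(2024, 5, 31), "last_security_patch": date(2024, 5, 20)},
    {"name": "RECEPTION-PC", "os": "Windows 7", "endpoint": True, "firewall_enabled": False,
     "daily_user_is_admin": True, "default_credentials": False,
     "av_signature_date": date(2024, 5, 1), "last_security_patch": date(2020, 1, 14)},
    {"name": "OFFICE-ROUTER", "os": "Vendor firmware", "endpoint": False, "firewall_enabled": True,
     "daily_user_is_admin": False, "default_credentials": True,
     "av_signature_date": None, "last_security_patch": date(2024, 5, 25)},
]

if __name__ == "__main__":
    for name, failed in assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE).items():
        print(f"{name}: fails {', '.join(failed)}")
```

Feed it an export from your asset-management tool with the same fields and the report lists exactly which devices would hold up certification and under which control area.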

How Can Carden IT Help?

Using automated vulnerability scans and our expertise, we can audit your systems and find areas where your security falls short. We then work with you to improve your security, bringing it up to and above the level required for Cyber Essentials certification. As part of our comprehensive cyber-defence services, we can continue to manage your organisation’s security over the long term.

Get in touch to book a consultation with our cyber-defence team.

Author: Dave King

Dave King is the Co-Founder and Director of Carden IT Services and the wider Carden IT Group. Dave has over 18 years’ experience in business IT networks with a focus on IT consultation and disaster recovery planning/testing.