Cyber Essentials is an effective, government-backed and industry-supported scheme to help organisations protect themselves against common online threats.
Cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Cyber Essentials looks to guide you to better understand these threats and help to keep that metaphorical front door firmly shut.
What are the differences between different Cyber Essentials Accreditations?
There are two levels of Certification: Cyber Essentials Basic and Cyber Essentials Plus, which I have expanded on in some more detail below to help you decide what’s right for you and your business.
Fundamentally the Cyber Essentials framework was designed to provide a security baseline for every business in every industry against the following 5 key areas:
- Access control
- Firewalls and routers
- Malware protection
- Secure configurations
- Software updates
What’s new to Cyber Essentials for 2022?
Due to the COVID-19 global pandemic, businesses operational models have drastically changed and adapted over a relatively short amount of time.
To continue operating, most businesses were forced to adopt a fully digital model and allow remote or hybrid working. This transformation and rapid adoption of cloud services that has prompted these changes to the existing Cyber Essentials scheme to ensure organisations uphold the basic level of cyber resilience which reflect the current working environments and cyber security risks.
Some of the key updates to Cyber Essentials will specifically cover changes to cloud services and web applications, bring your own device (BYOD), and security updates including password management and multi-factor authentication (MFA). Other changes include, but are not limited to the below:
- Some questions have been expanded upon with more details needed in your answer.
- Cloud services are now in scope of your basic and Plus assessments.
- The Cyber Essentials Plus test will include local admin rights checks and a MFA test for each workstation tested.
The Two Levels Certification
Cyber Essentials Basic is obtained by completing and independently verified Self-Assessment. This option gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark you out as target for more in-depth unwanted attention from cyber criminals.
Certification gives you peace of mind that your defences will protect against most common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place
Cyber Essentials Plus is a little more involved and to achieve Cyber Essentials Plus, a business must also first complete the online Cyber Essentials assessment as part of the Cyber Essentials Plus certification or have received the basic Cyber Essentials certification a maximum of 90 days prior to applying for the Cyber Essentials Plus
Unlike the Self-Assessment method for the basic certification, a hands-on technical verification is required to be carried out. Similarly, however, a qualified assessor examines the same five controls, testing that they work through a technical audit.
Another benefit of a Cyber Essentials plus certification includes automatic cyber liability insurance for any UK organisation who certifies their whole organisation and have less than £20m annual turnover.
So, is it Essential?
The threat landscape to businesses is changing rapidly, with modern working practices always evolving. More and more businesses and IT professionals placing a higher level of emphasis on the security strategy, and this is where the new changes to Cyber Essentials, will help to strengthen businesses overall cyber security stance.
Not only is Cyber Essentials cost-effective and easy to implement but it will ensure businesses deter hackers from targeting their infrastructure once the necessary Cyber Essentials technical controls are in place.
You will also give your customers and partners the reassurance that you are working to secure your IT against cyber-attacks. In an ever-competitive landscape these certifications will also display the emphasis your business is placing on security and may even help attract new business with the knowledge of these cyber security measures in place.
If you would like to discuss with myself or any of the Technical Architecture team at Planet IT about how you can get ready for a Cyber Essentials certification you can reach us using the contact details below.
Contact me at –
LinkedIn Message: Thomas Packer