What is Cyber Essentials Plus and 5 ways it benefits our customers?

Introduction

The threat of cyber attacks, from phishing scams to large-scale hacks of essential systems, is an ever-present issue for organisations of all scales and in all sectors. Breaches of cyber security can lead to fines, legal consequences, and even cause irreparable damage to an organisation’s public image and profits.

The importance of robust cyber security in preventing breaches cannot be overstated. Thankfully, the Cyber Essentials Plus scheme exists to provide top-quality cyber security to participating organisations.

In this blog post, we will explore what exactly Cyber Essentials Plus is and five of the ways it benefits you as a customer! With the protection confirmed by our recent Cyber Essentials Plus renewal, we have the assurance of having the appropriate security controls and meeting best practice as a whole—ensuring that your data and systems are in safe hands.

About Cyber Essentials Plus

What is Cyber Essentials?

The Cyber Essentials scheme was set up by the UK Government in 2014 to encourage the widespread adoption of cyber security practices that are advanced enough to combat modern cyber threats.

The principle behind the scheme is that defence is more effective when organisations collaborate using agreed-upon standards than when each organisation uses (or doesn't use!) individually chosen security methods.

As well as encouraging cyber security practices, Cyber Essentials offers an industry-recognised certification to any participating organisations within the United Kingdom. The certification is governed by IASME (Information Assurance for Small and Medium Enterprises) and is government-backed to ensure that best practice is followed to the standards required by the government.

Cyber Essentials ensures that organisations have the appropriate technical controls in place to protect against the most common cyber security threats faced in the current landscape. As cyber security threats evolve constantly, these requirements and controls are reviewed periodically.

Cyber Essentials enforces five key technical controls:

Firewalls: A firewall monitors incoming and outgoing network traffic alongside a standard network based firewall. A WAF—or Web Application Firewall—filters traffic to and from web applications, preventing web-based attacks, such as Clickjacking. Network Firewalls must be in place for any and all internet-connected devices, and their
applications, used.
Secure configuration of systems: All devices and systems must be configured using their settings to require sufficiently complex passwords, and unnecessary or insecure applications must be removed.
User access control: Access management privileges must be set and rules enforced, to prevent unauthorised access to data or systems.
Malware protection: Trusted and up-to-date malware protection must be installed on any and all internet-connected devices, with the latest signature updates applied.
Security update management: Updates and patches must be regularly applied to any and all applications and devices used.

These controls make up the essential cyber security framework for protection against common threats.

As a standard feature, Cyber Essentials also includes the addition of automatic cyber liability insurance for UK organisations.

What is the difference between being Cyber Essentials and Cyber Essentials Plus certified?

So, if Cyber Essentials enables protection and offers certification in cyber security, what is Cyber Essentials Plus?

The difference between Cyber Essentials and Cyber Essentials Plus is more than just the name. Cyber Essentials Plus covers all of the five Cyber Essentials technical controls, but also includes an additional feature—an assessment carried out by an IASME-governed certification body.

With Cyber Essentials Plus, a qualified assessor carries out a thorough technical audit to examine how the five technical controls are applied by a specific organisation, and how they can be applied most effectively. These assessors can also consult on bespoke security solutions for participating organisations, enabling the strengthening of cyber security beyond even what the standard Cyber Essentials can offer.

5 Benefits of being Cyber Essentials Plus certified

1. Assesses and reviews applied internal security controls

However strong your organisation’s internal security controls are, regular auditing, assessing, and reviewing of these controls is essential. Many security weak points have gone unnoticed for long periods of time due to controls simply not being checked often enough!

An audit of the five key technical security controls from Cyber Essentials is a perfect chance to review your organisation’s cyber security strategy, with the direct help of an expert assessor. With yearly renewals, this makes sure that you keep up-to-date with best practices.

2. Ensures you’re protected against common security vulnerabilities

Becoming Cyber Essentials certified provides your organisation with protection against common threats, whilst implementing the five technical controls established. These controls offer you assurance that your organisation remains prepared for, and protected against, constantly evolving cyber security threats.

Even reviewing the requirements in general can be an excellent way for an organisation to see where they could potentially be going wrong, along with addressing areas that may need to be reviewed.

3. Certification confirms security posture to clients

Cyber security is not just a concern of organisations—it is also a major concern of their customer base, and everyone in general! Breaches in security can result in customer data being accessed by threat actors, and many organisations have lost the trust of their customers due to this.

When your organisation is Cyber Essentials certified, this confirms to your clients that you take cyber security seriously and that you have sufficient security measures in place to protect their data. This gives your customer base peace of mind that their information is safe and increases the chances that they will remain loyal customers in the future.

4. Organisation is added to the NCSC database of Cyber Essentials candidates

Once an organisation is Cyber Essentials certified, it is added to the NCSC (National Cyber Security Centre) database of certified organisations. The information on this database is open to the public, which means that other organisations can verify whether or not you are Cyber Essentials certified.

Being on the NCSC database displays your commitment to cyber security, which can be excellent publicity! When it is on public record that your security measures are strong enough to deal with modern cyber threats, you have a higher chance of attracting new clients and customers.

5. Third-party assessment from a Certification Body approved by IASME Consortium

The standard Cyber Essentials certification involves a self-assessment of how well your organisation implements the five key technical security controls. Carrying this assessment out can be difficult if your company has a large and complex structure, or if you lack the high level of technical knowledge needed to carry out the assessment accurately.

With Cyber Essentials Plus, audits are carried out by an external party accredited by the IASME Consortium. This provides what is usually a more accurate assessment, as well as enabling you to benefit from bespoke advice for your specific organisation.

Where can you check if a company is Cyber Essentials Plus certified?

Are you wondering if a particular organisation is Cyber Essentials Plus certified?

The National Cyber Security Centre provides an open database for anybody to check and see which organisations are Cyber Essentials certified, as well as their scope and any further information.

This provides a way to ensure that an organisation is indeed compliant with the Cyber Essentials standard, along with making sure their certification is still in date. This is a much more reliable way of verifying certification status than checking an organisation’s website or promotional materials, as certification can sometimes be displayed there after it has expired—or even faked entirely!

If in doubt, check the NCSC database before partnering with a new organisation.

Overt Software is fully Cyber Essentials Plus certified

With the IASME Consortium based just down the road from us in Malvern, Worcestershire, renewing our Cyber Essentials Plus certification was no trouble!

Overt Software Cyber Essentails Certification 2023

Image Source: NCSC database

With many clients’ systems dependent on our products and services, robust cyber security is a top priority of ours. That is why Overt Software is proud to be fully Cyber Essentials Plus certified across the entire scope of our organisation.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
tve_leads_unique	1 month	This cookie is set by the provider Thrive Themes. This cookie is used to know which optin form the visitor has filled out when subscribing a newsletter.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
c3po.jpg	Session	This pixel tracker, set by metricool.com, collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heatmaps for the website owner.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook as part of their embedded services on our websites (likes, sharing etc.).
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
ClientId	1 year	No description available.
li_gc	2 years	No description
OIDC	6 months	No description available.
OutlookSession	session	No description available.
tl_1206_1206_4	1 month	No description
tl_544_544_1	1 month	No description