The threat of cyber attacks, from phishing scams to large-scale hacks of essential systems, is an ever-present issue for organisations of all scales and in all sectors. Breaches of cyber security can lead to fines, legal consequences, and even cause irreparable damage to an organisation’s public image and profits.
The importance of robust cyber security in preventing breaches cannot be overstated. Thankfully, the Cyber Essentials Plus scheme exists to provide top-quality cyber security to participating organisations.
In this blog post, we will explore what exactly Cyber Essentials Plus is and five of the ways it benefits you as a customer! Our recent Cyber Essentials Plus renewal confirms that we have the appropriate security controls in place and follow best practice across the organisation, so that your data and systems are in safe hands.
About Cyber Essentials Plus
What is Cyber Essentials?
The Cyber Essentials scheme was set up by the UK Government in 2014 to encourage the widespread adoption of cyber security practices that are advanced enough to combat modern cyber threats.
The principle behind the scheme is that defence is more effective when organisations collaborate using agreed-upon standards than when each organisation uses (or doesn't use!) individually chosen security methods.
As well as encouraging cyber security practices, Cyber Essentials offers an industry-recognised certification to any participating organisations within the United Kingdom. The certification is governed by IASME (Information Assurance for Small and Medium Enterprises) and is government-backed to ensure that best practice is followed to the standards required by the government.
Cyber Essentials ensures that organisations have the appropriate technical controls in place to protect against the most common cyber security threats faced in the current landscape. As cyber security threats evolve constantly, these requirements and controls are reviewed periodically.
Cyber Essentials enforces five key technical controls:
- Firewalls: A firewall monitors incoming and outgoing network traffic. Alongside a standard network-based firewall, a WAF (Web Application Firewall) filters traffic to and from web applications, preventing web-based attacks such as Clickjacking. Network firewalls must be in place for any and all internet-connected devices, and their
- Secure configuration of systems: All devices and systems must be configured to require sufficiently complex passwords, and unnecessary or insecure applications must be removed.
- User access control: Access management privileges must be set and rules enforced, to prevent unauthorised access to data or systems.
- Malware protection: Trusted and up-to-date malware protection must be installed on any and all internet-connected devices, with the latest signature updates applied.
- Security update management: Updates and patches must be regularly applied to any and all applications and devices used.
These controls make up the essential cyber security framework for protection against common threats.
As a standard feature, Cyber Essentials also includes automatic cyber liability insurance for UK organisations.
What is the difference between being Cyber Essentials and Cyber Essentials Plus certified?
So, if Cyber Essentials enables protection and offers certification in cyber security, what is Cyber Essentials Plus?
The difference between Cyber Essentials and Cyber Essentials Plus is more than just the name. Cyber Essentials Plus covers all of the five Cyber Essentials technical controls, but also includes an additional feature—an assessment carried out by an IASME-governed certification body.
With Cyber Essentials Plus, a qualified assessor carries out a thorough technical audit to examine how the five technical controls are applied by a specific organisation, and how they can be applied most effectively. These assessors can also consult on bespoke security solutions for participating organisations, enabling the strengthening of cyber security beyond even what the standard Cyber Essentials can offer.
5 Benefits of being Cyber Essentials Plus certified
1. Assesses and reviews applied internal security controls
However strong your organisation’s internal security controls are, regular auditing, assessing, and reviewing of these controls is essential. Many security weak points have gone unnoticed for long periods of time due to controls simply not being checked often enough!
An audit of the five key technical security controls from Cyber Essentials is a perfect chance to review your organisation’s cyber security strategy, with the direct help of an expert assessor. With yearly renewals, this makes sure that you keep up-to-date with best practices.
2. Ensures you’re protected against common security vulnerabilities
Becoming Cyber Essentials certified means implementing the five established technical controls, which protect your organisation against common threats. These controls offer you assurance that your organisation remains prepared for, and protected against, constantly evolving cyber security threats.
Even reviewing the requirements in general can be an excellent way for an organisation to see where it could be going wrong and to identify areas that need a closer look.
3. Certification confirms security posture to clients
Cyber security is not just a concern of organisations—it is also a major concern of their customer base, and everyone in general! Breaches in security can result in customer data being accessed by threat actors, and many organisations have lost the trust of their customers due to this.
When your organisation is Cyber Essentials certified, this confirms to your clients that you take cyber security seriously and that you have sufficient security measures in place to protect their data. This gives your customer base peace of mind that their information is safe and increases the chances that they will remain loyal customers in the future.
4. Organisation is added to the NCSC database of Cyber Essentials candidates
Once an organisation is Cyber Essentials certified, it is added to the NCSC (National Cyber Security Centre) database of certified organisations. The information on this database is open to the public, which means that other organisations can verify whether or not you are Cyber Essentials certified.
Being on the NCSC database displays your commitment to cyber security, which can be excellent publicity! When it is on public record that your security measures are strong enough to deal with modern cyber threats, you have a higher chance of attracting new clients and customers.
5. Third-party assessment from a Certification Body approved by IASME Consortium
The standard Cyber Essentials certification involves a self-assessment of how well your organisation implements the five key technical security controls. Carrying this assessment out can be difficult if your company has a large and complex structure, or if you lack the high level of technical knowledge needed to carry out the assessment accurately.
With Cyber Essentials Plus, audits are carried out by an external party accredited by the IASME Consortium. This provides what is usually a more accurate assessment, as well as enabling you to benefit from bespoke advice for your specific organisation.
Where can you check if a company is Cyber Essentials Plus certified?
Are you wondering if a particular organisation is Cyber Essentials Plus certified?
The National Cyber Security Centre provides an open database for anybody to check and see which organisations are Cyber Essentials certified, as well as their scope and any further information.
This provides a way to ensure that an organisation is indeed compliant with the Cyber Essentials standard, along with making sure their certification is still in date. This is a much more reliable way of verifying certification status than checking an organisation’s website or promotional materials, as certification can sometimes be displayed there after it has expired—or even faked entirely! If in doubt, check the NCSC database before partnering with a new organisation.
Overt Software is fully Cyber Essentials Plus certified
With the IASME Consortium based just down the road from us in Malvern, Worcestershire, renewing our Cyber Essentials Plus certification (number IASME-CEP-007055) on 20/12/21 was no trouble!
Image Source: NCSC database
With many clients’ systems dependent on our products and services, robust cyber security is a top priority of ours. That is why Overt Software is proud to be fully Cyber Essentials Plus certified across the entire scope of our organisation.