Cyber Essentials Guide – 2022

Cyber Essentials Guide for 2022

Welcome to the definitive guide to Cyber Essentials in 2022. With this guide you will understand what is expected from the Cyber Essentials assessment and what your assessor will be looking for.

What is the Cyber Essentials Scheme?

Cyber Essentials is the UK government's Cyber Security assurance scheme. The Cyber Essentials and Cyber Essentials Plus scheme is run by the UK’s National Cyber Security Centre and encourages organisations to adopt reasonable data security practices. Cyber Essentials was designed by the government in 2014, primarily for small to medium-sized businesses, to make it easier to protect against common cyber threats and to start putting an end to the ever-increasing number of small to medium-sized businesses being digitally compromised by criminals.

The simplest way to think of the Cyber Essentials scheme is to think of it as a Cyber Security MOT for your business or organisation. You have to fulfil specific requirements to pass successfully, and your assessor will confirm whether you meet these.

For Cyber Essentials, that ‘assessor’ is called a Certification Body. Hedgehog Security is one of the certification bodies approved by IASME to deliver Cyber Essentials and Cyber Essentials Plus, as well as the maritime version of Cyber Essentials, the Maritime Cyber Baseline. They have the official qualifications needed to certify you for Cyber Essentials – that is, as long as your organisation ticks all the boxes. A large portion of the assessment is a self-assessment questionnaire, and it is these answers that will determine whether you pass or fail. The questionnaire is updated annually, so if you already have your Cyber Essentials certification and you are renewing, don’t expect to be able to simply submit the answers from the previous year.

Once you show you have all the necessary processes, policies, and controls (we have a lot of free-to-use templates here), you’ll achieve the Cyber Essentials certification so you can demonstrate your commitment to Cyber Security to your clients, partners, and suppliers. Most importantly, you’ll feel more confident that you’re secure and protected. That is what this cyber essentials guide is all about.

Certification Bodies are an essential part of achieving your Cyber Essentials certificate. But what exactly are they, and how do you find one? Certification Bodies operate under the IASME Consortium, which became the sole accreditation body on the 1st of April 2020. Before, there were five accrediting bodies with varying methodologies, but the government decided to appoint only one.

IASME works with and oversees several Certification Bodies across the country, including Hedgehog Security, and each Certification Body has qualified assessors who can certify businesses and organisations for Cyber Essentials. You can visit IASME’s website to see a complete overview of all the Certification Bodies.

What Are the Benefits of Cyber Essentials?

Cyber Essentials is run by the UK government and has become the standard by which the UK government holds all of its supply chains to account. You will therefore be aligning your business with the most recognised national standard.

Time, Money and Resources

With a high-level view of your Cyber Security, you can iron out any inefficiencies in your practices and maximise productivity as your team will have more time on their side.

Government Tenders

If you pursue government tenders and contracts, Cyber Essentials can help you get there. Cyber Essentials is the minimum certification level required for any organisation looking to obtain government contracts (including the Ministry of Defence and Health), especially in the private sector.

Marketing Through Security

Obtaining Cyber Essentials can make a big difference when your organisation tries to get cyber insurance. The brokers will likely be more inclined to offer you a reduced premium as they can see your organisation is cyber safe and making every effort to protect its data.

As much as your business provides a service, you’ll also utilise them yourselves – you are a client to someone. With that in mind, think how reassured you’d feel if that service was able to demonstrate to you that they care about looking after your data and keeping it secure. You’d likely appreciate their work even more than you do currently.

You want your clients to know that you take Cyber Security seriously. This begins with letting them know that you’re making a conscious effort to protect their information. Before you know it, you’ll have built a tremendous amount of trust in your client relationships and enhanced your reputation in your industry. When your clients are happy, they’ll tell people about it – and who knows, those people might want to come to you for your services too.

Some organisations do not care about Cyber Security, and they believe it is not a priority or even a concern altogether. It’s an unfortunate way of thinking and doesn’t stand in this day and age.

With the Cyber Essentials certification, you can quickly demonstrate that you care about data and differentiate yourself from competitors who have yet to prioritise their Cyber Security. By showcasing the Cyber Essentials logos on your website and collateral, you put your organisation among businesses that can demonstrate they care about their data.

The UK must comply with GDPR (General Data Protection Regulation), and businesses must abide by this and the UK’s own Data Protection Act. It’s vital to comply with both of these for numerous reasons. Most importantly, though, your business or organisation could be liable to pay up to 4% of your turnover if breached.

If you are not Cyber Essentials Plus certified, the Information Commissioner’s Office (ICO) can very quickly conclude that you did not implement enough measures to protect the data you hold. By having the Cyber Essentials Plus certification, you could avoid the fine, as they would be able to see you were trying to protect your data.

Cyber Essentials vs Cyber Essentials Plus

Even by achieving Cyber Essentials Basic, you’re taking an essential step to show your clients and stakeholders that you are serious about your Cyber Security and protecting their data. However, since Cyber Essentials Plus officially verifies this, it has even more impact. Achieving Plus demonstrates that you are going the extra mile to ensure you handle all your essential data in a secure environment.

Many government contracts, including MOD and NHS, require Cyber Essentials Plus, a requirement that is likely to become even more common over the next few years. If you embark on your Cyber Essentials journey, we recommend that you try to go for Cyber Essentials Plus to make it worth your while!

Cost of Cyber Essentials

Cyber Essentials is priced according to the number of people in your organisation:

£295.00 for micro businesses (0-9 employees)
£345.00 for small businesses (1-49 employees)
£395.00 for medium businesses (50-249 employees)
£425.00 for large businesses (250+ employees)

Understanding the threat to your organisation

Although most organisations spend 5.6% of their overall IT budget on information and Cyber Security and risk management, many still don’t understand Cyber Security. They still do not know how to keep hackers out.

Over the last ten years, we’ve seen exponential growth in cybercrime. According to the UK Government, 39% of UK businesses reported a cyber breach in the previous 12 months. These numbers continue to rise as we become increasingly reliant on technology within our organisations and hackers become more sophisticated. With over 65,000 cyber-attack attempts daily in the UK, the message is clear: Cyber Security must be a priority for every business owner.

A significant number of organisations wish they could go back and make amends. Sadly, “It’s never too late” does not usually apply to Cyber Security.

Who is a Threat to Your Organisation?

We often get told, during early conversations, that company x doesn’t need any Cyber Security because no one will ever attack them. But attacks happen, and it might be an accidental error by one of your employees or a criminal halfway around the world attempting to gain unauthorised access to your data. There are five common sources of cyber threat, listed below:

Hacktivists

  • Agenda or ideology.
    – Examples are Anonymous, LulzSec, and the Syrian Electronic Army.

Hackers

  • Status and technical challenge.
  • Hackers can be good, or they can be harmful. It all depends on their actions.

State-Sponsored

  • National advantage.
  • Well-funded and targeted.
  • Designed to gather information.

Insiders

  • Privileged access to data.
  • Insiders can be malicious or, more commonly, accidental.

Criminals

  • Often driven by financial gain.
  • Theft of data, ransomware, and cyber-enabled or cyber-dependent crime.

What are cybercriminals trying to do?

Cybercriminals, or criminals as they are correctly known, may have many ways to get your data:

  • Criminals may infect your systems with malware to disrupt, damage, and gain unauthorised access to your computer systems.
  • They may use Social Engineering techniques to manipulate your employees into divulging confidential and personal information subsequently used for fraudulent purposes.
  • If your patching regime is not very good, they will exploit vulnerabilities and weaknesses in your systems to gain access to your network.
  • An old but widespread attack is overloading your systems with a DDoS (Distributed Denial of Service) attack. The criminals use multiple techniques to flood and target the bandwidth and resources of your systems and then hold you to ransom. A DDoS attack uses one or more control servers that issue commands to all the compromised systems to simultaneously send requests to your website or system.

Is there a solution to the cyber threat?

In 2020, 39% of UK organisations suffered a data breach or attack. We know that sounds uncomfortably high. The good news, however, is that the trend is changing. Businesses are prioritising their Cyber Security programs, with 77% now saying it is a high priority for their senior management boards.

So how are these businesses responding to this cyber threat? Many companies are looking to recognised standards that will give them a baseline for good Cyber Security. One of the UK’s most recognised standards is Cyber Essentials, and with the ever-growing push from the government, clients and suppliers, you’ve likely heard that name knocking around. Some organisations have gone further with monthly vulnerability scanning and quarterly or six-monthly penetration testing of their internal and external networks.

Organisations around the world are seeing the benefit of aligning their security to the requirements of Cyber Essentials, and these efforts, in combination with regular security testing, are primarily responsible for the decline in successful breaches.