What are Cyber Essentials and Cyber Essentials Plus?

In 2014 The UK Government worked with a number of Industry leading bodies to create Cyber Essentials – robust and wide-reaching guidelines that document the controls all organisations should have in place to mitigate IT based cyber-threats.

Since outlining the accreditation as an important piece of the jigsaw when small business bid for Government business, we’ve had a lot of enquiries about exactly what it is and what accreditation entails. With that in mind, we’ve decided to give you a little more information on Cyber Essentials and Cyber Essentials Plus – with a view to helping you decide if either would be beneficial to your business.

What does Cyber Essentials entail?

Cyber Essentials is a set of system controls – which, when put into place across an organisation’s IT infrastructure and practices offers protection against the most common forms of internet based cyber-attacks.

Rather than focus on the most sophisticated attacks – Cyber Essentials focuses primarily on the types of crime that make up the large percentage of online attacks, a wise move, considering the sheer number of malicious tools available and the ease with which even novice criminals can put those tools into action.

An overview

There are defined steps and system considerations that make up the Cyber Essentials requirements – they are:

• Threat Identification
  The organisation working toward accreditation takes an overview of all their systems, deciding which are most likely to be vulnerable to internet based threats.
• Self-assessment of systems
  The following system elements are assessed in-house:
• Boundary Firewalls and internet gateways – Your organisation should ensure that devices and/or software solutions are in place to protect unauthorised network access – and that such services are correctly configured for maximum effect.
• Secure configuration – The company network should be setup and configured in such a way that the maximum possible level of security is achieved while keeping in line with organisational needs.
• Access control – Beyond the hardware and software requirements, levels of user access should be assessed to ensure data and systems available on a ‘need to know’ basis.
• Malware protection – There should be appropriate anti-virus and malware protection in place and kept up to date.
• Patch management – The latest versions of all company applications should be in use – with all security and performance patches installed.

Verification

When these measures have been appropriately assessed a senior member of your staff team confirms that network infrastructure is up to standard. Shortly after, an external and independent verification company will visit and confirm your company’s level of adherence.

Cyber Essentials Plus

While the assessment and necessary criteria are the same for the Cyber Essential’s Plus certification, the process is performed entirely by an external Cyber Essentials Accreditation Body – thus offering a higher level of assurance, given the high level of IT expertise required to fulfil the role.

The cost of the Cyber Essentials Plus assessment and accreditation process is sometimes slightly more than that of the basic level certification – but carries a great deal more weight when approaching Government and businesses who require such accreditation to bring you onboard as a partner or supplier.

VectorCloud

The team here are proud to have achieved our status as a Cyber Essentials Certification and Accreditation Body in 2017. Our extensive experience in cyber-security has meant we can support Scottish small and medium sized businesses to achieve this prestigious award.

If you feel like Cyber Essentials would be a benefit to your business, your customers and your future partnerships – call us – we’ll explain the first steps and can support you all the way.