Cyber Essentials Training
Cyber Essentials Certification and Training.
Cyber Essentials is a UK government scheme designed to protect companies and organisations, whatever their size, against a range of the most common cyber attacks. Most of these attacks are basic and carried out by relatively unskilled people. They have been described as the digital equivalent of a thief trying a home’s front door to see if it is unlocked. The certification scheme was launched in 2014 by the UK Department for Business, Innovation and Skills and is operated by the National Cyber Security Centre (NCSC).
How can Cyber Essentials benefit your business?
The scheme can benefit your business in a number of ways:
1. Preventing cyber attacks: If you fail to protect your computer systems, you’re at more risk of a cyber attack. An attack could result in your organisation losing vital data, disrupting cash flow and damaging your reputation.
2. Government contracts: Organisations bidding for some contracts with the British Government will need Cyber Essentials certification.
3. Customer trust: Becoming certified shows your customers that you take cyber security seriously and are taking the necessary steps to keep the data you hold about them safe. Displaying your credentials on your website, emails and other marketing materials shows your customers – and prospective ones – that you’re serious about cyber security.
The five controls of Cyber Essentials
There are five technical controls (a “control” is simply a way to address a risk) you will need to put in place, which are:
Firewalls: Secure your internet connection with boundary and host-based firewalls.
Secure Configuration: Settings, passwords and multi-factor authentication.
Security Update Management: Keep your devices and software up to date.
User Access Control: Protecting administrators and limiting access to data and services.
Malware Protection: Viruses, allow-listing and associated techniques.
Guidance from the UK National Cyber Security Centre breaks these down into finer details. These controls have been chosen as the highest-priority ones from other, more detailed guidance such as the ISO27001 standard for information security, the Standard of Good Practice (from the Information Security Forum) and the IASME Cyber Assurance standard. Cyber Essentials, however, has a narrower focus, emphasising technical controls rather than more general governance and risk assessment.
Cyber Essentials and the GDPR
Cyber Essentials is also useful for those with an eye on the GDPR – the EU’s General Data Protection Regulation – which came into effect in May 2018. The GDPR is a far-reaching regulation, intended to protect the privacy of individuals and their personal data within the European Union. The regulation specifies that “controllers” must determine their own cyber security approaches based on the personal information they hold and process. Since Brexit, the UK has its own data protection regime, heavily based on the GDPR.
While Cyber Essentials can help with this, it is not a complete solution for all GDPR obligations. But the Information Commissioner’s Office (ICO), whose job it is to uphold data protection law in the UK, recommends Cyber Essentials as “a good starting point” for the cyber security of the IT systems and networks you rely on to hold and process personal data.
Standard or Plus Certification?
Not everyone has the time or money needed to develop a comprehensive cyber security system, so the scheme has been designed to fit in with whatever level of commitment you are able to sustain. There are three main levels of engagement:
1. The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT systems, without becoming certified.
2. If you need more certainty in your cyber security (or you want to show others that you’re taking it seriously), you can apply for basic certification.
3. For those who want to take cyber security a bit further, Cyber Essentials Plus certification is also available. The five controls are the same as for the basic level, but Plus also includes a more detailed vulnerability scan from inside your network (tested onsite), to check your devices are configured correctly.
The self-assessment option (not going for certification) still gives you protection against a wide variety of the most common cyber attacks, so we’d encourage you to do this as a minimum. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.
Certification gives you increased peace of mind that your defences will protect against the majority of common cyber attacks simply because these attacks are looking for “soft” targets which do not have the technical controls in place. If you would like to bid for central government contracts which involve handling sensitive and personal information, or the provision of certain technical products and services, you may need to have certification, at either the basic or Plus level.
Cost of becoming certified
The process of obtaining basic certification is relatively simple and budget-friendly, depending on the size of your organisation. The scheme shows you how to address the basics and prevent the most common attacks. So far about 80% of companies and organisations with Cyber Essentials certification have chosen the basic version. It is often larger organisations that choose Cyber Essentials Plus, due to the additional cost, which can be several thousand pounds.