Cyber Essentials is now a sufficiently old scheme that you’ve likely heard of it. Introduced in 2014 by the UK Government in collaboration with the National Cyber Security Centre (NCSC), the principle of the scheme is to “level up” the baseline cyber security footing of small businesses. Despite its government roots, it’s in reality a very good, sensible, and pragmatic scheme.
The design approach with Cyber Essentials is roughly the equivalent of saying to someone who owns a factory: “If you put CCTV on your building, people are more likely to break into your neighbour’s factory”. The Cyber Essentials website even says as much, stating: “[Cyber Essentials] gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place”.
Why have Cyber Essentials
The primary reason why people buy Cyber Essentials accreditation for their business is (perhaps sadly) because customers demand it. Customers are becoming increasingly worried about their own cyber security, and asking for Cyber Essentials is a very easy way for them to ask a supplier whether they are, if not necessarily on the same page, then at least reading the same book that they are.
What customers are able to do is back off a lot of their risk simply by adding a bullet point into an invitation to tender document – it costs them absolutely nothing to do, but delivers real benefits to their business.
As a side note, it’s relatively unusual for customers to ask for Plus certification – most of the time if you’re asked to demonstrate Cyber Essentials, it will just be the basic “mark your own homework” standard.
Cyber security hygiene
This is not to say that Cyber Essentials doesn’t have value – it does, and it’s important to look at Cyber Essentials as something more than just a box ticking exercise to keep customers happy.
The reality of Cyber Essentials is that it is a very good “starter for ten”, but it needs to be embedded within a proper cyber security strategy within your business – i.e. Cyber Essentials should be a basic standard that sits in the middle of your business, but you need to wrap extra work around the outside to give your business a proper, well-thought-through, and effective cyber security footing.
Cyber Essentials gets you 80% of the way to good cyber security, but it’s down to you to add in that additional 20%.
What’s missing from Cyber Essentials?
Cyber Essentials is scored on your adherence to five “technical controls”, which are best thought of as “topics” or “subject areas”. What the standard is trying to do is get your business up to a baseline standard of best practice, but it does so without being particularly onerous or complicated. The standards look to:
a) make sure that your work network is itself secure from external attack, that
b) the devices on your network are locked down to be less exploitable, that
c) the accounts that you give to your users are limited in what they can do (this boils down to not allowing regular users administrative or “super-user” access), that