Is Cyber Essentials essential for your business?


Is it worth implementing Cyber Essentials in your business?
We think so — and here’s why…
Cyber Essentials is now a sufficiently old scheme that you’ve likely heard of it. Introduced in 2014 by the UK Government in collaboration with the National Cyber Security Centre (NCSC), the principle of the scheme is to “level up” the baseline cyber security footing of small businesses. Despite its government roots, it’s in reality a very good, sensible, and pragmatic scheme.
The design approach with Cyber Essentials is roughly the equivalent of saying to someone who owns a factory: “If you put CCTV on your building, people are more likely to break into your neighbour’s factory”. The Cyber Essentials website even says as much stating: “[Cyber Essentials] gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place”.

Why have Cyber Essentials
The primary reason why people buy Cyber Essentials accreditation for their business is (perhaps sadly) because customers demand it. Customers are becoming increasingly worried about their own cyber security, and asking for Cyber Essentials is a very easy way for them to ask a supplier whether they are, if not necessarily on the same page, then at least reading the same book that they are.
What customers are able to do is back off a lot of their risk simply by adding a bullet point into an invitation to tender document – it costs them absolutely nothing to do, but delivers real benefits to their business.
As a side note, it’s relatively unusual for customers to ask for Plus certification – most of the time if you’re asked to demonstrate Cyber Essentials, it will just be the basic “mark your own homework” standard.

Cyber security hygiene
This is not to say that Cyber Essentials doesn’t have value – it does, and it’s important to look at Cyber Essentials as something more than just a box ticking exercise to keep customers happy.
The reality of Cyber Essentials is that it is a very good “starter for ten”, but it needs to be embedded within a proper cyber security strategy within your business – i.e. Cyber Essentials should be a basic standard that sits at the centre of your business, with extra work “wrapped around” the outside to give your business a proper, well-thought-through, and effective cyber security footing.

Cyber Essentials gets you 80% of the way to good cyber security, but it’s down to you to add in that additional 20%.

What’s missing from Cyber Essentials?
Cyber Essentials is scored on your adherence to five “technical controls”, each of which is a topic or subject area rather than a single setting. What the standard is trying to do is get your business up to a baseline standard of best practice, but it does so without being particularly onerous or complicated. The standards look to make sure that:
a) your work network is itself secure from external attack;
b) the devices on your network are locked down to be less exploitable;
c) the accounts that you give to your users are limited in what they can do (this boils down to not allowing regular users administrative or “super-user” access);
d) there is proper malware/antivirus protection on devices; and finally
e) the devices are patched and kept up to date.

Most businesses, even large businesses, today use commodity hardware and software. Whereas ten years ago an office might have had some laptops/desktops, at least one server, a network printer, and a router, today, because so much of what we do is in the cloud, those networks have become very stripped back, so that a typical network has some laptops/desktops, a router, and maybe a network printer.
If you run your business on Microsoft 365 or Google Workspace (like virtually every business does), and use Windows 10, Windows 11, or macOS, you get most of Cyber Essentials for free. It’s not a given that a two-person business with a Microsoft 365 subscription and two laptops bought from Currys will automatically be Cyber Essentials ready, but they are likely not far off.
What is missing from Cyber Essentials is an actual understanding of the threats that businesses face. Cyber Essentials does not talk about password management, for example, but without a doubt everyone, whether an individual or a business, should use a password manager and practise proper password hygiene: properly random passwords, never reused across different sites and services. Another example is that every device should be encrypted to protect your business against privacy breaches and potential fines under GDPR, yet Cyber Essentials does not mandate this.
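As an added illustration of the five control areas and the encryption gap described above (our own example, not part of the scheme or its self-assessment), the following read-only PowerShell self-check reports the state of a Windows 10/11 laptop against each area. It assumes an elevated Windows PowerShell 5.1 session on a Pro/Enterprise edition (for the BitLocker module), and the `$DailyUser` parameter is a placeholder for the account used for day-to-day work.

```powershell
# Added example: one PASS/CHECK line per Cyber Essentials control area,
# plus disk encryption, which the scheme does not mandate but the post recommends.
# Assumes an elevated session; $DailyUser is a placeholder for the everyday account.
param([string]$DailyUser = $env:USERNAME)

$results = [ordered]@{}

# a) Secure network boundary: the host firewall must be on for every profile.
$offProfiles = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
$results['a) Firewall on for all profiles'] = ($offProfiles.Count -eq 0)

# b) Secure configuration: the built-in Guest account should be disabled.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$results['b) Guest account disabled'] = ($guest.Enabled -ne $true)

# c) User access control: the everyday account must not be a local administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.Split('\')[-1] }
$results["c) '$DailyUser' is not a local admin"] = ($admins -notcontains $DailyUser)

# d) Malware protection: Defender real-time scanning on and signatures fresh.
$mp = Get-MpComputerStatus
$results['d) Real-time protection enabled'] = $mp.RealTimeProtectionEnabled
$results['d) AV signatures under 7 days old'] = ($mp.AntivirusSignatureAge -lt 7)

# e) Patching: at least one update installed in the last 30 days.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
$results['e) Update installed in last 30 days'] =
    ($latest -and $latest.InstalledOn -gt (Get-Date).AddDays(-30))

# Beyond the scheme: the operating system drive should be BitLocker-protected.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['+  OS drive encrypted (BitLocker)'] = ($bl.ProtectionStatus -eq 'On')

# Print a simple scorecard; anything marked CHECK needs attention before assessment.
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { 'CHECK' }
    '{0,-42} {1}' -f $entry.Key, $state
}
```

A CHECK result is a prompt to investigate, not a failure of the scheme itself; for example the Guest and administrator checks only cover local accounts, so domain or Entra ID joined machines need the equivalent query against the directory.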

What you need to do within your business is implement a proper, layered, cyber security strategy that extends on the basics of Cyber Essentials. Whether or not you pay to get accredited under Cyber Essentials is secondary – and there is an argument that businesses time this based on demand from their customers – Cyber Essentials should form the central core of your approach, but as mentioned above, you’re responsible for adding the extra 20% on top of the 80% that Cyber Essentials provides.

We do have a detailed ebook downloadable from our website called Cyber Security & Your Business that goes into far more detail about how you actually do this.