Cyber Essentials: Improving Your Cyber Security as an SME

Cyber Essentials is a Government-backed scheme aimed at helping organisations protect themselves against common Internet-based cyber attacks.  Certification to Cyber Essentials provides reassurance that your organisation’s security controls will protect against the vast majority of common cyber attacks, and will act as a significant deterrent to cyber criminals.

The scheme centres around 5 basic security controls, which are: user access control, security updates, secure configuration, malware protection and firewalls and routers. The implementation of these controls is then verified by a qualified assessor, who will review your completed self-assessment questionnaire (SAQ) to determine whether you are compliant with the scheme and can be awarded certification.

To go on to achieve Cyber Essentials Plus certification, your organisation must already be certified to Cyber Essentials.  The requirements are the same, however gaining the additional qualification will involve a technical expert conducting an on-site or remote audit on your IT systems to confirm the 5 basic security controls are effectively implemented.  Further information can be found in our blog on Cyber Essentials: Frequently Asked Questions.

For many SMEs, Cyber Essentials provides a means of gaining external assurance for their cyber security, without having to take on a significant cost that other standards or certifications come with.  In addition to this, the guidance for achieving Cyber Essentials is free, with a dedicated Knowledge Hub.  The scheme is also designed to be achievable by organisations of any size, but it is especially applicable for SMEs – often more so than it is to large enterprises.

Cyber Essentials enables you to gain clarity over your cyber security posture and build a strong starting foundation for protecting your organisation against cyber attacks.  In their study, DSIT found that 91% of Cyber Essentials users reported that the scheme directly improved their confidence in being protected in the event of an attack.

‍

‍

Cyber security is a constant cycle of improvement, and it is much more straightforward to effectively improve your organisation’s cyber security when working from a solid, established framework – this, perhaps, is part of the reason that 76% of Cyber Essentials users successfully took additional steps, beyond the Cyber Essentials technical controls.  Without initially following a scheme such as Cyber Essentials, it would be difficult to ensure that resources are being effectively applied.

Further to the above, the scheme enables you to verify that you have effective cyber security measures in place, thus allowing you to provide customers and third parties with external assurance of your cyber security practices from a respected source (i.e., the National Cyber Security Centre (NCSC), which developed the scheme and stipulates its requirements).  In their survey, DSIT found that 33% of respondents were actively considering mandating Cyber Essentials of their suppliers in the future, and that 61% were more likely to select a supplier that uses Cyber Essentials.

‍

Certification to Cyber Essentials is perhaps one of the most effective first steps your organisation can take in its cyber security journey, helping you to establish strong security foundations whilst also providing external validation of your cyber security practices.  If you are not taking your first steps, but instead feel you are already ahead your cyber security journey, certification to Cyber Essentials can provide you with the opportunity to review your essential cyber security controls and check how they compare against an established framework.   With increasing numbers of businesses requiring Cyber Essentials certification from their suppliers, and with the high rate of companies reporting improved security confidence following implementation, the scheme represents a valuable investment for SMEs looking to enhance their cyber security posture.