Basic Cyber Resilience for Business: The Cyber Essentials Scheme Approach
Big or small, businesses depend on technology to store customer information, send emails, manage finances online, and operate. Organisations are more connected today than ever, and that connectivity brings serious risks such as cyberattacks. Threats such as hacking, phishing, ransomware, and malware are on the rise, and the global average cost of a data breach has reached a record high of $4.88 million.
One of the most concerning issues is that one in three data breaches involves untracked or ‘shadow’ data. This observation shows how easily businesses can lose control of their information. Small mistakes can damage reputations, lead to legal issues, and result in the loss of money.
Fortunately, the UK’s Government-backed certification scheme, Cyber Essentials, helps deal with this. The Cyber Essentials certification scheme helps businesses protect themselves against the most common types of cyberattacks. It is simple, practical, and designed to set a basic standard for cybersecurity that organisations of any size or sector can follow.
Implementing Cyber Essentials’ five key security controls can help companies block up to 80-90% of basic cyber threats. As a result, businesses with Cyber Essentials in place make 92% fewer insurance claims than those without.
Due to its effectiveness in safeguarding against malicious actors, Cyber Essentials is a requirement for businesses handling personal or financial data seeking to work with the UK Government.
In this article, we provide an in-depth explanation of the Cyber Essentials scheme and its requirements. This can guide companies across all sectors in achieving the certification and help guard against the most common cyber threats.
Before exploring the Cyber Essentials scheme, it’s essential to grasp the concept of cyber resilience and understand its significance in today’s digital landscape.
Cyber resilience is the ability of an organisation to prepare for and respond to cyber events, incidents, or attacks. The UK Department for Science, Innovation, and Technology (DSIT) noted in the Cyber Security Breaches Survey 2024 that hackers successfully targeted 50% of UK businesses in the past 12 months. According to the report, phishing continues to top the list of attack vectors, with 84% of these businesses having experienced such an attack, followed by impersonation attacks (35%) and malware attacks (17%). Those numbers illustrate a significant demand for businesses to be increasingly more proactive in protecting themselves against cyber threats.
Meanwhile, cyber losses can also have a significant financial impact. According to insurance broker Howden, UK businesses have been hit with £44bn in cyberattack damages in the last five years, with an average loss of £1.9m when firms are hacked.
Despite these staggering statistics, many organisations still lack basic cybersecurity practices. For example, only 61% of companies have antivirus software, and 55% have network firewalls. Businesses’ failure to implement basic security controls and routines leaves them open to more advanced threats.
Worse still, the human side of the equation also remains a significant issue. According to Proofpoint’s 2024 State of the Phish report, 67% of UK workers made mistakes that put their organisations at risk. These factors emphasise why companies must invest in holistic cybersecurity training and awareness programmes.
The Cyber Essentials scheme is a government-backed certification that sets a good cybersecurity baseline suitable for all organisations. It is designed to guard against the most common cyber threats.
Cyber Essentials, produced by the National Cyber Security Centre (NCSC), concentrates on five technical controls covering core measures that organisations should be implementing as a priority. The standard controls include:
Figure 1: Cyber Essentials Scheme’s Five Standard Controls
When consistently applied, these measures can stop 80% of common, low-sophistication threats.
Therefore, Cyber Essentials is a straightforward and pragmatic first step towards a level of cybersecurity that your customers can recognise and trust. The certification demonstrates a strong commitment to security, which can instil confidence in customers, partners, and stakeholders. Additionally, certification is often a mandatory requirement for bidding on UK government contracts.
Cyber Essentials certification offers UK businesses both stronger cybersecurity and tangible commercial benefits in the current digital environment. We highlight some of the most important advantages of following the scheme’s recommendations.
Figure 2: Benefits of the Cyber Essentials Certification Scheme
Adopting the Cyber Essentials technical controls helps protect organisations against the most common cyber threats, such as phishing, insider threats, malware, and ransomware.
By focusing on a small set of the most critical security controls, including effective boundary firewalls and internet gateways, secure configuration, access control, and patch management, Cyber Essentials gives small businesses and larger organisations alike a practical way to fight back.
Businesses implementing these measures are 92% less likely to fall victim to attacks and make insurance claims. The scheme provides a proactive strategy that enables companies to protect themselves before they are exposed to vulnerabilities and promotes security awareness companywide.
Cyber Essentials accreditation provides more than technical safeguards: it is a powerful sign of trust to customers, suppliers, and partners. In a world where a single lost data set can ruin a reputation, the certification gives you a competitive advantage and a secure footing for innovation in cloud solutions and cybersecurity. This is a significant differentiator among data professionals.
A government impact assessment found that 69% of certified businesses had won new business, and more than half had increased their reputation and trust with customers thanks to the certification. This confidence level may enhance the client relationship and lead to more secure and profitable partnerships. With increasing organisations requiring cybersecurity accreditation from their suppliers, Cyber Essentials certification offers a great advantage.
The Cyber Essentials certification is rapidly becoming required for businesses seeking to engage with the UK public sector. Procurement Policy Note 14/15 states that all suppliers of contracts involving sensitive information should be certified by Cyber Essentials or Cyber Essentials Plus (Gov.uk PPN 09/14). This policy guarantees that all providers within the supply chain meet a base level of cybersecurity needed to secure public data and government services. Complying with the certification satisfies these conditions and provides the due care for an organisation to be more competitive and compliant in public acquisitions.
Not only does Cyber Essentials certification help to mitigate the risks of cyberattacks, but it can also lead to real financial savings through cyber liability insurance. Certified companies may be offered a readily accessible cyber liability insurance policy. Organisations can then rely on that policy to recover from costs such as data recovery, business interruption, and legal fees.
Insurers see Cyber Essentials as a good indication that an applicant presents a lower risk, and are therefore more likely to offer savings or favourable policy conditions. This two-pronged benefit, improved safety plus financial incentives, shows that certification is both a technical reference point and a sound investment. As cyber insurance prices soar, certification gives a much-needed financial break.
The UK’s National Cyber Security Centre (NCSC) Cyber Essentials scheme offers guidelines for organisations to protect themselves from everyday cyber threats. The scheme is built on five core security controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management.
Because these controls help protect known security gaps, everyone benefits, making them a key feature for all organisations. Consequently, companies that follow these recommendations can significantly minimise the risks of phishing, ransomware, and attacks caused by unauthorised access to systems and networks. What are these five cybersecurity measures?
Most businesses’ cybersecurity relies on firewalls to defend against dangers from the Internet. Sitting between the trusted internal network and external networks such as the Internet, a firewall applies a set of security rules to filter incoming traffic before it reaches the network. Configured correctly, it guards the network against malicious and destructive communications, defending against unauthorised access, break-ins, and data loss.
The National Cyber Security Centre (NCSC) considers boundary firewalls fundamental to protecting network perimeters and ensuring the confidentiality and integrity of data. They allow only the network services you need and block all other connections. Firewalls enforce corporate rules and keep operations running smoothly.
Secure configuration is key in cybersecurity because it reduces an organisation’s chances of being attacked by raising the protection level of its systems and devices. Most hardware and software ship with settings that make them easy to use, not necessarily safe. These defaults can be anything from open ports to administrator accounts with weak preset passwords, or unnecessary components that cybercriminals look to take advantage of.
The National Cyber Security Centre (NCSC) highlights the risks found in newly deployed systems and recommends that companies assess and change these default settings to avoid becoming victims. Firms can achieve secure configuration by removing unnecessary options and user or system rights and by setting reliable password policies. Turning off non-essential settings and removing default applications and APIs can significantly reduce future risk. In addition, configurations must be reviewed and maintained frequently because threats and business conditions are not fixed. This helps prevent unwanted use of the system and protects it from dangerous software.
Access control is essential to ensure that only the right people can access the right resources at the right time. Businesses minimise the possibility of insider and outsider attacks by controlling which people can see specific data or take specific actions. The principle of least privilege, giving each person only the access their task requires, is one of its basic tenets. The NCSC recommends that access be reviewed frequently, particularly when staff move roles or leave the company.
Access control best practices include strong user authentication mechanisms, including multi-factor authentication (MFA), which is particularly important for administrator accounts. Access control also enables account management, like deactivating inactive accounts.
Unfortunately, poor access control practices can result in data breaches or other unwanted activities. Therefore, this security measure is among the most important for regulatory compliance and overall organisation security.
Malware protection is about protecting systems from malicious software created to damage or gain unauthorised access to a computer system. Viruses, worms, spyware, and ransomware are widespread forms of malware that cause data breaches, financial loss, and operational disruption. The National Cyber Security Centre (NCSC) advises using trusted anti-malware software.
Moreover, from a defence-in-depth perspective, the security strategy should include preventing the installation of unauthorised applications through application allowlisting and training staff to spot phishing emails and unsafe downloads.
Notably, there are many ways in which a device can become infected with malware, such as through infected email attachments, malicious websites, or USB thumb drives. That’s why proper staff training and strong usage policies are essential.
Companies that have taken the time to protect themselves with malware protection measures are much less vulnerable to system infiltration. In case of a cyber incident, a plan for quickly isolating and recovering from malware attacks should be activated.
Patch management is the process of acquiring, testing, and installing patches (code changes) on a managed computer system or software application. Outdated software is one of the most common cyberattack vectors.
According to the NCSC, patching known vulnerabilities can nullify the risk of many dormant threats that can develop into full-blown attacks.
One step towards successful patch management is to keep an up-to-date inventory of digital assets, categorise them by importance, and apply updates when they are due, particularly for internet-facing systems. Organisations should also phase out software products that vendors have stopped supporting, since they will no longer receive security updates.
As a recommendation, automating patch management as far as possible can streamline the process and increase its reliability. Testing patches before deployment is also a business continuity concern that should not be overlooked. Indeed, however strong other cybersecurity measures are, they cannot stand effectively where there is little or no patch management; a strong organisation treats patching as a baseline in its IT network.
Applying these five technical measures in the Cyber Essentials scheme will help firms build resilience to the most common cyberattacks. By following these guidelines, organisations can strongly decrease their exposure to many common cyber risks and show their commitment to securing sensitive information.
Business stakeholders must understand the Cyber Essentials scheme before applying for certification. That means understanding the five technical controls set out by the National Cyber Security Centre (NCSC): firewalls, secure configuration, access control, malware protection, and patch management.
It is essential to realise how vital these controls are and how they help overall cyber resilience. Business leaders can start with the official Cyber Essentials introduction, instructions, and checklists from the NCSC. Scrutinising these materials enables stakeholders to understand the scheme’s intentions and determine if certification suits their company.
At the same time, entities without significant IT support or small organisations can discuss with an IT security service provider or a Cyber Essentials Certifying Body. Understanding what is required helps firms finish the certification process easily and efficiently.
After the initial review of the Cyber Essentials scheme, organisations should check whether they meet the programme’s requirements. Working through the five technical controls, business management and IT should review the IT policies, procedures, and systems to determine how well they meet the requirements.
Notably, a gap analysis aims to determine if there are weaknesses, such as old software, weak access points, or poorly configured firewalls. Deciding on a clear action plan and ranking the tasks to enhance your security posture is necessary.
Organisations with limited cybersecurity resources can make effective use of tools or specialist services offered by many certification bodies and IT companies to help conduct the gap analysis. The results of this analysis will clearly outline the activities needed to make your company Cyber Essentials compliant. Identifying gaps through a detailed analysis allows companies to stay compliant, avoid a rejected submission, and build better cyber hygiene.
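As an added illustration of the gap analysis described above (this is example code written for this article, not NCSC or certification-body tooling), the script below checks a constructed asset inventory against the five controls and returns findings ranked by severity, so the remediation tasks can be prioritised as the text suggests. The thresholds (90-day dormant accounts, 14-day patch window, weekly anti-malware updates, HTTPS as the only exposed service) and every host, account and patch id are assumptions made for the example.

```python
from datetime import date

TODAY = date(2025, 1, 31)      # fixed so the example is reproducible
INACTIVE_DAYS = 90             # assumption: deactivate accounts unused this long
PATCH_WINDOW_DAYS = 14         # assumption: deadline for critical/high patches
SIGNATURE_MAX_AGE_DAYS = 7     # assumption: anti-malware must update at least weekly
ALLOWED_INBOUND = {443}        # assumption: only HTTPS may be exposed to the internet
SEVERITY = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory; the hosts, accounts and patch id are not real.
INVENTORY = {
    "devices": [
        {"name": "edge-fw", "firewall_on": True, "default_password": False,
         "inbound_rules": [{"port": 443, "src": "any"}, {"port": 3389, "src": "any"}],
         "antimalware": {"installed": True, "updated": "2025-01-30"},
         "software": [{"name": "RouterOS", "supported": True}], "pending_patches": []},
        {"name": "laptop-7", "firewall_on": False, "default_password": True,
         "inbound_rules": [],
         "antimalware": {"installed": True, "updated": "2024-10-01"},
         "software": [{"name": "Windows 7", "supported": False}],
         "pending_patches": [{"id": "PATCH-PLACEHOLDER-001", "severity": "critical",
                              "released": "2024-12-20"}]},
    ],
    "accounts": [
        {"user": "admin", "admin": True, "mfa": False, "last_login": "2025-01-28"},
        {"user": "j.doe", "admin": False, "mfa": True, "last_login": "2024-09-01"},
    ],
}

def days_since(iso, today):
    return (today - date.fromisoformat(iso)).days

def analyse(inv, today=TODAY):
    # Returns (severity, control, asset, message) tuples, worst severity first.
    f = []
    for d in inv["devices"]:
        # Control 1: firewalls (host firewall on, nothing unexpected exposed)
        if not d["firewall_on"]:
            f.append(("high", "firewall", d["name"], "host firewall disabled"))
        for r in d["inbound_rules"]:
            if r["src"] == "any" and r["port"] not in ALLOWED_INBOUND:
                f.append(("high", "firewall", d["name"], f"port {r['port']} open to the internet"))
        # Control 2: secure configuration (vendor defaults changed)
        if d["default_password"]:
            f.append(("high", "secure-config", d["name"], "default password still set"))
        # Control 4: malware protection (installed and kept current)
        am = d["antimalware"]
        if not am["installed"]:
            f.append(("high", "malware-protection", d["name"], "no anti-malware installed"))
        elif days_since(am["updated"], today) > SIGNATURE_MAX_AGE_DAYS:
            f.append(("medium", "malware-protection", d["name"],
                      f"anti-malware {days_since(am['updated'], today)} days out of date"))
        # Control 5: patch management (unsupported software, overdue patches)
        for s in d["software"]:
            if not s["supported"]:
                f.append(("high", "patching", d["name"], f"{s['name']} is no longer supported"))
        for p in d["pending_patches"]:
            overdue = days_since(p["released"], today) - PATCH_WINDOW_DAYS
            if p["severity"] in ("critical", "high") and overdue > 0:
                f.append(("high", "patching", d["name"], f"{p['id']} overdue by {overdue} days"))
    for a in inv["accounts"]:
        # Control 3: access control (MFA on admin accounts, dormant accounts removed)
        if a["admin"] and not a["mfa"]:
            f.append(("high", "access-control", a["user"], "admin account without MFA"))
        if days_since(a["last_login"], today) > INACTIVE_DAYS:
            f.append(("medium", "access-control", a["user"], "inactive account not deactivated"))
    return sorted(f, key=lambda x: (SEVERITY[x[0]], x[1]))

if __name__ == "__main__":
    for sev, control, asset, msg in analyse(INVENTORY):
        print(f"[{sev:6}] {control:18} {asset:9} {msg}")
```

Running it against the sample inventory produces eight findings, six of them high, with the 3389 exposure, the unsupported operating system and the overdue critical patch among those to fix first.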
Figure 3: The Cyber Essentials Certification Roadmap
After weaknesses are found, firms should make the proper changes to their practices, policies, and technology to comply with Cyber Essentials. As a result, they may need to update their software, use strong passwords, set up firewalls, add MFA, and develop a way to apply patches regularly.
At the implementation stage, IT staff are expected to communicate closely with business leaders to design and enforce changes that support and align with the company’s operations and cybersecurity strategy. Adhering to the new policy could involve a few system adjustments or a need for network redesign. Advice from the NCSC and certified certification bodies may assist the organisation in understanding the technicalities and best practices for security at this stage.
It also helps to keep a record of all the changes so that business stakeholders can review them later when assessing progress. Organisations with strong cybersecurity controls are ready for certification and can keep cyber threats at bay over time.
Once the appropriate mechanisms are in place, the business must complete the Cyber Essentials questionnaire. The questionnaire is a formal declaration that the organisation complies with the technical requirements of Cyber Essentials. It assesses how the five security controls have been implemented within the company’s IT infrastructure.
The questionnaire is usually administered via an online self-assessment portal administered by a licensed certification body. It must be signed off by a senior member within the company, such as a director or equivalent. The replies should be unambiguous, uniform, and based on correct data collected during the implementation. Responses with errors or omissions may be returned for correction or rejected.
Some certifiers also provide pre-checks or advisory services to analyse responses before you submit them and make any necessary corrections and recommendations. Completing the form demonstrates the organisation’s dedication to cybersecurity and paves the way for certification.
The last stage of getting Cyber Essentials certification is to submit the complete self-assessment questionnaire to an appointed Cyber Essentials certification body for assessment. After submission, the certification body reviews the answers.
If the questionnaire is passed, the company will receive the Cyber Essentials certificate, which is valid for 12 months. This accreditation shows the government and suppliers that the organisation takes the minimum basic standards seriously and is part of, or may become part of, supply chain assurance.
If the submission fails, the certification body generally provides feedback, and the organisation has an opportunity to remedy the issues and resubmit. Some organisations may prefer Cyber Essentials Plus, which adds a technical audit to the self-assessment. At either level, certification demonstrates that an organisation takes its cyber hygiene seriously, which can increase customer confidence, help meet regulatory requirements, and even secure lower insurance premiums, making it an investment worth considering.
Cyber Essentials Plus is available for organisations that need greater cyber assurance, providing a higher certification level. Where standard Cyber Essentials is based on a self-assessment questionnaire, Cyber Essentials Plus requires an independent assessment of the technical controls carried out by the certification body. This audit uses vulnerability scans and direct on-site or remote system tests to confirm that the five critical technical controls are deployed and functioning correctly.
The testing is conducted against common threat scenarios, including phishing simulations, configuration testing of endpoints, and patch attestation. According to the UK National Cyber Security Centre (NCSC), Cyber Essentials Plus also certifies that an organisation has taken the necessary security precautions to reduce the cyberattack risk and mitigate the effects should an attack occur, and an independent assessor attests to the measures.
Cyber Essentials Plus benefits businesses in high-risk industries or those that handle large amounts of sensitive data, including those in healthcare, banking, or the government supply chain. PPN 09/14 has mandated Cyber Essentials certification for suppliers handling certain types of sensitive information, and Cyber Essentials Plus is increasingly considered the standard for critical contracts. Furthermore, Cyber Essentials Plus-accredited businesses may receive a discount on cyber insurance premiums, with insurers interpreting the certification as a sign of mature security hygiene.
What’s more, organisations undergoing the Cyber Essentials Plus audit uncover more vulnerabilities and receive a more detailed plan for enhancing their cybersecurity, as IASME notes. More than 31,000 UK companies were certified in Cyber Essentials in 2023, and an increasing proportion have since gone further to strengthen assurance and establish trust in their security. Essentially, Cyber Essentials Plus offers a straightforward yet more advanced approach to strengthening your overall cyber resilience and trust across your supply chain.
Cyber threats are increasing and becoming more complex, jeopardising small and large enterprises in the private and public sectors. By following Cyber Essentials practices, a company can be better prepared to resist frequent and threatening cyberattacks.
Properly setting up firewalls, maintaining a secure configuration, controlling access, using malware protection, and patching rapidly protects a company and reduces the risk of ransomware, phishing attacks, and costly data breaches. Along with technical benefits, Cyber Essentials certification proves to customers, partners, and investors that maintaining strong data security is essential for the organisation. Receiving this credential gives a business more credibility and adds to its trustworthiness. Moreover, it allows companies to follow rules related to cybersecurity and participate in government contracts that require Cyber Essentials certification. When cyber threats can easily destroy a business and its reputation, the Cyber Essentials certification offers a tested and reliable safety scheme for enhancing your cybersecurity posture.