Cyber Essentials for Small Businesses

Cyber Essentials for Small Businesses

You hear so much on the news and on social media about cyber attacks. But if you’re the owner of a business, what is the best way that you start your cyber security journey and get your business protected?

The one thing I recommend to all of our customers is to get the Cyber Essentials certification.

In this blog, you’re going to learn all about Cyber Essentials. We’ll cover what Cyber Essentials is, the two different certification levels and the approx cost of certification. We’ll also talk about the benefits that Cyber Essentials will bring to you business and some of the things to be aware of when it comes to the certification.

 

What is Cyber Essentials?

So what is the Cyber Essentials scheme?

Cyber Essentials was launched in 2014 and is a simple, yet effective Government-backed scheme that can help protect your business from a wide range of common cyber attacks.

The scheme is available to businesses of all sizes. So whether you have a couple of laptops or a few hundred computers in multiple offices, the scheme can still benefit your security.

 

Cyber Essentials Levels of Certification

Cyber Essentials has two levels of certification. These are; Cyber Essentials and Cyber Essentials Plus.

So what is the difference between the two?

The standard Cyber Essentials is an annual self-assessment certification. So what that means is that you, usually along with your IT provider will fill out the questionnaire about your IT setup and then send the completed questionnaire to a specialist Cyber Essentials assessor.

If the answers that you’ve provided are compliant with the scheme, then you will be awarded the Cyber Essentials certification.

Because the basic Cyber Essentials certification is a self-assessment, some people believe that it doesn’t hold much value.

The Cyber Essentials Plus certification on the other hand includes the self assessment but also includes an certified assessor testing your network to confirm the answers you have provided are correct.

So someone is actually going to test your IT network and policies to ensure that you really do have the controls in place.

That is why the Cyber Essentials Plus scheme is considered more valuable than the basic one.

 

How much does Cyber Essentials cost?

The cost for the scheme can vary depending on a few factors.

The Cyber Essentials self assessment questionnaire and certificate cost approx £350.00 per year.

For this fee, you will get access to your questionnaire.

If you’re a business without in-house technical knowledge, you will probably need the help of your IT company to complete the questionnaire on your behalf. There might be an additional charge for this consultancy.

For example, Integral IT usually charges approx £300 - £400 for the consultancy service.

For the Cyber Essentials Plus certification, you still need to go through the basic certification and pay those fees and then you would also need to pay for the assessor’s fees to test your network.

These fees will start from approximately £1200.00 + VAT. The actual cost might depend on the size of your business.

Having said all that, these charges only cover the certification itself. There might be a chance that you fail some of the controls and need to invest in hardware, software or an additional service to get you compliant.

 

What does Cyber Essentials test?

Without getting too technical with this blog post, Cyber Essentials consists of 5 basic controls:

Firewalls and Internet Gateways

This section looks at what firewalls are protecting your network. Cyber Essentials will test that you have a decent firewall and that it is set up and configured correctly to protect your network.

If you’re a business working from home, then it will be your home routers that will be tested.

Each computer will also be tested to ensure that they have a software firewall installed and working.

Real-world example. When a new router/firewall is purchased, it always has a simple default password so people can log onto it to configure it. This password is usually something like admin or 123456. It has to be changed when it is configured otherwise a hacker can easily log onto it. I have seen so many occasions when it hasn’t been changed.

 

Secure Configuration

The second control is called Secure Configuration and in this section, we’d be looking at the configuration of your Servers, PC, laptops and even mobile devices.

When computers are first installed, they are not secured. For example, they can contain lots of pre-installed software that isn’t required and can become a security risk. They can also contain user accounts that aren’t required.

Also, in this section, the quality of your passwords will be tested to ensure that they are strong enough.

Every member of your business should have a unique password with a minimum to 8 characters.

Real-world example. I recently completed a Cyber Essentials audit for a care home in Harrogate. Everyone used the same password to log onto each computer. In addition, a post-it note was attached to every computer with the password written on.

 

Patching and Updates

The third control is called Patching and Updates.

Firstly, you’ll be tested to ensure that all of your devices are still under support. So, for example if you’re running any Windows 7 computers, you will fail the audit.

But also, if you’re running a Windows 10 version that is no longer under support, you will also fail the audit.

Secondly, are all of your servers and computers up to date with the latest patches. This is one of the areas that I see failing when we onboard new customers. Their devices have often not had any updates in months.

Also, if your team members use their personal mobiles for any form of work - for example their work email. Then these devices would fall under scope. So you need to make sure their mobiles have the latest Apple or Android software installed.

Real-world example. Lots of people know that Windows 7 shouldn’t be used in businesses because it’s end of life. However, just because you are using Windows 10, it doesn’t mean you are safe. Windows 10 has different versions and some of these versions are now end-of-life too.

 

Access Control

The fourth control is Access Control.

There are several things that will be checked here.

Firstly, when you are using your computer, you can have different levels of access. You can have a standard user account - that means that when you try and install software etc, you will be asked to enter some admin details.

On the other hand, your user account could be at admin level. That means you have full access to do whatever you want on the computer.

The problem is, if your user account has full admin access it will mean that if you are hacked, the hacker will also have full admin access and can cause much more damage.

So everyone inside of your business should use standard user accounts to perform their day-to-day activities. Admin accounts should only be used when admin tasks are needed.

In addition to this check, we would also look at your process for new starters and leavers.

A common thing that I see when I check businesses is that some users who have left the businesses months or even years ago, still have active user accounts on the network and a live email address. They could potentially be still accessing the company network remotely. This is not a good thing.

All that is covered under Access Control.

Real-world example. We recently conducted a cyber essentials audit for a law firm. Everyone in the business had administrator access to their computers. When we checked the ‘live’ accounts, there were people with network logins and email addresses who left the business over 3 years ago.

 

Malware Protection

The fifth and final control is called Malware Protection.

Malware is created by hackers in order to try and steal or damage your company data.

It’s important that every device in your organisation has robust anti-malware software installed and again, that it is configured correctly.

I’ve seen instances before where antivirus software was installed, but the license had expired so there wasn’t any protection against new malware threats.

Real-world example. Every device in the business needs to have antivirus software installed. In a cyber essentials audit we completed for a manufacturing plant, all of the PCs had anti-virus software installed, but the 6 servers didn’t have any software installed.

 

What are the benefits of Cyber Essentials?

There are so many benefits for your business to achieve the Cyber Essentials accreditation. Here are four great benefits:

  1. You are showing your customers that you take Cyber Security seriously. Make no mistake about it, a serious cyber breach in your business will lead to lost customers and lost revenue. If I used a law firm and found out that they’d had a ransomware attack, it would make me rethink my working arrangements with them.
  2. Secondly, if you are wanting to pursue new business opportunities in the government, local council or other public sector organisations, then you would have to have the Cyber Essentials certification.
  3. Another benefit is that you’re putting cyber essentials onto your business agenda. I always say that cyber security isn’t an IT problem, it’s a business problem. Cyber Essentials can be a way to get everyone in your organisation involved and knowledgeable about cyber threats.
  4. The fourth benefit is that you can get peace of mind that your IT is actually set up securely and that you’re not at risk. You might think that you already have an IT company that you trust and that is great - but IT is so important to your business that it makes good business sense to have independent verification. I think we’re moving towards a scenario where every business has an IT company/department and a cyber security company.

 

What Cyber Essentials is NOT?

I emphasised at the start of this blog that Cyber Essentials is a great starting point in your Cyber Security journey.

The key word here though is: Essentials. This certification covers the very basics to prevent an unsophisticated Cyber Attack.

Just because you achieve the accreditation, it doesn’t mean that you are immune from cyber attacks or that you have robust cyber security in place.

There are lots of controls that are missing from the Cyber Essentials framework. For example, backup of your data isn’t included.

Your business could have no backup in place at all and you could still pass the Cyber Essentials framework. However, backup is a key component to recovering from a cyber attack such as ransomware.