The government’s Cyber Essentials certification is a voluntary scheme aimed at helping thousands of UK businesses to improve their cybersecurity. It encourages firms to take a closer look at their systems, policies and procedures, providing a vital opportunity to make improvements to align them with current best practices. And it’s increasingly seen as an important sign of good governance and risk management; depending on the industry, we’ve seen customers, investors, insurers and supply chain partners demanding certification from businesses they’re involved with.
It is possible to tackle the requirements and work towards certification as an IT department or leadership team without outside help. But few would recommend it. Meeting the criteria can be complicated and time-consuming, not to mention the work of fixing any issues identified along the way. For Neos-IT clients, the good news is we’re Cyber Essentials Plus and ISO27001 accredited and automatically choose to work in a way that aligns with those standards. So, most clients are likely to be Cyber Essentials compliant or very close to compliant anyway.
We’re getting asked more and more about Cyber Essentials and Cyber Essentials Plus, so here’s a handy guide to what your business needs to know, where the value usually is, and how we work with clients, so you’ve got everything at your fingertips.
What are Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a set of basic controls the Government says all organisations – regardless of size or sector – should have in place to protect against common cybersecurity threats. It also demonstrates a tangible commitment to good cybersecurity to customers, suppliers and other stakeholders. It’s also literally essential for any business bidding for government contracts that involve handling sensitive or personal information.
Backed by the Federation of Small Businesses, the CBI and a number of insurers, certification comes in two forms: Cyber Essentials and Cyber Essentials Plus.
Cyber Essentials is self-assessed, covering measures against common vulnerabilities, whereas Cyber Essentials Plus is verified by a third party. The protections you need to put in place are the same across both schemes; the difference is in how rigorously you are assessed against those protections. Because Cyber Essentials Plus is third-party verified, it can carry more weight for stakeholders.
Why is Cyber Essentials so valuable to businesses?
We recommend nearly every business we work with goes through Cyber Essentials certification because it reveals gaps in your defences, which we, as your cybersecurity partner, can then work to close. More specifically, we see three issues crop up when we go through the process with Neos-IT clients, showing the clear value:
1. Procedures are in place, but there are no written policies
Cyber Essentials requires committing policies and procedures to paper. When we work with Neos-IT clients (who, as we’ve said, are likely to already be operating in a CE-compliant way), a common missing component to passing certification is documenting policies. That includes things like how you manage information, how approvals and access rights are granted, and how account permissions are set. We follow best practice processes around those areas, but Cyber Essentials gives our clients an opportunity to look at internal behaviours and communication. Do internal teams know your password policy, for example? Do they know how you want them to manage devices? It’s a chance to document and enforce policies and procedures internally, as well as having them baked into how we already manage systems.
2. Multi-factor authentication (MFA) may be missing on some applications
Another perennial gap that gets revealed in the Cyber Essentials process is missing MFA. The things we have access to on behalf of clients, such as Microsoft 365, are usually not an issue because we operate compliantly. But for other line-of-business cloud applications (things like CAD applications) we may not be as involved in managing access controls and policies. Cyber Essentials turns a spotlight on these kinds of gaps so we can decide together how to implement better security hygiene and make sure these kinds of vulnerabilities are dealt with effectively.
3. Role-based access controls are unclear
When we say ‘role-based access controls’, we mean the principle of granting only the lowest level of access needed for a particular job role. It tightens the business’s grip on who has access to what, limiting the reach of things like phishing attacks or staff errors. We help future-proof Neos-IT clients by mapping out what information and systems different roles across the business need access to. For instance, if you’re in finance, you need access to accounts data and applications; if you’re in HR, you probably don’t need access to customer and sales data, and so on. This helps with understanding your current position (how vulnerable you might be if access fell into the wrong hands) but also sets you up for the future. So, when you onboard a new starter, you don’t have to manually select what access they’ll need; you can look up what permissions should be granted based on their job profile.
Having this reference also saves time and simplifies management, as well as supporting compliance with Cyber Essentials standards. It also makes IT more scalable as the business grows or changes shape. This is also something we at Neos-IT offer as part of our Virtual CIO service, but assessing role-based access controls will come up as part of Cyber Essentials certification anyway.
How does Neos-IT work with clients to achieve certification?
We can take on the responsibility of meeting Cyber Essentials requirements for our clients. This saves time and internal resources for certification that is renewed annually, but also makes sense because we can populate most of the criteria with our working knowledge of our clients’ network arrangements, password controls, etc. We try not to overly involve clients in the process because, if we manage their IT, we should know them well enough to fill everything out. But it also gives both sides a good opportunity to review and tighten up policies and processes. We look to put our clients in the best possible position – not just tick the boxes – so they’re as secure as they need to be, not just Cyber Essentials compliant.
We’ve also got the experience to advise on mitigation controls as part of Cyber Essentials. If you have an old application that’s no longer supported or patched by the developer (but you still need to be able to use it), you’d automatically fail Cyber Essentials. We can put the application in its own segregated network (a VLAN), isolated from the rest of your systems, overcoming what would otherwise be a point of failure and making its use more secure.
Cyber Essentials is constantly evolving to keep pace with the latest threats and emerging best practice. You can rely on Neos-IT to keep up with those changes and to redefine the scope of client work to match. Recently, for instance, cloud and remote working came into scope, and we’ve responded.
We’re also Cyber Essentials Plus certified ourselves and we’ve been successfully helping clients to get certified for some time now. Doing Cyber Essentials in-house means learning a lot – it can be incredibly time and resource intensive – to get a yearly certification. Why bother? With Neos-IT, you can get on with living and breathing the best practices it contains, rather than dealing with the admin burden of the process of achieving it. Get on with operating in a secure way and leave it to us. Contact us to find out more about Cyber Essentials.