
Why Cyber Essentials certification is important for SMBs

Yann News, Services 15 minutes

In recent years, it has become increasingly important for businesses to secure their IT systems to reduce the chance of falling victim to a cyberattack. In the UK alone, 39% of businesses were targeted by a cyberattack in the last 12 months. Whilst most newsworthy cyberattacks target large businesses and enterprises, it is just as common for small businesses to be attacked as they are less likely to have invested in securing their IT systems. For this reason, all Cyber Essentials.

What is a Cyber Essentials certification?

Cyber Essentials is a UK Government-backed scheme designed to protect organisations against various common cyberattacks. There are two levels of certifications: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials is a self-assessment, ensuring businesses have controls to protect against the most common cyberattacks. Cyber Essentials Plus is a more in-depth certification and includes hands-on technical verification.

The Cyber Essentials certification covers many areas, including firewalls, secure configuration, user access control, malware protection, security update management and more. The certification lasts 12 months and is regularly updated to protect businesses against novel attack methods.

Here are 4 key reasons why you need to have Cyber Essentials:

  1. Protection – Cyber-attacks are on the rise, and your staff may not be as aware of cybersecurity as they should be. With things changing constantly, keeping them up to date is hard. Without a robust security solution, your data is vulnerable to criminals. Cyber Essentials prevents over 80% of the most common computer security breaches. It aims to provide businesses with a strong base to reduce the risk from these prevalent but unskilled cyber-attacks.

  2. Assurance – Achieving Cyber Essentials certification demonstrates to your customers, suppliers and other partners that you take data security seriously. It is a quick way to show that you have done your due diligence and are putting controls in place to protect information. This gives them more confidence to trust you and encourages them to work with you.

  3. Compliance – You are legally required to protect the data you hold within your business, particularly if it belongs to clients/customers, whether these are existing or previous. The introduction of the General Data Protection Regulation (GDPR) in May 2018 means that you must have solutions in place to protect that data and be able to demonstrate these.

  4. Opportunity – Achieving Cyber Essentials can allow you to bid for contracts that involve handling sensitive information and providing certain technical services. The UK Government has set a good example for UK businesses, highlighting the importance of a secure supply chain for ongoing business. Not only does this defend the integrity of government information, it could even give your company a competitive advantage when bidding for public sector tenders. Cyber Essentials is fast becoming a prerequisite for business because the certification provides third-party assurance of the company’s cyber security.

The importance of cybersecurity for SMBs in 2022

All small businesses risk falling victim to a cyberattack, with the most common cyberattacks being phishing, data breaches and ransomware attacks. All of these attacks can be devastating for businesses, both in terms of the cost of remediation and the costs associated with damages to a business’s reputation.

Thankfully, many of these attacks are carried out by relatively unskilled cybercriminals and, therefore, can be stopped by implementing basic security controls. With a Cyber Essentials certification, these attacks are no longer viable.

Benefits of a Cyber Essentials certification for SMBs

Reduce the chance of falling victim to a cyberattack

The overall goal of Cyber Essentials is to reduce a business’s cyber risk. As the assessment covers most attack surfaces and the associated technical security controls, Cyber Essentials covers all the bases to protect from 80% of common cyberattacks. Although cybercriminals use constantly changing methods, these technical controls will typically stop novel attack methods, especially if they are not highly targeted.

Gain a competitive advantage

For small businesses within competitive industries, a Cyber Essentials certification can be a way to stand apart from the competition. The certification shows that your business takes security seriously, and any customer, either consumer or corporate, doing business with you is less likely to have their data exposed in a breach. After a business obtains its Cyber Essentials certification, it can also display the certification badge on its website and other marketing materials.

Find new business opportunities

A Cyber Essentials certification is mandatory for businesses considering submitting a bid for a contract with the NHS, Ministry of Defence, and UK Government. Many private sector businesses also seek the Cyber Essentials badge of approval when seeking new suppliers.

Improve credibility and reputation

The technical controls necessary to obtain a Cyber Essentials certification are relatively simple to implement, and the self-assessment is a quick and easy process. This simple and affordable certification can add significant value to a business as it improves credibility and reputation. Cyber Essentials shows that a business is committed to protecting its customers’ data and taking action to reduce the chance of falling victim to a cyberattack.

Free Cyber Liability Insurance

Once a business has obtained its Cyber Essentials certification, it is automatically entitled to free Cyber Liability Insurance with an indemnity limit of £25,000. This also gives businesses access to a 24-hour hotline to report a cyber incident, which will provide crisis management and incident response. For businesses that do not already have cyber insurance, this is a perfect option to recover from a small breach or incident. Many cyber insurance providers will also give discounts to Cyber Essentials-certified businesses.


What are the five main controls in Cyber Essentials?

1. Firewalls

This control applies to every business where employees can access the Internet. Internet gateways and firewalls identify and block unwanted traffic before it reaches your network, computers and systems. The controls you need to apply include changing default/admin passwords, ensuring firewall rules are properly configured, and similar measures.

2. Secure Configuration

A new computer or piece of software is rarely securely configured out of the box. This means that if you carry on using a device on its default settings, it is exposed to cyber risks. All computers and network devices should be configured securely to reduce risk. This includes removing or disabling unnecessary software and changing default settings and passwords.

3. Access Control

Many data and cyber breaches result from the abuse of administrative user accounts within a business. Organisations should grant special access privileges only to the individuals whose roles and responsibilities require them. Companies can manage this through several controls, such as issuing unique usernames and passwords and keeping all account information in a secure, protected location.

4. Malware

Where computers and systems are exposed to the internet, they must be protected from malware. Malware is a program or virus written with the intent to perform unauthorised actions on one or more computers. At a minimum, organisations should protect all computers connected to the internet via cable or wireless. Other actions include keeping anti-malware software up to date and scheduling regular (daily) full scans to ensure early malware detection.

5. Patch Management

As with any software, regular updates are released to address security issues, add features and improve performance. Any vulnerability in software that has not been updated becomes a weak spot that can be used to gain access to networks and computer systems. Organisations and businesses should ensure the following: remove out-of-date (unsupported) software, and apply all security patches as soon as they are available and no later than 14 days after release. For our clients, we use a specialist software suite that keeps the patches up to date on all supported devices.
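As an added example (not from the article or from the company's patching suite), a small Python check that applies the 14-day rule to a constructed software inventory: it flags installs where a security fix has been available for more than 14 days without being applied, and flags unsupported software for removal. The field names, device names and package names are assumptions.

```python
"""Patch-age check against the Cyber Essentials 14-day rule.

Added example: takes a constructed inventory (one row per installed
package per device) and reports installs that are outside the window
for applying security updates, plus unsupported software. The field
names and sample data are assumptions, not a real inventory format.
"""
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW = timedelta(days=14)  # security patches applied within 14 days of release

@dataclass(frozen=True)
class Install:
    device: str
    package: str
    installed_version: str
    latest_version: str
    fix_released: date   # release date of the latest security fix
    supported: bool      # vendor still ships security updates

def assess(inst: Install, today: date) -> str:
    """Return 'ok', 'pending' (fix not yet applied but still inside 14 days),
    'overdue' (fix older than 14 days and not applied) or 'unsupported'."""
    if not inst.supported:
        return "unsupported"        # out-of-date software must be removed
    if inst.installed_version == inst.latest_version:
        return "ok"
    age = today - inst.fix_released
    return "overdue" if age > WINDOW else "pending"

def overdue_report(inventory, today):
    """Group non-compliant installs by device: {device: [(package, status)]}."""
    report = {}
    for inst in inventory:
        status = assess(inst, today)
        if status in ("overdue", "unsupported"):
            report.setdefault(inst.device, []).append((inst.package, status))
    return report

# Constructed sample inventory (not real data)
INVENTORY = [
    Install("LAPTOP-01", "browser", "118.0", "118.0", date(2023, 10, 10), True),
    Install("LAPTOP-01", "pdf-reader", "22.1", "22.3", date(2023, 10, 20), True),
    Install("SERVER-01", "web-server", "2.4.50", "2.4.57", date(2023, 9, 1), True),
    Install("SERVER-01", "legacy-db", "5.5", "5.5", date(2019, 1, 1), False),
]

def sample_report():
    """Run the check against the sample inventory as of a fixed date."""
    return overdue_report(INVENTORY, date(2023, 10, 25))

if __name__ == "__main__":
    for device, items in sample_report().items():
        print(device, items)
```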

How we can help

For businesses not well versed in cybersecurity, it can be difficult to implement the technical controls necessary to obtain a Cyber Essentials certification. We can help your business implement the technical controls and provide additional security services to reduce the chance of falling victim to a cyberattack.

To achieve Cyber Essentials, we can assist your business in preparing and answering a questionnaire, which will be reviewed and verified by a Certification Body Assessor. 

Before filling out the questionnaire, we can assist in ensuring that all devices within the scope of the assessment (any PCs, laptops, mobile phones, tablets or servers that handle company data) are compliant with the Cyber Essentials standard.

We also offer Cyber Essentials Plus (CE+), which builds on the entry-level CE certification. The protections you need to implement are the same, but CE+ goes a step further. While CE is a self-certified written assessment, CE+ includes a hands-on technical verification from our security auditors.

To find out more, contact us today.
