
About Cyber Essentials

Cyber Essentials is a simple and effective Government-backed scheme, supported by industry experts and the Cyber Resilience Centre.

The scheme helps you put measures in place to protect your organisation, regardless of size or sector, against a range of the most common cyber-attacks.

This includes protecting against threats such as malware, ransomware and phishing.

Cyber Essentials can be achieved through two levels of certification:


Cyber Essentials

The first tier is a self-assessment against the five basic technical controls, which is then verified by a qualified assessor.

This covers whether you have boundary firewalls in place, configure your devices and services securely, apply security updates promptly, control user and administrator accounts (including multi-factor authentication on cloud services), and run malware protection.

Achieving Cyber Essentials allows you to:

Demonstrate a commitment to cyber security to your customers and clients, with a certificate and badge to display on your premises and website.

Make your organisation more resilient against the most common forms of cyber-attack.

Have peace of mind knowing that the basic controls are in place and your defences are more robust, should a cyber-attack occur.

Pursue further business opportunities: Cyber Essentials is a requirement to tender for certain government contracts.

Be eligible for free cyber insurance cover of up to £25,000 (subject to the scheme's eligibility criteria).

Have your certificate listed on the NCSC website, which displays Cyber Essentials certificates issued in the previous 12 months.

Win more business with the assurance that you take cyber security seriously.

You can achieve Cyber Essentials with the help of our partners.

Our Cyber Essentials Partners are official providers of Cyber Essentials and Cyber Essentials Plus certification.

Cyber Essentials Plus

The second tier is Cyber Essentials Plus. It covers the same five controls, but instead of relying on your self-assessment alone, an independent assessor carries out hands-on technical tests of a representative sample of your devices and internet-facing systems, such as vulnerability scans, checks of installed security updates, and tests of whether your malware protection blocks test files delivered by email and by browser download.

Successful Cyber Essentials Plus certification provides a higher level of assurance that your organisation has correctly implemented the controls and maintains a robust defence against common cyber-attacks.

With Cyber Essentials Plus, you can:

Demonstrate a commitment to cyber security to your customers and clients, with an enhanced certificate and badge to display on your premises and website.

Attract new business with the assurance you have cyber security measures in place.

Attract new government contracts that require Cyber Essentials Plus certification.

You can achieve Cyber Essentials Plus with the help of our partners.

Frequently Asked Questions about Cyber Essentials

  • What is Cybersecurity?
    The protection of devices, services and networks — and the information on them — from theft or damage. Download the Small Business Guide to Cyber Security.
  • How much is the Cyber Security sector worth in the UK?
    The UK’s cybersecurity sector is now worth an estimated £8.9 billion.
  • Where do I start with Cyber Security?
    It's important to understand the basics and why cyber security is important to all businesses regardless of size or sector. Download our Cyber Security Guide for Small Businesses and start your journey by becoming a free member of the Cyber Resilience Centre.
  • How do I protect my business from cybercrime?
    If you understand the basics of cyber security, but you're ready to learn more about the practical steps you can take next then we'd encourage you to become a member of the Cyber Resilience Centre or learn more about our affordable services.
  • What is a Cyber Incident?
    A breach of the security rules for a system or service. Most commonly this means: attempts to gain unauthorised access to a system and/or to data; unauthorised use of systems for processing or storing data; changes to a system's firmware, software or hardware without the system owner's consent; or malicious disruption and/or denial of service. We have created a Cyber Incident Response Pack, which contains documents to help your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.
  • How do I respond to a cyberattack on my business?
    At the Cyber Resilience Centre, we have access to trusted specialist cybercrime investigators who can support you during an attack and recover digital forensic evidence to help identify who is responsible. We have created a Cyber Incident Response Pack, which contains documents to help your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.
  • What is a Vulnerability Assessment?
    A vulnerability assessment is the process of identifying known weaknesses in your systems, usually with scanning tools, and ranking them so that the most serious can be fixed first. It can be host-based, network-based, wireless, application-level or within your database.
  • How can I stay Secure from the Most Common Vulnerabilities?
    A vulnerability assessment of your website (web application) addresses the most common exposures, because websites are public by design: they exist to serve anyone with internet access, which also makes them a primary target for attackers. Note the difference from a penetration test (pentest): an assessment identifies and reports weaknesses, whereas a pentest goes further and attempts to exploit them to show what an attacker could actually achieve. Fixing the findings promptly, and keeping the underlying software and plugins updated, is what reduces the risk.
  • What are the biggest myths in Cyber Security?
    In the world of cybersecurity and cybercrime, there are a lot of myths, misconceptions and rumours shared between business owners and employees. The ones we hear most often are: small and medium-sized businesses aren't targeted by hackers; cybercriminals are more interested in larger companies; businesses must buy expensive hardware or software to implement effective cyber security; my business has nothing worth protecting from cyber-attacks; password managers are unsafe and a risk to my business; and public wi-fi is safe to use, just like any other wi-fi network. Read our Cyber Security Mythbusting Guidance
  • What cyber security risks does the recruitment sector face?
    Sensitive data management: a lot of the data stored in recruitment is Personally Identifiable Information (salaries, gender, contact details, job descriptions, previous employers, references, etc.). It is therefore critically important that only those who are authorised can access it. This means ensuring all accounts have strong, unique passwords and Multi-Factor Authentication enabled. Best practice would also be to implement data classification and data loss prevention tooling to stop sensitive data leaving your organisation, whether intentionally or accidentally.
    Phishing attacks and malware (email attachments): as a recruiter, you will receive vast numbers of CVs as email attachments. Any one of these could be disguised malware, so you need to stay vigilant in checking them. The same goes for hiring managers and finance staff of recruitment businesses, as these staff and departments are also more likely to receive malicious email attachments.
    Remote working (lots of staff working remotely and a high volume of client meetings): a lot of staff working remotely brings cyber security risks, as senior leaders have less tangible control over where their employees work. Staff could be working from unsecured public wi-fi, working on a crowded train and leaking sensitive data to anyone close by who happens to be shoulder surfing, or leaving devices unattended in public working spaces. Learn more with our blog post: The Cyber Security Dangers for Recruitment Agencies
  • What cyber security risks do you face when working from home?
    Sensitive data exposure: this applies to electronic devices and to physical paper documents and notes. Even family members should not be able to see sensitive data; an unauthorised disclosure of personal data could constitute a breach under UK GDPR. Best practice is a lockable storage cabinet where all work items (devices, documents, notebooks, etc.) are kept.
    Unauthorised device access: even when working from home, your device must be locked whenever you leave it. Even though it may "only be family" who can see your screen, it is still a cyber risk.
    Using the correct device: BYOD (Bring Your Own Device) is a common strategy amongst SMEs and in WFH culture. If it is implemented, it is important to keep work data and personal data completely separate; if an attacker gets hold of your device, they may be able to reach all of the company information on it if it is not secured. Best practice is to use separate work and personal accounts with strong, unique passwords, in combination with Multi-Factor Authentication.
  • Why do I need backups? How often should I be backing up my files?
    Backups are one of the most effective defences against malware attacks, ransomware in particular: if an attacker encrypts your data, you can restore from your backups and rebuild business continuity from there rather than pay a ransom. There is no "one size fits all" schedule; it depends on how much data your business can afford to lose, so some organisations back up every 12 hours while for others every 24 hours is acceptable. The most important aspect is that at least one copy is kept separate from your business network, either in the cloud or on a drive that is disconnected when not in use, because ransomware routinely seeks out and encrypts or deletes any backups it can reach. Finally, test restoring from your backups regularly; a backup you have never restored is one you cannot rely on.
  • Why is it important to keep your devices updated?
    Do my apps need to be updated regularly? Yes. All of your devices (computers, laptops, mobiles, tablets, etc.) and the applications on them should be kept up to date with the latest software. The companies who provide the software (e.g. Microsoft) have security teams that find and fix vulnerabilities, and attackers study those fixes to target anyone who has not yet applied them, so the longer you go without updating, the more exposed you are. Can I automate my device and application updates? Yes. Your device's settings will have an option to install updates automatically; all you have to do is turn it on. If you don't want your device restarting in the middle of work, you can also set your working hours (Windows calls this "active hours") so that updates are installed outside that time.
  • Why is a Password Manager a safer way of storing passwords whilst working remotely?
    Password managers store all of your passwords in what is called a vault. Every entry is encrypted with a key derived from your master password, so the vault's contents are unreadable without it, even to someone who copies the vault file. You then only need to remember one long, unique master password to unlock the vault when you want to read, add or remove credentials. Most password managers also support two-factor authentication (2FA) for unlocking the vault; switch it on, as it adds another layer of protection if your master password is ever guessed or phished. Read more with our FAQ guide to Remote Working
  • What is a Bring Your Own Device (BYOD) policy?
    BYOD is the concept of employees using their personally owned device(s) for work purposes. With BYOD, an organisation has ownership of the corporate data and resources that may be accessed or stored on a device, but the device itself is the property of the user.
  • If you’re using your own device for work, why could a Bring Your Own Device (BYOD) policy be useful for a business?
    When employees use their own devices, you don't need to buy extra computers, screens, mobile phones and tablets, which helps if your budget is tight. Using personal devices also suits people who want to stay connected to both personal and work life, for example around home commitments such as childcare. If staff are working remotely, your BYOD policy ensures your team can stay connected without needing to carry multiple devices. With a well-structured BYOD policy, employees should feel more at ease with their day-to-day work, which helps to keep them working in your organisation. Read more with our FAQ guide to Remote Working
  • What are the benefits of a Working from Home (WFH) or Remote Working policy?
    Giving employees access to a hybrid working environment gives them the option to work comfortably from their home office. This may be especially useful when offering remote work on a flexible basis for employees with childcare needs, medical appointments or when having work done at home. Spending long periods travelling to work each day can be a strain for all of us, especially with train strikes and cold, wet weather during the autumn and winter months. Remote workers can often feel more motivated and organised when working without a commute, with many using their former commute time to walk and exercise before and after work. With more staff working remotely, many businesses in the UK have made cost savings through reduced reliance on large offices and reduced staff turnover. Staff often find increased motivation in a role that offers flexible hours and are then more comfortable staying in the job and progressing. Did you know? Members of the Cyber Resilience Centre get access to several Cyber Security Policy and Procedure Templates to help you put the right measures in place, so that your business has clear security strategies and can respond efficiently if an incident occurs. Learn more about our Membership options for your business. Read more with our FAQ guide to Remote Working
  • What key things should be covered in a Working from Home (WFH) or Remote Working policy for a business?
    Explain why you’ve created the policy and which members/teams it applies to. For example, you may want to clarify whether the remote worker policy is in effect only temporarily or if your business has decided to offer all staff flexible working contracts. Specify whether your contractors, part-time employees, interns and new hires are covered by this policy, or if it only applies to existing full-time employees who have been with your company for at least six months. If your business is entirely remote, there may be some eligibility criteria you’ll want to include; will employees need to live within a certain distance or can they move anywhere in the UK? Outline who is working from home and when. For instance, your remote work policy may state that people in client-facing roles can only work from home three days per week. You can also create other criteria rules, such as those who have passed their probation can work remotely. Some roles aren’t suited for remote work; employees who need certain equipment that can’t be replicated at home, access documents available only in the office or regularly interact in person with clients. If there are broad categories of positions that are not eligible for remote work, remember to list them in your policy.
  • What is a Virtual Private Network (VPN)?
    A Virtual Private Network (VPN) creates an encrypted, authenticated tunnel between a device and your organisation's network over an untrusted network such as the internet or public wi-fi, so that traffic in transit cannot be read or altered by anyone in between. It is especially useful when staff work remotely. Note what it does not do: a VPN protects the connection, not the device, so a laptop with malware or missing updates is still at risk once it is connected.
  • Is public wi-fi more secure than a mobile hotspot?
    Yes, a personal hotspot is generally the safer choice. The biggest threat on free wi-fi is an attacker positioning themselves between you and the access point (a man-in-the-middle), so that instead of talking directly to the wi-fi router you are sending your data through the attacker, who can read or exploit it. On a mobile hotspot, the radio link between your phone and the network is encrypted and authenticated by the operator, just as it is when you make a call or browse on your phone. 5G also conceals the subscriber identity when a phone connects, which makes it much harder for fake mobile network transmitters (often called stingrays or IMSI catchers) to identify or track your phone, although it does not rule them out entirely. Whichever connection you use, that encryption only covers the radio link, so keep relying on HTTPS and, for company systems, a VPN.
  • Why isn’t public wi-fi secure when working remotely?
    You may be unaware that an innocent trip to a coffee shop may have threats lurking in the background of its public wi-fi network. Public wi-fi is available in most places when working remotely, and we all connect to it to check our emails or social media without thinking twice. Whilst your local cafe owner may believe they are providing free wi-fi to keep you in-store to buy that extra slice of cake, the security on these networks is usually minimal or non-existent. A man-in-the-middle (MitM) attack is a form of eavesdropping: when your laptop or phone connects to the internet, data travels from your device to the website, and an attacker on the same network can get between these transmissions and read or alter anything that is not itself encrypted. Websites served over HTTPS protect the page content, but which sites you visit, and anything sent to sites or apps that do not use encryption, remains exposed and could end up shared amongst a criminal network. If the wi-fi network has no encryption (an open network with no password), everything between your device and the router can be intercepted, and even on a password-protected network anyone who knows the shared password is on the same network as you. Attackers may also look to slip malware onto your computer through public wi-fi without you knowing: if they know of a software vulnerability, a busy public location gives them hundreds of devices on one network to target with it, which is one more reason to keep devices patched. Wi-fi snooping is what it sounds like: cybercriminals can buy special kits and devices to eavesdrop on wi-fi signals, which can give them access to everything you are doing online over unencrypted connections, from viewing whole webpages you have visited (including any information you ma
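The recruitment-sector answer above says that CVs arriving as email attachments could be disguised malware and need checking. The following is an added example, not the Cyber Resilience Centre's own tooling, showing the checks an automated triage step can make before a human opens a file: the claimed extension, double extensions such as cv.pdf.exe, macro-enabled Office formats, whether the file's first bytes match the type its name claims, and whether a .docx secretly carries a VBA project. The file names, byte strings and extension lists are constructed for illustration and are a starting point, not a complete policy.

```python
"""Flag risky email attachments before anyone opens them.

Added example for this FAQ (not the Cyber Resilience Centre's own tooling).
Assumption: attachments are available as (filename, bytes); the extension
lists below are illustrative, not a complete policy.
"""
import io
import zipfile

# Executable and script types that should never arrive as a "CV".
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "ps1", "hta", "msi", "lnk", "iso", "img"}
# Office formats that may carry VBA macros by definition.
MACRO_EXTS = {"docm", "dotm", "xlsm", "xltm", "pptm", "xlsb"}
# What the first bytes of a file of each claimed type should look like.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "doc": b"\xd0\xcf\x11\xe0", "xls": b"\xd0\xcf\x11\xe0",   # legacy OLE2
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
}


def assess_attachment(filename, data):
    """Return a list of reasons the attachment is suspicious (empty = no finding)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. The name ends in an executable or script type (cv.pdf.exe is classic).
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable or script type .{ext}")
    # 2. Double extension: a document-looking name in front of the real type.
    if len(parts) > 2 and parts[-2] in MAGIC:
        findings.append(f"double extension .{parts[-2]}.{ext}")
    # 3. Macro-enabled Office format.
    if ext in MACRO_EXTS:
        findings.append(f"macro-enabled Office format .{ext}")
    # 4. Content does not match the claimed type (e.g. an .exe renamed to .pdf).
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        actual = "PE executable" if data.startswith(b"MZ") else repr(data[:4])
        findings.append(f"content does not match .{ext}: starts with {actual}")
    # 5. OOXML documents are ZIPs; a vbaProject.bin inside means macros,
    #    whatever the extension says.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                    findings.append("embedded VBA project (macros)")
        except zipfile.BadZipFile:
            findings.append("claims to be a ZIP-based document but is not a valid ZIP")
    return findings


def _ooxml(with_macro):
    """Build a minimal constructed OOXML-shaped ZIP in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample "attachments": none of these are real files.
SAMPLES = {
    "jane_doe_cv.pdf": b"%PDF-1.7\n%constructed sample\n",
    "jane_doe_cv.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,  # PE behind a PDF-looking name
    "cv_final.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # executable renamed to .pdf
    "cv.docx": _ooxml(with_macro=False),
    "cv_macros.docx": _ooxml(with_macro=True),             # macros hidden in a .docx name
    "cv.docm": _ooxml(with_macro=True),
}


def triage(samples=SAMPLES):
    """Map each filename to its findings; clean attachments map to []."""
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        verdict = "QUARANTINE" if findings else "ok"
        print(f"{name:22} {verdict:10} {'; '.join(findings)}")
```

Running it marks each constructed sample ok or QUARANTINE with the reasons. In practice this sort of check sits in the mail gateway or a quarantine step and complements, rather than replaces, up-to-date malware protection and staff vigilance; attackers also use archives and password-protected ZIPs precisely to get past checks like these, so anything that cannot be inspected should be treated as suspicious too.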
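The password-manager answer above says the vault is encrypted and opened with a master password. As an added example (not code from any real password manager, and not from the original page), here is the shape of that mechanism in Python: a memory-hard key derivation (scrypt) turns the master password and a stored salt into separate encryption and authentication keys, each entry is encrypted and authenticated, and a wrong master password fails authentication cleanly instead of producing garbage. The HMAC-SHA256 counter-mode stream cipher and the scrypt cost parameters are chosen so this runs with only the standard library; a real vault would use Argon2id or a heavier scrypt cost and a standard AEAD such as AES-GCM or XChaCha20-Poly1305. The sample credentials are constructed.

```python
"""How a password-manager vault protects entries: a key derived from the
master password, authenticated encryption per entry, and a clean failure on
the wrong password.

Added example for the FAQ above, not code from any real password manager.
Assumptions: scrypt parameters and the HMAC-SHA256 counter-mode stream cipher
are demonstration choices so this runs with only the standard library.
"""
import hashlib
import hmac
import json
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard: about 16 MiB per guess


def derive_keys(master_password, salt):
    """Stretch the master password into two independent 32-byte keys.
    The salt is stored with the vault; it is not secret, but it stops an
    attacker reusing precomputed guesses across vaults."""
    okm = hashlib.scrypt(master_password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return okm[:32], okm[32:]    # (encryption key, MAC key)


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_vault(master_password, entries):
    """Encrypt each {site: {username, password}} entry. Site names stay visible
    here for simplicity; real managers usually encrypt those as well."""
    salt = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    sealed = {site: seal(enc_key, mac_key, json.dumps(cred).encode()).hex()
              for site, cred in entries.items()}
    return {"kdf": "scrypt", "salt": salt.hex(), "entries": sealed}


def unlock_vault(master_password, vault):
    """Return the decrypted entries, or raise ValueError on a wrong master password."""
    salt = bytes.fromhex(vault["salt"])
    enc_key, mac_key = derive_keys(master_password, salt)
    return {site: json.loads(open_sealed(enc_key, mac_key, bytes.fromhex(blob)))
            for site, blob in vault["entries"].items()}


# Constructed sample credentials (not real accounts).
SAMPLE_ENTRIES = {
    "payroll.example": {"username": "finance", "password": "Xq7!vR2#mL9pWz4"},
    "crm.example": {"username": "sales", "password": "tG8$hN3&kB6yQe1"},
}


def demo(master="correct horse battery staple", wrong="password123"):
    """Lock, unlock with the right password, and show the wrong one is rejected."""
    vault = create_vault(master, SAMPLE_ENTRIES)
    recovered = unlock_vault(master, vault)
    try:
        unlock_vault(wrong, vault)
        rejected = False
    except ValueError:
        rejected = True
    return recovered == SAMPLE_ENTRIES, rejected


if __name__ == "__main__":
    ok, rejected = demo()
    print("correct master password recovers entries:", ok)
    print("wrong master password rejected:", rejected)
```

Two things this shows that the FAQ cannot: the salt and the key-derivation cost, not secrecy of the vault file, are what make offline guessing expensive, so a short master password is the weak point however strong the encryption; and authenticating before decrypting is why a wrong password or a tampered vault is rejected cleanly rather than silently yielding corrupted credentials.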