Frequently Asked Questions
Why Do We Need Cyber Essentials?
We live in a world where cyber-attacks are now a lucrative business model, used by both criminals and states. This is partly due to the rapid growth of, and our increasing reliance on, connected technologies, both personally and professionally.
The risks keep on growing: cyber-attacks have consistently increased by around 40% each year. With attacks becoming more sophisticated, the need for businesses to invest in and take cyber security seriously has never been greater, and the repercussions of getting it wrong are huge.
It was to help address this situation that the National Cyber Security Centre (NCSC) and leading experts created a security standard that businesses could apply to help protect themselves. The result was ‘Cyber Essentials’, a certification that helps businesses to understand and deliver the right security in the right areas, and which helps to protect against 80% of common cyber threats.
Cyber Certification – Areas of Focus
Cyber Essentials certification was designed around 5 key pillars of security:
Your Security Configurations and Settings
Patch Management and Updates
Boundary Firewalls and Internet Gateways
Access and Administrative Controls
Protecting the business from Malware
By addressing vulnerabilities in each of these areas, you can reduce your exposure to the majority of common security threats.
What Does It Involve?
Cyber Essentials Basic is a series of self-assessment questions that, when answered, will highlight and provide visibility of the areas of cyber risk your business is exposed to. This allows you to make changes and become a Cyber Essentials certified business.
You will need to work through all the questions; these will then be assessed by the awarding body, and you will either pass or fail.
The basic level of Cyber Essentials (CE) does not require any vulnerability or third-party testing, unlike the higher Cyber Essentials Plus certification, which requires an audit of your answers.
Why Bother with Certification?
Being apathetic about security may work for a time, but threats are increasing and the risks to SME businesses (who are now the target for attack) are greater than ever, as are the fines! Cyber Essentials provides the blueprint for applying security standards to a business and will become the standard required for all businesses in the future.
We now have the General Data Protection Regulation (GDPR), and being able to demonstrate that you take data security and protection seriously is crucial. The Information Commissioner's Office (ICO) holds CE certification up as a solid example of working to secure data.
If you are in healthcare, or work in supplying any public-sector contracts or supply chain, you will soon need to have Cyber Essentials to keep working. The government is making it mandatory for anyone working on public contracts to hold Cyber Essentials certification.
What are the Benefits of Cyber Essentials?
Reassure customers that you take security seriously
Attract new business by demonstrating your commitment to security
Marketing materials to promote your certification
Combat up to 80% of common cyber threats
Helps your business to get GDPR ready
Recognised by the ICO as a step to GDPR compliance
Allows working in Government contracts/Supply chain
Provides assurance that your basic cyber security controls have been implemented
Free Cyber Liability Insurance
Reduce business costs as some insurers discount CE certified companies
Secures your business reducing potential downtime and cost
Types of Questions
As mentioned earlier, the certification focuses on five key pillars of security and the questions have been designed around these.
The pass criteria are set by the UK Government and are very strict: you will need to get nearly all the questions right (compliant) to pass Cyber Essentials.
When answering some questions, if you find you are not compliant, our recommendation would be to change your process/security to meet the requirements, and certainly to add notes explaining why you are not compliant and what measures you can take to control the risk.
“Do you formally track which users have administrator accounts in your organisation?”
“Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?”
How Do I Complete Cyber Essentials?
We have a couple of options to suit your needs and these give you a bespoke online portal for you to complete the questions and add notes to confirm compliance.
For each answer you need to add brief notes. This allows us to understand your company and controls better, makes the assessment process faster, and makes it more likely that we will be able to understand your systems.
How Long Does Cyber Essentials Take?
The short answer is: how long is a piece of string! The time it takes depends on how well you know your systems and how much time you have to complete the answers. For some customers we have completed certification within 24 hours, while others have taken a few months. It is all about you and the level of effort and resource you can apply. You do, however, have to complete the certification within 6 months.
What happens if I fail?
If you complete the basic DIY self-certification and fail, you are allowed two working days to examine the feedback from the assessor and fix any simple issues with your network and policies.
You can then provide the updated answers to the assessor, who will review them. If you still fail the certification after these two days, you will have to reapply and pay the assessment fee again.
For customers on our supported options, we will pre-assess your answers before final submission to ensure everything is in order, so you don’t have to pay any additional fees. This also helps to ensure you can pass Cyber Essentials on your first attempt.
How long does certification last?
Your certification lasts for 12 months, at which point you will need to reapply for certification. Your previous answers will be stored, so you will only need to address those that have changed since you were previously certified.