CyberSecurity for SMEs – the “essentials” of Cyber Essentials Certification

November 29, 2021 (updated March 19, 2024)

Many SMEs believe they are safe from the attention of cybercriminals and hackers. However, the hard truth is that small and medium-sized businesses are often viewed by attackers as low-hanging fruit, ready to be exploited.

The latest government survey shows that roughly 46% of businesses have fallen victim to a Cyber-Attack. Between 2014 and the present, the average cost of an attack has also gone up from £115,000 to an astonishing £310,800.

With more and more companies switching over to remote and hybrid working, CyberSecurity is more important than ever. However, where should an SME start when developing its IT Security strategy? What is CyberSecurity? Is there a benchmark that your business can follow? And how do you know when you’ve achieved a level of security that meets your specific needs?

The Cyber Essentials Certification Scheme is a CyberSecurity framework that aims to help SMEs answer these burning questions. It’s a UK government-funded initiative spearheaded by the NCSC (National Cyber Security Centre). Certification is handled by IASME (Information Assurance for Small and Medium Enterprises), an organisation committed to helping businesses improve their CyberSecurity, risk management and governance, and is delivered by accredited Cyber Essentials providers who work in partnership with small businesses to implement the framework.

So, what is Cyber Essentials? Below, we give you a guide to everything you need to know and how it can help your business.

How significant is Cyber Essentials to SMEs and why is it important?

Cyber Essentials is a crucial security benchmark for SMEs today, particularly those in the UK. So much so that it’s a mandatory requirement for securing tenders or contracts to work with the UK government.

However, its importance to your business goes well beyond that. Even before Cyber Essentials was introduced, businesses needed to pursue some form of widely recognised and trusted security accreditation. Cyber Essentials itself is primarily based on ISO 27001, the international gold standard for managing information security.

It gives businesses a clear framework and target to harden their CyberSecurity based on current best practices. This helps foster trust with customers, staff and other key stakeholders that are essential to the health of your business.

What are the five key areas that Cyber Essentials focuses on?

The Cyber Essentials framework is built around five key controls:

  • Firewalls: These police your incoming and outgoing network traffic, establishing a secure perimeter between your internal network and the outside world. A firewall can be configured to allow traffic only from specific ports or IP addresses, and to block unsecured traffic from suspicious or unknown sources.
  • Secure configuration: One of the main mistakes companies make is to keep the default security configuration of new hardware and software. Default settings are easy for attackers to exploit and may not be right for your situation. For example, they might use default passwords, such as “admin”, and have various public sharing options turned on.
  • User access control: This involves putting controls in place so that only the right people can access the right things. Part of this is correctly verifying and authenticating identity. It also involves assigning permission levels correctly, following the principle of least privilege (PoLP).
  • Malware protection: Malware can take the form of viruses, trojans, ransomware, worms or any other type of malicious code. Businesses can protect themselves by installing and using effective anti-malware software to mitigate the threat. But this is just the beginning. It is also key to put in place the staff training, processes and controls needed to prevent and deal with malware infections: for example, whitelisting approved programs, sandboxing or isolating infected devices, and avoiding downloading potentially malicious files. Very often businesses benefit from the advice of a specialist IT security provider who can bring expert knowledge to bear on your business.
  • Patch management: Outdated software, and incompatibilities between software versions, are among the most exploited security weaknesses. Vendors usually release patches or updates as soon as new security flaws are found. You should make sure that your devices are always correctly updated whenever possible.

What are the essential requirements of Cyber Essentials?

You apply for Cyber Essentials certification by way of self-assessment. The process involves filling out and submitting the Cyber Essentials Illustrative questionnaire available from the NCSC (it is also possible to enhance your level of assurance with Cyber Essentials Plus certification, which involves hands-on technical verification by an accredited supplier).

The questionnaire will ask a variety of questions regarding the following aspects of your security configuration:

  • Boundary Firewalls
  • Secure Configuration
  • Access Control
  • Patch Management
  • Password-based authentication
  • Anti-Malware Software
  • Whitelisting
  • Sandboxing

Of course, the NCSC won’t just take your word for it. On top of providing in-depth explanations of your security controls, you will also need to submit evidence. This usually entails preparing documentation that lays out your security controls in detail, in terms of your:

  • Password policy
  • IT policy
  • Network diagram

Depending on your submission, the assessor might ask for further elaboration or proof.

What benefits does Cyber Essentials offer?

First of all, Cyber Essentials certification will give you confidence that you have implemented robust CyberSecurity measures. Considering the substantial risks posed by various cyber threats today, some peace of mind is priceless.

As mentioned, it will also open the door to qualifying for government tenders or contracts.

Beyond that, Cyber Essentials certification will provide the following benefits:

  • Reassurance for customers, clients and partners that you take CyberSecurity seriously and can protect their information.
  • A listing for your company in the IASME Consortium’s directory of organisations awarded Cyber Essentials accreditation.
  • Confidence to attract new customers and business opportunities, with the assurance that you have CyberSecurity measures in place.

And as the awareness surrounding CyberSecurity grows, having some form of formal certification becomes a real competitive advantage for your business.

How long does it take to get certified?

The actual certification process is relatively quick. IASME aims to process most applications within 1-3 business days. This may take more or less time depending on whether you need to submit any additional proof or documentation.

However, it may take your company up to a fortnight to prepare for the assessment and to consider the Cyber Essentials requirements in respect of your own business. This may include doing an initial self-assessment, training your workforce and implementing security measures.

Why is CyberSecurity Awareness Training important?

When talking to most people about CyberSecurity, malware such as ransomware is the first threat that comes to mind. However, the human element, with its potential for security-related lapses and errors, is the greatest contributing factor to cyber-attacks that actually succeed.

Most hackers still target individuals through spoofing, phishing or social engineering as an initial entry point to a company’s network: for example, by embedding a trojan in a malicious Word document attachment, or by stealing credentials through a fake login portal.

This means that, unfortunately, any CyberSecurity perimeter is only as secure as its weakest link. If your employees do not have the necessary training or awareness, they may well be easy prey for cybercriminals, which means your business is vulnerable too.

That’s why education and CyberSecurity awareness training are a key component of Cyber Essentials certification.

How do CyberSecurity services help my business?

Simply put, CyberSecurity is not the primary business concern or even the core competency of most SMEs. However, it’s a critical safeguard for your business that demands the attention of a trained professional.

Staying up to date with the latest CyberSecurity news, trends and practices can be a time-consuming and resource-intensive task, not to mention planning and implementing security measures and processes throughout your business, especially when threats evolve as quickly as they do now.

A certified Cyber Essentials provider can help by lending you their experience, expertise and knowledge to protect your business. They can also provide the guidance and leadership to implement ongoing CyberSecurity strategies and long-term goals.

For many SMEs, bringing a trusted and experienced Cyber Essentials company on board to fill the gaps is a savvy investment. If we can help, please feel free to contact us.