Cyber Essentials – gain peace of mind with your information security

August 2021

Data breaches are endemic with 2,552 reported to ICO between April and June 2021. Some of these are self-inflicted problems whilst others are malicious attacks on an organisation.

For many small and medium sized businesses, it’s not entirely obvious how they should be addressing the increasing cyber security threats that present themselves on a virtually daily basis. The phishing emails and other attempts to access your networks feels like an endless war of attrition.

It therefore makes sense to ensure you’ve got some basic security arrangements in place to address the most obvious threats. This is where Cyber Essentials can help.

What is Cyber Essentials?

Launched in 2014, it is information assurance scheme operated by the National Cyber Security Centre (NCSC). Today over 30,000 organisations are accredited.

The intention is to provide an assurance framework for organisations to carry out a simple review of their security arrangements. It also helps you to ensure that basic controls are introduced to protect networks/systems from threats from the internet. There are two versions:

1. Cyber Essentials

A self-certification scheme which needs to be signed by a company director and costs £300 plus VAT to be independently verified.

2. Cyber Essentials Plus

Like Cyber Essentials, but with the addition of independent validation by an accredited third party. The cost will depend on the complexity of the organisation but is typically £1,400 plus VAT.

What does the scheme cover?

1. Use a firewall to secure your internet connection

  • Protect your internet connection with a firewall. A firewall is essentially a buffer between you and external networks.
  • It’s possible to have an organisational firewall for your company network as well as a personal firewall on your device. Make sure both are enabled.

2. Choose the most secure settings for your devices and software

  • Check your device settings and ensure that they are providing a higher level of security.
  • Always password protect your devices and change any default passwords.
  • Wherever it’s available, always use Two Factor Authentication of Multi-Factor Authentication on your accounts.

3. Control who has access to your data and services

  • Minimise the access levels for individual employees in an organisation. Only give them what they need based on their role.
  • Separate administrative accounts from accounts which are also using email or browsing the web to minimise the damage caused by an attack.
  • Only use software from official sources and control who can install software.

4. Protect yourself from viruses and other malware

  • Introduce anti-malware measures such as Windows Defender.
  • Create an allowed list of applications available to install on a device.
  • Use versions of software that supports sandbox and keeps applications separate with restricted access.

5. Keep your devices and software up to date

  • Make sure that all software is up to date with the most recent version – known as patching.
  • If software becomes obsolete/is no longer supported, upgrade to a more modern version.

Why bother?

  • Procurement: Increasingly organisations are being asked about their security arrangements when they are bidding for work. Already, the central government procurement has specified that any supplier is required to be certified if they are handling certain types of sensitive and personal.
  • Insurance: Beyond that, insurance companies are starting to recognise that accreditation can have an impact on insurance premiums although this isn’t quantified.
  • Peace of mind: Many data breaches and malicious attacks can be deflected using the basic security measures recommended by Cyber Essentials. The cost of the exercise is trivial compared to the cost and reputational damage if there has been a breach.

What next?

The National Cyber Security Centre has published a wide range of resources to help understand Cyber Essentials and become accredited. Take a look now and put your mind at rest by becoming accredited – Cyber Essentials Overview.


Data protection team over-stretched? Our experienced team can fill the gaps with our no-nonsense advice and support. For more information CONTACT US.