Cyber Essentials is a UK government-backed scheme, launched in 2014, that helps organisations protect themselves against common cyber-attacks. It defends businesses across every industry against the most prevalent online threats by specifying a small set of technical controls, giving them a baseline on which they can operate securely.
Certifying to Cyber Essentials helps protect your business against phishing, malware, hacking and other intrusion attempts. The controls the scheme requires reduce both the likelihood and the impact of each of these, so that operations are not disrupted.
How it helps with GDPR Compliance
The Cyber Essentials scheme, which consists of a set of fundamental technical controls, works alongside GDPR (the General Data Protection Regulation), which came into force on 25 May 2018 and is applied in UK law through the Data Protection Act 2018. GDPR places strict obligations on organisations inside the EU, and on those outside it that process EU residents' data, to meet data privacy and security standards.
Companies that collect personal data from individuals in the EU are governed by GDPR's rules on how that data may be collected. They must also follow its requirements for handling sensitive and personal information about their customers.
Cyber Essentials certification gives your enterprise a framework that supports the obligations GDPR places on you to safeguard data. The process of obtaining it identifies gaps in your technical controls that could expose the company to a data breach, which in turn reduces your exposure to malware and other online attacks.
Changes to note
As of Monday 24 January 2022 the price of a Cyber Essentials assessment changed. This coincided with a revision of the scheme's technical controls. The new tiered pricing structure, which has now taken effect, reflects the rapid changes in the cyber landscape.
With the digital needs of enterprises constantly evolving, the new prices reflect the additional complexity of assessing larger companies. Micro businesses continue to pay the £300 assessment fee; small, medium and large businesses see a modest increase.
According to the NCSC (National Cyber Security Centre), the new prices, which follow the international convention of defining organisation size by headcount, are as follows:
- Micro organisations (0-9 employees): £300 +VAT
- Small organisations (10-49 employees): £400 +VAT
- Medium organisations (50-249 employees): £450 +VAT
- Large organisations (250+ employees): £500 +VAT
Pricing structure: IASME
Anne W, Head of Commercial Assurance Services at NCSC, commenting on the adjustments, stated: “This price change reflects the increasing levels of rigour that go into every assessment. While Cyber Essentials is designed to help any organisation attain a minimum level of cyber security, the assessment process can be quite complex. We want to continue to ensure this important scheme remains accessible to every business, no matter their size.”
Home Working Devices Redefined:
Home routers supplied by an Internet Service Provider (ISP) or by the home worker are out of scope. A router supplied by the applicant company, however, is in scope. Devices owned by home workers are also in scope when used for work, and the firewall controls that would otherwise apply to the router transfer to those devices: the software firewall on each one must be enabled and configured.
This means that home workers can now rely on the software firewall on their devices for work, instead of an “Always on VPN” back to head office or a “Branch Office Managed Firewall”.
People who work from home for any amount of time are considered home workers.
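The device-level firewall control described above can be checked on the device itself before an assessor does. The following is an added example, not code from the original page or from the scheme's own guidance: it assumes a Windows 10/11 home-worker device with Windows Defender Firewall and the NetSecurity module, and an elevated PowerShell session. It confirms that every profile is enabled with unsolicited inbound traffic blocked, then lists the enabled inbound allow rules, since each of those is what an assessor will ask you to justify.

```powershell
# Added example (not from the original page or the Cyber Essentials documents):
# self-check of the software firewall on a home worker's Windows device.
# Assumes Windows 10/11, Windows Defender Firewall, and an elevated session.

$failures = @()

# 1. Every profile (Domain, Private, Public) must be enabled and must block
#    unsolicited inbound connections by default.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $failures += "Profile '$($fwProfile.Name)' is disabled"
    }
    if ($fwProfile.DefaultInboundAction -ne 'Block') {
        $failures += "Profile '$($fwProfile.Name)' default inbound action is " +
                     "'$($fwProfile.DefaultInboundAction)', expected 'Block'"
    }
}

# 2. Enumerate every enabled inbound allow rule with its port and program, so each
#    one can be matched against a documented business need (or disabled).
$inboundAllows = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $appFilter  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $portFilter.Protocol
            Port     = $portFilter.LocalPort
            Program  = $appFilter.Program
        }
    }

Write-Host "Enabled inbound allow rules (each needs a documented justification):"
$inboundAllows | Sort-Object Profile, Name | Format-Table -AutoSize

if ($failures.Count -eq 0) {
    Write-Host "PASS: all firewall profiles enabled with default inbound action Block"
} else {
    $failures | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
```

The rule listing can run to a few hundred lines on a stock Windows install because of per-app Store rules; the point of the listing is to find rules that open a port for any program, or on the Public profile, that nobody can account for. The non-zero exit code lets the same script be used from an endpoint-management tool to flag non-compliant devices.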
All Cloud services are in scope:
Every type of cloud service used by your enterprise is in scope. Cloud services in this context means Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Any cloud solution accessed by your business must be declared in your Cyber Essentials scope. Examples include Microsoft and Google hosted services, Dropbox, and other hosted email and data services.
Multi-factor authentication must be used for access to cloud services:
For added protection, MFA (multi-factor authentication) is now required for access to cloud services. Businesses must enforce this control on all accounts, including administrators, so that cloud-hosted company data and email systems sit behind a second layer of protection against the rising volume of attacks.
Passwords used as one factor in the MFA process must be at least 8 characters long, and the service must not impose a maximum length. The second factor serves as a barrier against the increasing incidence of password theft and attacks on cloud accounts.
Smartphones and Tablets are in scope:
Mobile phones and tablets that access company data and services are now in scope, whether they connect over the corporate network or over 4G/5G mobile internet. Smartphones and other remote devices used only for voice calls, text messages or a multi-factor authentication app are out of scope.
Two additional tests added to the Cyber Essentials Plus audit:
The additional tests are:
- Test to confirm MFA is required to access cloud services
- Test to confirm account separation between user and administrator accounts
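The second of these tests is carried out on sampled devices, and it can be rehearsed locally. The following is an added example, not code from the original page or from the Cyber Essentials Plus test specification: it assumes a Windows 10/11 device with the Microsoft.PowerShell.LocalAccounts module and the built-in whoami.exe, run from the user's normal, non-elevated session. It checks whether the everyday account also carries administrator rights, either as a direct member of the local Administrators group or through a nested domain or cloud group that only shows up in the session token. The MFA test is performed against the cloud tenant and is not covered here.

```powershell
# Added example (not from the original page or the CE Plus test specification):
# local rehearsal of the "account separation" test. Assumes Windows 10/11 with the
# LocalAccounts module and whoami.exe; run from the user's normal session.

# The account doing day-to-day work is the interactive one this script runs under.
$dailyUser = "$env:USERDOMAIN\$env:USERNAME"

# Direct members of the local Administrators group. The well-known SID
# S-1-5-32-544 identifies the group regardless of the Windows display language.
$adminMembers = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object -ExpandProperty Name

# Membership can also arrive through a nested domain or cloud group, so inspect
# the session token as well. Under UAC a non-elevated administrator still shows
# S-1-5-32-544 in whoami /groups (marked "used for deny only"), which is exactly
# the case this test is meant to catch.
$tokenHasAdminGroup = [bool]((whoami /groups) -match 'S-1-5-32-544')

Write-Host "Daily-use account: $dailyUser"
Write-Host "Local Administrators group members:"
$adminMembers | ForEach-Object { Write-Host "  $_" }

if (($adminMembers -contains $dailyUser) -or $tokenHasAdminGroup) {
    Write-Host "FAIL: '$dailyUser' holds administrator rights; privileged tasks need a separate admin account"
    exit 1
}

# Separation must not leave the device unadministrable: report which enabled
# local accounts can still administer it.
$enabledLocalAdmins = Get-LocalUser |
    Where-Object { $_.Enabled -and ($adminMembers -contains "$env:COMPUTERNAME\$($_.Name)") } |
    Select-Object -ExpandProperty Name

Write-Host "PASS: '$dailyUser' is a standard user. Enabled local admin accounts: $($enabledLocalAdmins -join ', ')"
```

Run it as the person who actually uses the machine, not as the IT administrator who set it up, otherwise the token check reports on the wrong account. A FAIL means the user should be given a standard account for daily work and a second, separately named account for administration, which is the arrangement the assessor is looking for.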
What does this mean for you?
Cyber Essentials is key to the security and protection of your business online. The growing volume of web attacks on technology-dependent companies needs to be addressed, and obtaining the certification puts in place controls that reduce the risk of attacks on your IT systems and cloud infrastructure. You are then free to focus the operations of your enterprise on growth.
Whether you are new to Cyber Essentials or seeking to renew your certification, Infinity’s certified assessors are available to assist with the implementation of the technical controls and device asset management in accordance with the new Cyber Essentials requirements.
Get in touch with our Cyber Essentials experts today for guidance on certification.