Cyber Essentials Plus – prove your commitment to cyber security

Feb 08 | 2018

Matt Rhodes from Quiss Technology suggests how you can prove to your clients that you have done all you can to protect against a cyber attack.



Unfortunately for businesses, cyber attacks are becoming more sophisticated, and criminals routinely use a range of methods to breach IT security. For this reason, organisations of all sizes are now seeking the government-backed Cyber Essentials Plus badge to show that they have the baseline technical controls in place and that those controls have been independently tested.

Once upon a time, organisations could simply claim they had strong security controls in place, but now potential clients are demanding that companies prove it with certifications such as Cyber Essentials Plus. High-profile cyber attacks regularly make headline news, and clients are adopting stricter vetting processes to ensure their company's sensitive information and reputation are not put at risk by a supplier.

A seal of approval 

There are currently two different certifications available to businesses – the standard Cyber Essentials and the Cyber Essentials Plus.  

Cyber Essentials represents the most basic level of the scheme. It only requires a company to complete a self-assessment questionnaire, which a certification body reviews; nothing is tested on the organisation's own systems. This basic level of certification therefore does not provide assurance that systems are actually configured to defend against more sophisticated or persistent attacks.

Cyber Essentials Plus, however, requires an organisation to undergo a more thorough, hands-on assessment. An assessor runs a vulnerability scan of the organisation's internet-facing systems and an authenticated scan of a representative sample of end-user devices, and then directly tests that individual controls have been implemented correctly, for example by delivering test malware by email attachment and by browser download to confirm that it is blocked.

Both levels of the scheme are built on the same five technical controls; the difference is that Cyber Essentials Plus tests that each of them is actually in place:

  • Firewalls - boundary firewalls and internet gateways prevent unauthorised access to or from private networks, but only if they are configured properly: default passwords changed, and inbound services exposed to the internet only where there is a documented business need;

  • Secure configuration - removing or disabling unnecessary software, accounts and services and changing default passwords, so that systems expose only what the organisation needs;

  • Access control - giving users only the access they need, with administrative accounts reserved for administrative tasks and removed when no longer required;

  • Malware protection - ensuring anti-malware software is installed, kept up to date and configured to scan files on access and web downloads (the scheme also accepts application whitelisting or sandboxing as alternatives);

  • Patch management - running only supported software, removing anything that is out of vendor support, and applying patches for critical or high-risk vulnerabilities within 14 days of release.

Only once a company passes these tests can it be awarded the badge, which can then be displayed on its website.
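Before booking the Plus assessment it is worth checking your own estate against the same five controls. The following is an added example, not the scheme's assessment tooling or Quiss Technology's code: it evaluates a constructed device inventory against the conditions an assessor looks for. The 14-day window for critical and high-risk patches is the scheme's published requirement; the one-day signature-age limit, the end-of-life operating system list, the single permitted inbound port, the field names and every hostname are assumptions made for this illustration.

```python
"""Readiness check against the five Cyber Essentials controls.

Added example, not the scheme's assessment tooling. A constructed device
inventory is evaluated against the thresholds a Plus assessor tests for.
The 14-day patch window is the scheme's published requirement; the
signature-age limit, the end-of-life OS list, the permitted inbound port
list and all hostnames are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)        # scheme requirement for critical/high patches
SIGNATURE_MAX_AGE = timedelta(days=1)    # assumed: signatures refreshed at least daily
UNSUPPORTED_OS = {"Windows XP", "Windows 7"}  # assumed end-of-life list for the example
PERMITTED_INBOUND = {443}                # assumed: only HTTPS has a documented business case


@dataclass
class Device:
    hostname: str
    os: str
    is_endpoint: bool = True                                  # malware control applies to endpoints
    inbound_ports: List[int] = field(default_factory=list)    # ports reachable from the internet
    oldest_unapplied_critical: Optional[date] = None          # release date of oldest missing critical/high patch
    signature_date: Optional[date] = None                     # last malware-signature update
    default_password_accounts: List[str] = field(default_factory=list)
    daily_users_with_admin: List[str] = field(default_factory=list)


def check_device(dev: Device, today: date) -> Dict[str, List[str]]:
    """Return findings keyed by control; an empty dict means the device passes."""
    findings: Dict[str, List[str]] = {}

    def fail(control: str, msg: str) -> None:
        findings.setdefault(control, []).append(msg)

    # 1. Firewalls: every internet-reachable inbound service needs a business case
    for port in dev.inbound_ports:
        if port not in PERMITTED_INBOUND:
            fail("firewall", f"inbound port {port} reachable from the internet")

    # 2. Secure configuration: vendor default passwords must be changed
    for acct in dev.default_password_accounts:
        fail("secure-config", f"account '{acct}' still has its default password")

    # 3. Access control: day-to-day accounts must not carry admin rights
    for user in dev.daily_users_with_admin:
        fail("access-control", f"day-to-day user '{user}' has administrative rights")

    # 4. Malware protection: installed and kept current (endpoints only in this example)
    if dev.is_endpoint:
        if dev.signature_date is None:
            fail("malware", "no malware protection reported")
        elif today - dev.signature_date > SIGNATURE_MAX_AGE:
            fail("malware", f"signatures last updated {dev.signature_date.isoformat()}")

    # 5. Patch management: supported OS, critical/high patches applied within 14 days
    if dev.os in UNSUPPORTED_OS:
        fail("patching", f"{dev.os} is out of vendor support")
    if dev.oldest_unapplied_critical is not None:
        overdue = today - dev.oldest_unapplied_critical
        if overdue > PATCH_WINDOW:
            fail("patching", f"critical/high patch outstanding for {overdue.days} days")

    return findings


def readiness_report(inventory: List[Device], today: date) -> Dict[str, Dict[str, List[str]]]:
    """Map each failing hostname to its findings; an empty report means ready for assessment."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dev in inventory:
        found = check_device(dev, today)
        if found:
            report[dev.hostname] = found
    return report


# Constructed inventory for the example (hostnames and values are not real)
TODAY = date(2018, 2, 8)
SAMPLE_INVENTORY = [
    Device("laptop-01", "Windows 10", signature_date=TODAY,
           oldest_unapplied_critical=TODAY - timedelta(days=3)),
    Device("laptop-02", "Windows 7", signature_date=TODAY - timedelta(days=9),
           daily_users_with_admin=["jsmith"]),
    Device("edge-router", "RouterOS", is_endpoint=False, inbound_ports=[443, 22, 8291],
           default_password_accounts=["admin"]),
    Device("fileserver", "Windows Server 2016", signature_date=TODAY,
           oldest_unapplied_critical=TODAY - timedelta(days=40)),
]

if __name__ == "__main__":
    for host, findings in readiness_report(SAMPLE_INVENTORY, TODAY).items():
        for control, msgs in findings.items():
            for msg in msgs:
                print(f"{host}: [{control}] {msg}")
```

Run against the constructed inventory, only laptop-01 passes: laptop-02 fails on an unsupported OS, stale signatures and a day-to-day user with admin rights, the router on two exposed management ports and a default password, and the file server on a critical patch that is 40 days overdue. In practice the inventory would be populated from your endpoint management and vulnerability scanning tools rather than typed in by hand.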

Staying vigilant – remaining protected 

For businesses that want independently verified assurance rather than a self-declaration, Cyber Essentials Plus is the level to aim for. The scheme provides a well-defined standard that is suitable for organisations across all sectors, including charities, schools, universities and local authorities.

While the basic Cyber Essentials certification is a necessary starting point for businesses, the extra checks involved in Cyber Essentials Plus make it the better option, especially with the GDPR applying from 25 May 2018 and requiring organisations to demonstrate appropriate technical measures for protecting personal data.

Cyber Essentials Plus and the procurement process 

Since October 2014, Cyber Essentials certification has been a mandatory requirement for suppliers bidding for certain central government contracts, specifically those that involve handling personal or sensitive information or providing certain ICT products and services, and it looks as though we are moving towards a point where businesses must hold a badge to be considered for most public-sector work. Cyber Essentials Plus offers procuring organisations a greater level of assurance, because the required controls have been independently tested rather than self-declared.

Achieving compliance – next steps 

If your company is serious about achieving Cyber Essentials Plus status, the first step is to visit the official www.cyberaware.gov.uk website and select one of the official accreditation bodies listed there.

To hold a Cyber Essentials Plus badge, you must first have completed the basic Cyber Essentials certification. Once a certification body has reviewed your self-assessment answers, you will be awarded the basic certificate; no testing of your systems takes place at this stage.

The basic certificate records that you have declared the five controls to be in place; the Plus assessment checks that they really are, across every device in scope. Before booking it, confirm that the controls are consistently implemented on your systems, because any gap will show up in the assessor's scans and tests. When looking for support, it is important to contact an IT specialist with plenty of experience in helping clients achieve compliance. Remember, different suppliers will offer varying levels of service and support, so make sure you select one that meets your company's requirements.

Finally… 

Achieving Cyber Essentials Plus certification is an important step in the ongoing work of improving cyber security within your business. It is, however, a baseline: for organisations that are serious about cyber security, there are more in-depth tests that can tighten security further.

More sophisticated assessments are available to companies looking to push their security beyond the Cyber Essentials scheme, including penetration testing and Simulated Target Attack and Response (STAR), a CREST intelligence-led red team engagement aimed at organisations whose business functions have wider market or national significance.

If you think your organisation could benefit from these additional levels of assessment, contact an IT specialist to raise the level of assurance you can offer your business and your clients.


Matt Rhodes 

Matt is commercial services manager for Quiss Technology, an IT support company based in the West Midlands. Matt's primary role is to expand the company's hosted solutions division and to liaise with software vendors to help them develop their Software as a Service (SaaS) offering. He is a regular commentator on industry topics, covering subjects such as cyber security, hybrid cloud solutions, new technology and the Code of Connection (CoCo).