Secure your business with Cyber Security Essentials accreditation

Business people with a laptop and papers on the desk in front of them

Businesses of all sizes increasingly face cybersecurity risks that threaten their operations, reputation, and revenue. And, with so much customer data now stored online in the cloud, cybercriminals are taking advantage of vulnerabilities in security defences to launch attacks like ransomware and phishing.

According to a recent study, over half of Small and Medium Businesses (SMBs) have experienced a cyber attack, with 60% of them going out of business within six months of the attack.

To mitigate these risks and protect your business, you should prioritise cybersecurity and take proactive measures to secure your networks, devices, and data. One effective measure is through the Cyber Security Essentials accreditation, a government-backed scheme that provides a baseline of cybersecurity best practices for SMBs. 

In this blog post, we’ll explore the importance of Cyber Security Essentials accreditation for UK businesses, as well as its benefits, costs, and how to obtain and maintain the accreditation.

Contents

About the Cyber Security Essentials accreditation

The Cyber Security Essentials accreditation is a certification program created to help individuals and organisations develop a basic understanding of cybersecurity. The accreditation is primarily aimed at businesses that are either new to cybersecurity or need to refresh their knowledge of the subject. There are two levels of certification:

Cyber Essentials

This self-assessment option gives you protection against a wide range of the most common cyber attacks. Cyber Essentials shows you how to address any vulnerabilities your business might have to basic and common attacks, helping you to prevent them.

Cyber Essentials Plus

Cyber Essentials Plus goes beyond the Cyber Essentials certification to include a hands-on technical verification. Organisations seeking a higher level of security should consider this option.

What’s covered in the Cyber Essentials program?

The Cyber Security Essentials program covers various topics related to cybersecurity, including network security, malware, social engineering, data protection, and incident management. The program is designed to provide individuals with the knowledge and skills to protect themselves and their organisations from cyber threats.

How is the Cyber Essentials program delivered?

The Cyber Security Essentials program is typically delivered through online training and in-person workshops. Participants must complete a series of modules and pass an exam to receive the accreditation.

Why Cyber Security Essentials accreditation is critical for businesses

Cyber Essentials helps to guard your business against the most common cyber threats and demonstrates your commitment to cyber security.

Cyber attacks can have severe and far-reaching consequences for businesses, including:

Financial losses

Cyber attacks result in an ongoing financial hit if you are unable to provide your usual services to customers and, in the case of ransomware, can require payment to cyber criminals to release valuable devices and data or prevent data destruction. You may also need to repair or replace affected systems – an additional and unexpected expense

Operational interruption

An attack on your systems could paralyse your network. It could force you to close off parts of your business to ensure cybercriminals can no longer access your data

Loss of productivity

Cyber attacks disrupt normal business operations, making it difficult or impossible to carry out day-to-day tasks, leading to lost productivity, missed deadlines, and low staff morale

Reputation damage

In some industries, the fact that you’ve fallen victim to a cyberattack could erode trust and drive customers away permanently

Legal and regulatory consequences

Depending on the nature of the cyber attack and the data involved, your business may face legal and regulatory consequences, including fines, lawsuits, and other penalties

Cyber attacks in numbers

The statistics on cyber threats to UK businesses* make for concerning reading:

  • 39%: The number of UK businesses reporting a cyber attack or data breach in the previous 12 months
  • £4,200: The average reported cost of cyber attacks across all sizes of business in the UK
  • £19,400: The average reported cost of cyber attacks on medium and large businesses across the UK
  • 31%: The number of UK businesses that estimate they were attacked at least once a week
  • 19%: The number of UK businesses that have a formal incident response plan
  • 6%: The number of UK businesses that have the Cyber Security Essentials certification

While all these statistics are startling, the last statistic is especially concerning, given the benefits of the Cyber Security Essentials accreditation. We’ll cover these next.

* Source: UK government’s Cyber Security Breaches Survey 2022

Benefits of Cyber Security Essentials accreditation

There are many benefits to achieving the Cyber Security Essentials accreditation, including:

Improved security

Taking on the Cyber Security Essentials accreditation is one of the most comprehensive ways to fully assess and review your security controls and processes. A robust approach to IT security means you can detect cyber attacks earlier, and their impact won’t be as devastating as it could have been.

Protection of sensitive data

While no security scheme is ever 100% effective, Cyber Essentials helps protect your business against around 80% of cyber attacks, significantly reducing your risk as a result.

The Cyber Essentials scheme tells you what actions to take to reduce the threat of cyber attacks on your business through five technical controls:

  • Boundary firewalls and internet gateways: Identifying and preventing unwanted traffic from accessing your network, devices, and systems
  • Secure configuration: Changing default device settings and passwords to reduce cyber risks
  • Access control: Managing administrative access to vital data, systems, and apps and improving password management
  • Malware protection: Locking down all systems and devices that are connected to the internet to prevent unauthorised access using malware (malicious software)
  • Patch management: Removing out-of-date software and applying security patches as soon as they become available to address common weak spots and improve performance

Reduced risk of financial loss

Focusing on cyber security through the accreditation process will ensure your business is much less likely to experience a data breach. You also avoid any potential costly GDPR fines, which can be up to 4% of your global turnover.

Lower insurance premiums

Cyber Essentials accreditation provides you with free Cyber Liability Insurance as long as the following is true:

  • Your business is based in the UK
  • It has a turnover of under £20 million
  • You get certified with an IASME (Information Assurance for Small and Medium Enterprises) body

The Cyber Insurance policy covers extortion demands, business interruption, loss of electric data, event management costs in the case of an attack or breach, regulatory fines, and liability up to a limit of indemnity of £25,000. However, this is only enough to cover minor breaches. You may need to seek additional cyber insurance.

Enhanced customer trust and loyalty

Certified cyber security will reassure customers that you are actively working to secure your IT against cyber attacks. Cyber Essentials is a great way to inform your customers that you know their data is valuable and you are taking steps to protect it.

Attract new customers

The promise of cyber security measures being in place is another reason for a potential customer to get in touch with you or to decide to become a customer. And, if you wish to offer your services to the UK government or Ministry of Defence, you will be ready for contracts that require Cyber Essentials certification.

Globally recognised

The Cyber Security Essentials accreditation is recognised by organisations and government agencies worldwide as a standard for cybersecurity awareness and training.

Once your business is officially certified, it will be added to the NCSC (National Cyber Security Centre) database of certified organisations.

Peace of mind

The Cyber Essentials certification will give you peace of mind that your defences are good enough to protect against the majority of common cyber attacks. Why? Because most common attacks search for targets that don’t have the Cyber Essentials technical controls in place.

You need a clear picture of your organisation’s cyber security level, and that’s exactly what this accreditation will give you.

Cyber Security Essentials costs

The cost of Cyber Essentials accreditation depends on which level of certification you choose, how ready your business is before you apply, and any remedial work required during the process of securing the accreditation.

Preparing to apply

In addition to the costs for the certification itself, you should also account for the costs of preparing for the evaluation and the work required to align your activities with the five controls of the scheme.

You will need to hire an external assessor or consultant to provide the external verification required as part of the application process. They will review your security policies, procedures, and controls and perform a vulnerability scan that is required before applying for the accreditation.

If there are any changes required to get your business ready for the accreditation, such as updating firewalls, deploying anti-malware software, or patching systems, you will also incur costs from your IT provider.

This work will greatly reduce the risk of failing the Cyber Security assessment and having to start over. The Cyber Essentials questionnaire can be retaken for free within two days. However, you will need to pay the fee again if you fail for the second time or resubmit after the two-day time period has ended.

Costs for applying for Cyber Essentials

The pricing for Cyber Essentials (the self-assessment option) ranges from £995 to £1,200, excluding VAT, depending on the number of employees in your business.

Costs for applying for Cyber Essentials Plus

The cost of the Cyber Essentials Plus assessment depends on the size and complexity of your network. The certification fee typically ranges between £1,900 and £4,000, excluding VAT.

Full pricing information can be found on the NCSC website.

Costs for any remedial work

There may be remedial work required to pass the Cyber Essentials assessment. Depending on what the assessment reveals, this could be where your business incurs the most costs as part of the process. However, any work that increases your security and helps to prevent any kind of cyber attack should be viewed as a worthwhile investment.

Renewal costs

Cyber Essentials certificates are valid for 12 months, so you are required to review your practices and renew your certification annually. The costs of this renewal will depend on the size of your business and which level of certification you require.

An IT services provider like RAD Group can provide a fully managed Cyber Security service that includes handling your renewal for you.

Costs of not certifying your business

The cost of stolen data, fines and lost business would be much more significant in comparison to those required to gain the Cyber Security accreditation.

And remember that the accreditation increases your competitiveness and can bring business opportunities, including potential government projects. So think of these costs as a positive investment in your business.

How to obtain Cyber Security Essentials accreditation

Overview of the accreditation process

There are four steps to becoming Cyber Essentials certified:

  • Choose an IASME certification body
  • Work together with your certification body to meet the Cyber Essentials standard
  • Complete the questionnaire and wait for your certification body to make their assessment
  • Receive your Cyber Essentials certification

Steps to prepare for accreditation

There are some steps you can take to get your business ready for Cyber Essentials accreditation:

  • Understand the requirements, which are based on the five key controls we mentioned earlier
  • Establish the scope of the accreditation by identifying the systems and networks that will be included in the assessment
  • Conduct a self-assessment questionnaire to identify gaps in your security controls that need addressed before applying for accreditation
  • Implement any required changes from your self-assessment (for example, updating firewalls, deploying anti-malware software, or patching systems)
  • Obtain external verification through an external assessor who can verify that you have met the requirements through a review of your policies, procedures, controls and a vulnerability scan
  • Apply for accreditation by submitting the results of your assessment and paying the accreditation fee

Maintaining Cyber Security Essentials accreditation

Once you have successfully attained Cyber Security Essentials accreditation, you will, of course, want to ensure you can maintain that high standard of security and protection over the long-term. This makes the initial investment of time and money worthwhile and will help solidify your reputation as a responsible business that protects its data.

Importance of ongoing security awareness and training

Employees can be a weak link in the security shield you place around your business, so it’s essential to provide regular training to ensure they understand their role in maintaining that security. This may include training on password hygiene, phishing attacks, and social engineering.

Contact us about security training.

Regular assessments and updates to security controls

Cyber threats are constantly evolving, so monitoring network traffic and reviewing your security controls to ensure they remain effective is critical. This may involve regular vulnerability scans, penetration testing, and risk assessments.

Contact us about assessing and maintaining your IT security.

Stay up-to-date with best practices

By reading industry publications and newsletters, attending conferences, and following cyber security news (including our own newsletter!), you can stay informed about new threats and emerging trends in cyber security.

Request the RAD Group insights newsletter.

Conclusion

By now, you will have a clear understanding of why Cyber Security Essentials accreditation is critical for securing your business and how to get started on the path to accreditation.

Contact our team today to learn more about Cyber Security Essentials accreditation.