Cybercrime has increased in recent years as technology has advanced, yet 80% of cyber attacks are preventable by implementing basic security measures. For this reason, the United Kingdom government introduced Cyber Security Certification in 2014 under the National Cyber Security Centre (NCSC). To this end, Cyber Essentials (CE) is a government programme that protects businesses from cybercriminals and their attacks. It sets out the basic measures that organisations should implement to minimise cyber attacks. When a business or organisation is Cyber Essentials certified, it demonstrates its commitment to fighting cybercrime.
Levels of CE Certification
There are two levels of the certification:
1. CE Basic (level 1)
This certification assesses your ability to shield your business from common cyber attacks. Though some attacks may seem simple, cybercriminals use them to gauge your level of protection before launching larger attacks. Holding CE certification therefore gives you confidence that you have a baseline defence against ordinary cyber attacks, since cybercriminals target systems that have not applied the Cyber Essentials technical controls. By applying Cyber Essentials and completing the self-assessment, you will learn how to mitigate common attacks and concentrate on the basics.
If you intend to bid for public sector contracts, CE certification is required as one of the minimum conditions. The technical controls listed below are tested against your IT infrastructure.
• Malware protection
• Patch management
• Secure configuration
• User access control
2. CE Plus
CE Plus certification also shields you from ordinary cyber attacks, but it adds hands-on technical verification: your business systems are tested by a certification body.
What differentiates the two CE levels, and which should I go for?
The best option is CE Plus certification, because it is awarded only after an audit by the certification body establishes that all the necessary technical controls have been applied. CE Plus costs more, but it is worth the extra expense: as its name suggests, your systems gain extra assurance, and any cybercriminal attempting a malicious attack will find it considerably harder to succeed.
With CE Basic, by contrast, the certification body provides a self-assessment questionnaire and uses the answers you give to assess your security measures. If it is satisfied with your answers, it issues the CE certificate.
In simple terms, CE Basic is you declaring that you have put the security controls in place, while CE Plus is the certification body examining those security measures itself.
Why is CE certification necessary when you intend to do business in the public sector?
In early 2014, the United Kingdom government issued a directive that suppliers must meet new Cyber Essentials requirements when bidding for certain government contracts.
The directive was aimed mainly at contracts involving technical services and sensitive information. The Ministry of Defence applied it to all its suppliers from 2016, and CE is now a requirement for most contracts.
Recently, tender documents from local authorities have listed CE certification among their minimum requirements for working with them: without CE certification, your bid is automatically disqualified.
It is safe to assume that CE certification will become obligatory when bidding for contracts in the future, because the public sector cannot afford the risk of working with suppliers who have no CE controls in place.
What is the cost of certification?
• CE basic or level 1 costs £300 plus VAT
• CE Plus costs £1,900 plus VAT
It is important to note that these costs cover only the certificate itself. You will incur extra costs depending on whether you already have the security controls in place and on the state of your infrastructure. Hiring an expert to help you install the controls costs more still, but all of this is for the benefit of your business.
How long is the Cyber Essentials certification valid?
Certification is valid for one year, so you must re-certify annually to maintain your status. The process is the same each time, but it is far less tedious as long as the technical controls remain in place and working as intended.