The differences between Cyber Essentials and Cyber Essentials Plus

Wed, 25 Jan 2023

The Cyber Essentials certification is designed to demonstrate that minimum levels of cyber security have been achieved within a business. It is a government-backed scheme that places the emphasis firmly on protecting an enterprise from cybercriminals. The original Cyber Essentials scheme was introduced in 2014, and there are two levels – Cyber Essentials and Cyber Essentials Plus. But what’s the difference?

Why do we have Cyber Essentials?

It is estimated that more than 70% of cyber attacks on UK businesses could have been prevented with basic security controls. That is the reason for the introduction of the Cyber Essentials scheme. With cybercrime on the rise and new techniques and technology being adopted to attack businesses all the time, it’s increasingly important for there to be some basic protection in place. While it’s not possible to entirely erase the potential for a cyber attack on a business, having basic controls in place can help to mitigate the damage that could be done in such an attack – or make it a less appealing prospect to a potential attacker.

What is Cyber Essentials?

It’s a government-backed certification available to any business that is designed to provide a degree of security against a cyber attack and to reduce the impact of any attack that does take place. There are two levels of certification – Cyber Essentials and Cyber Essentials Plus. While both certifications demonstrate a commitment by the business to cyber security and protecting data, Cyber Essentials Plus is an audited version of the certification. This means that the Cyber Essentials basics have been independently verified, taking the certification one step further.

What does Cyber Essentials require?

The basic Cyber Essentials certification requires a business to demonstrate that it has implemented the five technical controls of the Cyber Essentials certification. These are:

  1. Boundary firewalls – essentially the outer layer of protection between the business and the web.
  2. Malware protection – the ability to detect and block malicious software.
  3. Secure configuration – settings that make it difficult for others to access the business’s systems.
  4. User access control – restricting access to certain data or the installation of software, for example.
  5. Patch management – to avoid basic flaws and vulnerabilities that would provide an easy way in for a cybercriminal.

By implementing these essential controls, any business can reduce some of the risks of cyber attacks. The following are examples of the questions that are likely to be asked to confirm that the right measures are in place:

  • Does the organisation have a business-grade firewall, and have the passwords been changed since it was implemented?
  • Are the business’s security packages kept up to date with security fixes, and is there an account lockout policy to defend against brute force attacks?
  • Do all users have to use secure passwords and have staff got the right permissions to do the required tasks?
  • How does the business protect against malware?
  • Is there anti-virus protection in place, and how often does it scan?
  • Are security patches applied promptly?

What are the advantages of Cyber Essentials?

  • The certification demonstrates that your business is taking cybersecurity seriously, which can reassure customers and staff.
  • The scheme is backed not only by the government but also by several other organisations, including the CBI and the Federation of Small Businesses.
  • Cyber Essentials works for any business in any sector.
  • It is a recognisable level of cyber security.
  • Some contracts may require it, for example, contracts with the government (since October 2014).
  • It may help to demonstrate that your business has taken steps to protect data in compliance with the provisions of the GDPR. Although Cyber Essentials isn’t a requirement for complying with the GDPR, the five key steps that it requires for certification will go a long way towards meeting the criteria of the data protection regulation and helping your business to avoid potential action or penalties for failures.
  • Investing in Cyber Essentials can help to prevent a cyber attack – the time and money it may require to get certified are small compared to the potential consequences of an attack being carried out when there aren’t even the most basic protections in place for the business.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both certifications work based on the same five technical controls. Under the Cyber Essentials certification, the applicant company will need to answer a set of questions to show that the five technical controls have been implemented within the business. To achieve the Cyber Essentials Plus certification, an external assessor is involved in testing and proving that the five technical controls are in place.

The Cyber Essentials Plus technical audit

The audit process consists of several tests that are carried out on the website of the business. These include:

  • A remote vulnerability assessment, designed to test whether an attacker could get into the website using basic, low-skill methods, such as exploiting open ports on the firewall.
  • Patch management, which is tested via an authenticated vulnerability scan that will identify missing patches and security updates.
  • Ensuring at least a basic level of malware protection on all the end-user devices in scope.

Where the Cyber Essentials criteria have been effectively implemented, an audit like this should not present a problem for the business.

Both Cyber Essentials and Cyber Essentials Plus provide a way for businesses to implement a basic standard of protection against cyber attacks – and to demonstrate to third parties that these steps have been taken. This can reassure clients and customers and support the business in compliance with regulations like the GDPR. Whether the Cyber Essentials or Cyber Essentials Plus certification will be the right move for the business depends on the level of certification desired. Both will help ensure the business has key protections, but the Cyber Essentials Plus certification further verifies this.

Our experienced team will support you through Cyber Essentials Accreditation from sign-up to completion. We’ll ensure a smooth process and minimal disruption throughout; get in touch with us today.