Cyber Essentials certification – our first-hand experience (and how it helps)


According to the UK government, 39% of businesses reported a cybersecurity breach in 2021. 21% lost money, data, or other assets. With ever-increasing dependence on technology, this critical business security risk is set to grow.

Without doubt, the recent pandemic accelerated the risk. As businesses rushed to work from the kitchen table, weaknesses appeared in IT networks, vulnerabilities that cyber-attackers were quick to exploit.

Whilst most organisations have since worked hard to strengthen their digital infrastructure, the risk has evolved. Ransomware is now commonplace and incredibly sophisticated whilst phishing emails are an almost daily occurrence.

IT security is a serious challenge to business continuity. Whether your turnover is £100,000 or £100m it’s imperative to have robust IT policies in place.

That’s why we decided to achieve Cyber Essentials certification. We recently passed our first assessment, and this is a ‘fly on the wall’ account of what it took to become Cyber Essentials certified.

[Image: the Redox Software Cyber Essentials certificate displayed on a tablet]

What is Cyber Essentials certification?

Launched in 2014, Cyber Essentials is a government-backed scheme available to all businesses. It’s designed to help you strengthen your security against cyber-attacks. By achieving certification, not only do you have documented evidence that you’re taking IT security seriously, you also have policies in place to ensure this remains the case.

In fact, to bid for government contracts, you must now have Cyber Essentials certification. We think it’s only a matter of time before this requirement widens to businesses generally.

Take-up is growing from a small base and limited awareness. Currently, only 13% of 4.5 million UK businesses claim to know about Cyber Essentials. As a result, only 30,000 hold Cyber Essentials certification at this time. That’s a drop in the ocean.

The benefits of certification are significant:

  • Customer reassurance – you’re securing your IT (and their data) against attack
  • New business enabler – you’re a safer bet for prospective customers
  • Cybersecurity insurance – businesses turning over less than £20m receive an insurance policy on certification

A less considered benefit is the opportunity to improve your IT security policies and discover weaknesses you can overcome. Given that the cost to certify starts at £300, it should be an obvious choice for most businesses.

How does it work?

The scheme is managed via the government partner IASME, and you can choose between two types of certification:

  1. Cyber Essentials basic – you work through a self-assessment process
  2. Cyber Essentials plus – you self-assess prior to an independent audit

An online questionnaire helps you self-assess your business. You must supply evidence you’re controlling five key security areas:

  1. Secure configuration – such as passwords, software installation, device locking
  2. User access control – including control of user privileges and unique accounts
  3. Security updates – your software update policies and current licensing
  4. Malware protection – ensuring your protection covers all devices and updates daily
  5. Firewalls – correct configuration for software and hardware

Upon completion of all questions, IASME reviews your information to ensure you meet the required standard for certification.

If you complete Cyber Essentials basic and then decide to apply for plus certification (with an independent audit), you won’t need to complete the questionnaire again provided fewer than three months have passed since your last assessment.

[Image: Alan Churchward, Head of Operations at Redox Software]

Our Cyber Essentials certification process

Whilst our IT security was in good shape, we hadn’t documented every process. We knew we could do better, and it was important to practise what we preach.

ISO27001 or Cyber Essentials?

We first had to confirm Cyber Essentials was the right way to bolster our IT security, given some might consider ISO27001 an alternative.

Internationally recognised, ISO27001 goes further than Cyber Essentials. Not only does it cover device, network, and server security, it also includes offline (paper) and premises security.

Redox doesn’t have an office. Our team works remotely all the time. Plus, our clients are UK-based. For us, Cyber Essentials was the perfect place to start.

Choosing our timeframe

It would be possible to complete the Cyber Essentials questionnaire in two weeks if someone devoted themselves to it and everything was in place. Instead, we chose to pace ourselves, learning and developing new policies as we progressed.

The work was led by Alan Churchward, our Head of Operations, who set time aside each week for five months. You can tackle the questionnaire (structured around the five sections) in any order, saving your entries and uploads whilst tracking your progress.

Some questions are easier to complete than others. Many require supporting evidence and documentation. Should a question be unclear, help is available from IASME (by phone and email). We found them quick to respond and incredibly supportive.

Our queries mainly concerned working remotely 100 percent of the time. This put a different perspective on certain issues, such as securing home networks and using personal devices for work activities. If you’re now taking a hybrid approach to your working practices, remote security will be relevant to you too.

The final part of the questionnaire concerns board sign-off. You cannot achieve certification without the entire business committing to the policies and protocols documented. Cyber Essentials certification is designed to become part of your business culture; it’s not a tick-box exercise to gain a marketing logo.

Of course, certification doesn’t stop after year one either. To maintain our secure status, we must self-assess annually and mitigate new risks as the cyber landscape evolves.

Little-known security tips IASME highlighted

Discovering gaps in your security knowledge and IT processes is a huge benefit of Cyber Essentials. We’ve certainly noted many learnings which have now strengthened our IT practices.

Make passwords easier to remember and harder to guess

Cyber-attacks often make use of passwords. Previous advice has been to update your key passwords frequently. This can, in fact, present a higher risk.

When you force people to change their passwords every few months, they become complacent. Many simply rotate a handful of passwords they can easily remember. Others set up easy-to-guess passwords using a simple sequence, such as password2022 or hello1235. These passwords are much easier for hackers to overcome.

Thanks to Cyber Essentials, our approach to password management has now changed. In addition to our strong password policy, we follow NCSC guidelines and only use passwords when necessary. We also prioritise other security methods where possible, such as SSO, MFA, hardware tokens, and biometrics.
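The weak patterns described above (a common word plus a number, or a previous password with only its number bumped) can be rejected at password-change time instead of relying on forced expiry. The following checker is an added example written for this article, not code from Redox or IASME; the small denylist of common base words is a constructed stand-in for a real breached-password list.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a breached/common-password list (assumption for this
# example; a production check would use a large published list instead).
COMMON_BASES = {"password", "hello", "welcome", "letmein", "qwerty", "summer"}

# base word, then a run of digits, then optional trailing symbols, e.g. "Summer2023!"
_SUFFIX = re.compile(r"^(?P<base>.*?)(?P<digits>\d+)(?P<tail>[^\w]*)$")


def split_suffix(pw: str) -> Tuple[str, str]:
    """Split 'password2022' into ('password', '2022'); no numeric suffix -> (pw, '')."""
    m = _SUFFIX.match(pw)
    if not m:
        return pw, ""
    return m.group("base"), m.group("digits")


def is_common_base_with_number(pw: str) -> bool:
    """True for 'password2022' / 'hello1235' style passwords: common word plus digits."""
    base, digits = split_suffix(pw)
    return bool(digits) and base.lower() in COMMON_BASES


def is_trivial_rotation(new_pw: str, previous: List[str]) -> bool:
    """True when new_pw reuses an old password outright, or keeps an old
    password's base word and only changes the numeric suffix (hello1234 -> hello1235)."""
    new_base, new_digits = split_suffix(new_pw)
    for old in previous:
        if new_pw.lower() == old.lower():
            return True
        old_base, old_digits = split_suffix(old)
        if new_digits and old_digits and new_base.lower() == old_base.lower():
            return True
    return False


def check_password(new_pw: str, previous: List[str], min_len: int = 12) -> List[str]:
    """Return the list of policy failures for a proposed password; empty means accepted."""
    problems = []
    if len(new_pw) < min_len:
        problems.append("too short")
    if is_common_base_with_number(new_pw):
        problems.append("common word plus numbers")
    if is_trivial_rotation(new_pw, previous):
        problems.append("rotation of a previous password")
    return problems
```

Run against the article's own examples, `password2022` fails on the common-word pattern and `hello1235` (after `hello1234`) fails on both the pattern and the rotation check, while a long passphrase with no numeric suffix passes.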

Secure home routers

As an entirely remote business, we’ve paid close attention to home networks and personal devices used for work access. Often overlooked, these create an ideal opportunity for hackers to access your systems.

Our remote working policy ensures every team member changes the default administrative password on their router. We’ve also checked for appropriate firewall configuration and secure personal devices.

When it comes to home-working, there’s a fine balance between business security and personal intrusion. Yet, it’s crucial to get everyone on board and secure all access points to your business network. Remote working changed the rules, including those for IT security.

This focus on remote networks also helps home workers themselves: they benefit from a more secure personal set-up at home.


Poor IT security can kill your business

With the right mindset, you can quickly appreciate why certifications such as Cyber Essentials are so vital. Yes, they’re time-consuming to achieve, but they help to enhance your IT security immeasurably.

We thought we’d got this covered at Redox. And yet, the Cyber Essentials process highlighted where we could become more secure.

A cyber-attack can take down your systems in an instant. Downtime can cost thousands. Ransoms can be eye-watering. Today, IT security is (rightly) a core part of business continuity – for your business and those you serve.

Having achieved Cyber Essentials certification, we believe it’s worth its weight in gold. Should you want to learn more about the process, or how it’s helped us, please do get in touch.
