The five controls of Cyber Essentials can help Welsh businesses of all sizes protect themselves against cyberattack.
What will Cyber Essentials do for me?
There are more than 220,000 businesses across Wales. Many do not see their business or their data as a target for cyber attack, yet they are still at risk of being attacked. Most cyber attacks are not carried out by criminal masterminds, nor are they targeted at any business in particular. Instead, unskilled criminals use freely available tools to attack many thousands of businesses or individuals indiscriminately in one go.
95% of cyber-crime is indiscriminate and opportunistic.
These untargeted attacks exploit basic weaknesses that can be found in many organisations, such as staff using administrative accounts for day-to-day tasks or not setting up two-factor authentication for online accounts. Cyber Essentials consists of five controls that will reduce the impact of common cyber-attack approaches by up to 80% and can limit the potentially large-scale damage that a single successful phishing email can cause.
Some of the most publicised attacks have been the result of a breach in the business's supply chain, so even if a business has some basics in place, cyber criminals can find their way into a network by using the weakest link in the chain. Business-to-business assurance is now vital to winning new business within a supply chain, and more and more contracts are mandating cyber security.
A cyber attack could mean anything from a virus affecting how a computer operates to loss of access to all data in a ransomware attack. The worst case for most businesses would be the theft of customer personal data, which would not only result in an investigation and possible fine by the ICO, but also the loss of reputation and trust. Reputational damage can have a long-term impact on a company, affecting not only the number of clients but also the relationship with its suppliers and the quality of its partnerships.
With Cyber Essentials certification, a business can take control of its cyber risk and show responsibility towards its customers, supply chain and the information it is trusted with. Many business owners say that working towards the certification acts as a useful checklist to ensure they have not overlooked anything, and describe the process as highly educational.
By certifying annually to an evolving Government-approved scheme, small steps that are inexpensive and simple become embedded into an organisation's everyday working practices, and this develops a security-conscious culture.
Included Cyber Liability Insurance
If a business is UK-domiciled, has an annual turnover of less than £20m and the Cyber Essentials certification covers the entire organisation, the business can opt into the included cyber liability insurance. This involves no additional cost or forms, and the insurance cover includes a 24-hour technical and legal incident response service.
How do I certify to Cyber Essentials?
The Cyber Essentials assessment consists of a verified self-assessment questionnaire which can be downloaded for free from the IASME website. Organisations are encouraged to download the question set to help them prepare before registering for certification.
Once registered for certification, organisations log in to a secure portal to answer the questions, which address the scope of the assessment and the five core controls: user access control, secure configuration, security update management, firewalls and routers, and malware protection.
A senior member of the board signs a document to verify that all the answers are true, and a qualified external Assessor then marks the answers. Organisations have six months from the date of application to pass the assessment and attain certification.
What are the costs?
The Cyber Essentials verified self-assessment questions can be downloaded for free. Certification costs £300 + VAT for a micro-organisation (1-9 employees). Small, medium and large organisations pay a little more, on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations.
How long does certification take to complete?
If an organisation has downloaded the question set in advance and prepared the answers, filling out the self-assessment might take only a few hours. Once payment is received, access is given to an online portal and the organisation has six months to complete the assessment before the account is archived.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment questionnaire but also includes a technical audit of the organisation's systems to verify that the Cyber Essentials controls are in place. The audit focuses on a selection of user devices, all internet gateways and all servers that are accessible to internet users. The Assessor tests a random sample of these systems (typically around 10 per cent) and then decides whether further testing is needed.
The controls for Cyber Essentials and Cyber Essentials Plus are exactly the same, but the level of assurance is different: Cyber Essentials relies on the organisation's own signed-off answers, whereas Cyber Essentials Plus offers a higher level of assurance because a third party has checked that the controls are correctly implemented.
The cost will depend on the size and complexity of the network. IASME has a number of Certification Bodies who are trained and licensed to do the Cyber Essentials Plus audit. A quote for Cyber Essentials Plus can be applied for via the IASME website, and the applicant will be emailed quotes from three different Certification Bodies.
Where to get help and support
Free online Readiness Tool
Many businesses know they need to address their cyber security, yet find it overwhelming and complicated and do not know where to start. The Cyber Essentials Readiness Tool was developed to help businesses get started; it takes the form of a set of interactive questions on the IASME website. Working through the questions shows an organisation its own level of understanding and which aspects it needs to focus on. Based on their answers, users are directed towards guidance written in plain English and, at the end of the process, presented with a tailored action plan and detailed guidance for their next steps towards certification.
Trained and assured cyber security consultants
Some of the Cyber Essentials self-assessment questions can be difficult to understand if you do not have a technical IT background or if your company structure is complex.
Cyber Advisors work for a National Cyber Security Centre Assured Service Provider to provide small and medium sized organisations with reliable and cost effective cyber security advice and practical support. Advisors can apply their technical knowledge and provide hands-on support with the specific needs of an individual business in mind, to help them take recommended actions.
Cyber Essentials Assessors work for a Certification Body. They are trained and licensed by IASME to assess whether an organisation meets the criteria required for Cyber Essentials certification and to issue that certification. They will also be able to help you understand the assessment questions and how they relate to your company.
The Cyber Resilience Centre for Wales also works in partnership with many Welsh IASME Certification Bodies and can assist regional businesses in connecting with these organisations. These include Stable, Capital Network Solutions, Astrix, excellenceIT, Morgan & Morgan, Knox Cyber Security, Jovasi, Arcanum, Boyns Information Systems, Seiber and PureCyber.
You can download the Cyber Essentials requirements and self-assessment question set in Welsh here.
In 2023, Cyber Essentials certification in Wales increased by 20% and Cyber Essentials Plus by 42%. The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the government approved minimum level of cyber security in place and can be trusted with their data and business.
Apply for Cyber Essentials here.
You can also watch the ‘Introduction to Cyber Essentials’ webinar that the WCRC delivered in partnership with IASME, which provides details about the scheme, as well as the follow-up workshop delivered by the WCRC’s Head of Cyber and Innovation, Paul Hall. This offers guidance on how to prepare for the accreditation, tips for completing the process and answers to commonly asked questions.