Why every Welsh business should be Cyber Essentials certified




This month we invited the Chief Operating Officer of IASME, Chris Pinder, to answer a few questions on why Cyber Essentials is so essential to Welsh businesses of every size, what steps a company needs to take to get certified, and the benefits of achieving it.


IASME is an organisation committed to helping businesses improve their cyber security, risk management and good governance. Working alongside a network of over 280 Cyber Essentials Certification Bodies across the UK, IASME helps certify organisations of all sizes in both cyber security and counter fraud.


Why do small and micro businesses need Cyber Essentials?

Many small businesses do not see their business or their data as a target for cyber attack, yet they are still at risk of being attacked. Most cyber attacks are not carried out by criminal masterminds, nor are they targeted at any business in particular. Instead, unskilled criminals are able to access freely available tools and randomly attack many thousands of businesses or individuals in one go.


95% of cyber-crime is indiscriminate and opportunistic.


These untargeted attacks exploit basic weaknesses that can be found in many organisations, such as staff using administrative accounts for day-to-day tasks or not setting up two-factor authentication for online accounts. Cyber Essentials consists of five controls that will reduce the impact of common cyber-attack approaches by up to 80% and could reduce potentially large-scale damage from one phishing email.


Some of the most publicised attacks have been as a result of a breach in the business' supply chain, so even if a business has some basics in place, cyber criminals can find their way into a network by using the weakest link in the chain. Business to business assurance is now vital to winning new business within a supply chain, and more and more contracts are mandating cyber security.


A cyber attack could mean anything from a virus affecting how a computer operates, to loss of access to all data in a ransomware attack. The worst case for most businesses would be the theft of customer personal data which would not only result in an investigation and possible fine by the ICO, but the loss of reputation and trust. Reputational damage can have a long term impact on a company, affecting not only the number of clients, but also the relationship with its suppliers and the quality of its partnerships.


With Cyber Essentials certification, a small business can take control of its cyber risk and show responsibility towards its customers, supply chain and the information it is trusted with. Many small business owners say that working towards the certification acts as a useful checklist to ensure they have not overlooked anything, and describe the process as highly educational.


By certifying annually to an evolving Government approved scheme, small steps that are inexpensive and simple can become embedded into an organisation's everyday working practices, and this will develop a security conscious culture.


What benefits/support does it bring?

Cyber Essentials is now widely considered as the minimum level of cyber security for all businesses. Certification to the Government approved scheme demonstrates to your customers and supply chain that you take cyber security seriously and are safe to do business with.


Free online Readiness Tool

Many sole traders and small businesses know they need to address their cyber security, yet find it overwhelming and complicated and do not know where to start. This is a very common barrier for many businesses. To help businesses get started, IASME, in partnership with the National Cyber Security Centre, has created a free online tool. The Cyber Essentials Readiness Tool is accessible in the form of a set of interactive questions on the IASME website. The process of working through the questions will inform an organisation about their own level of understanding and what aspects they need to focus on. Based on their answers, they will be directed towards guidance written in plain English and, at the end of the process, be presented with a tailored action plan and detailed guidance for their next steps towards certification.


Trained cyber security consultants all over the UK

For in-depth and bespoke support, businesses can contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. The Cyber Resilience Centre for Wales also works in partnership with many Welsh IASME certification bodies and can assist regional businesses in connecting with these organisations.


These specialists are trained and licensed to certify against Cyber Essentials and can offer consulting services to help businesses achieve certification.


Included Cyber Liability insurance

If a business is UK-domiciled, has an annual turnover of less than £20m and the Cyber Essentials certification covers the entire organisation, the business can opt into the included cyber liability insurance. This does not involve any additional cost or forms, and the insurance cover includes a 24hr technical and legal incident response service. Many professional indemnity policies that used to protect businesses if they suffered a cyber breach are now changing their terms to restrict or exclude cover due to the high number of claims.


How and where can I access Cyber Essentials?

The Cyber Essentials assessment consists of a verified self-assessment questionnaire which can be downloaded for free from the IASME website. Organisations are encouraged to download the question set to help them prepare before registering for certification.

Once registered for certification, organisations log onto a secure portal to answer the questions which address the scope of the assessment and the five core controls. These include user access control, secure configuration, security update management, firewalls and routers, and malware protection.

A senior member of the board will sign a document to verify that all the answers are true and then a qualified external assessor will mark the answers. Organisations have 6 months from the date of application to pass the assessment and attain certification.


Is it free to access?

The Cyber Essentials verified self-assessment questions can be downloaded for free. Certification costs £300 + VAT for a micro-organisation (1-9 employees). Small, medium and large organisations will pay a little more, on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations.


What is required to achieve Cyber Essentials certification?

Cyber Essentials is an online verified self-assessment questionnaire which relies on the applicant being able to understand the questions and know the answers. A board member from the organisation must sign a declaration to confirm that all the answers are true.


On average how long does certification take to complete?

If an organisation has downloaded the question set in advance and prepared the answers, filling out the self-assessment might only take a few hours. Once payment is received, access is given to an online portal and the organisation is given six months to complete the assessment before the account is archived.


What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials Plus starts with the Cyber Essentials verified self-assessment questionnaire but also includes a technical audit of the organisation's systems to verify that the Cyber Essentials controls are in place. The audit focuses on a selection of user devices, all internet gateways and all servers which are accessible to internet users. The assessor will test a random sample of these systems (typically around 10 per cent) and then make a decision about whether further testing is needed.


The controls for Cyber Essentials and Cyber Essentials Plus are exactly the same but the level of assurance is different. Cyber Essentials Plus offers a higher level of assurance as the controls have been checked by a third party to ensure they are correctly implemented.


As the Cyber Essentials Plus assessment needs time from technical experts, it is more expensive than the basic level Cyber Essentials. The cost will depend on the size and complexity of the network. IASME has a number of Certification Bodies who are trained and licensed to do the Cyber Essentials Plus audit. A quote for Cyber Essentials Plus can be applied for via the IASME website, and the applicant will be emailed quotes from three different Certification Bodies.


When it comes to staying cyber resilient, what is the best/key piece of advice you would give SMEs and micro businesses?

Cyber security reduces the risk of a cyber-attack or data breach. Many of the most robust cyber security measures are often the simplest and are tied to device settings and work processes. Technical security measures such as using strong passwords, having two-factor authentication and separating user accounts help prevent many of the common attacks that companies face. Implementing all of the Cyber Essentials controls brings an organisation to the recommended minimum level of cyber security, but if an organisation is struggling to implement them all at once, every additional control put in place makes a significant difference.


The Cyber Essentials scheme is based on defensive technical controls which will help prevent commodity cyber attacks. There are also a series of controls which, in the event of a successful attack, will help organisations continue to do business and recover. One of the most important of these strategies is backing up data to multiple locations, including an off-site, offline source.


It also makes good business sense to have a planned and practised procedure in place in case of an event. In planning for an incident, the NCSC's "Exercise in a Box" is a very useful way to start considering what might be needed in the event of an incident. When an organisation performs exercises to practise and test their response to a variety of different incidents, they can be more confident that they are prepared. Practising an incident response makes it more likely that good decisions will be made under pressure and that lessons can be learned early.


The WCRC Trusted Partners are a group of expert cyber security companies in Wales who can assist you in the process of achieving Cyber Essentials and Cyber Essentials Plus certification.


To request help, simply get in touch via our website and a member of our team will contact you.

