A business owner's guide to Cyber Essentials

Use our handy Cyber Essentials buyer's guide to safeguard your business and discover why your organisation should consider becoming Cyber Essentials certified.

Since its launch in 2014, a total of 132,094 Cyber Essentials certificates have been awarded. In this blog, "A business owner's guide to Cyber Essentials", we look at what Cyber Essentials is and what benefits gaining Cyber Essentials certification can have for your business.

What is Cyber Essentials?

In today's digital landscape, businesses navigate a world fraught with cyber threats, and the need to protect sensitive data and maintain robust cybersecurity measures has never been more critical. Cyber Essentials was created 10 years ago as a government-backed scheme. Its aim is to support businesses of any size in defending themselves against the most common cyber threats and reducing their online vulnerabilities.

There are two levels of certification to become Cyber Essentials verified:

  • Cyber Essentials (CE): The basic verified self-assessment option
  • Cyber Essentials Plus (CE Plus): As above, but independent technical verification is also carried out by the Certification Body

The Core Principles of Cyber Essentials

The core principles of Cyber Essentials revolve around five key areas essential for safeguarding businesses against common cyber threats:

1: Boundary Firewalls and Internet Gateways: Establishing and maintaining secure internet connections through firewalls and gateways to protect against unauthorised access from external networks. This principle ensures that only legitimate and necessary network traffic is permitted.

2: Secure Configuration: Ensuring that systems and devices are configured securely, minimising the vulnerabilities that attackers could exploit. This involves setting up hardware and software in line with industry best practice and standards, reducing the risk of a breach.

3: User Access Control: Managing and controlling user access effectively, so that individuals have only the access rights and permissions appropriate to their roles. This principle restricts unauthorised access to sensitive data and critical systems, minimising the risk of insider threats.

4: Malware Protection: Implementing robust anti-malware measures to defend against the various forms of malicious software. This includes using antivirus software, anti-spyware tools and other security solutions to detect, prevent and remove malware.

5: Patch Management: Regularly updating and patching software, operating systems and applications to fix known vulnerabilities and weaknesses. Timely patching keeps systems up to date with the latest security fixes, reducing the chances of exploitation by cybercriminals.

Adhering to these core principles forms the foundation of Cyber Essentials, helping businesses establish strong defence mechanisms against prevalent cyber attacks. By focusing on these key areas, organisations can significantly reduce their susceptibility to common threats and enhance their overall cybersecurity posture.

Cyber Essentials (CE)

This is the more straightforward of the two certification levels mentioned above. The Cyber Essentials designation is obtained via a self-assessment form, and the controls it requires give you protection against a wide variety of the most common cyber attacks. This matters because vulnerability to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks, because these attacks look for targets that do not have the Cyber Essentials technical controls in place. Cyber Essentials shows you how to address those basics and prevent the most common attacks.

Those wishing to complete the self-assessment option can use the Cyber Essentials readiness toolkit provided by the IASME Consortium to create a personal action plan that will help them meet the requirements for achieving Cyber Essentials.

On average, it takes a small business around 2 weeks to complete the self-assessment.

Cyber Essentials Plus (CE Plus)

Cyber Essentials Plus certification is more difficult to achieve and offers businesses a higher level of assurance and security. Beyond the fundamental protection offered by Cyber Essentials, Cyber Essentials Plus involves a more rigorous assessment, including internal scans and on-site audits conducted by certified cybersecurity professionals.

This thorough evaluation provides a deeper understanding of an organisation's security posture, uncovering potential vulnerabilities that might go unnoticed otherwise. Achieving Cyber Essentials Plus not only fortifies defences against common cyber threats but also showcases a higher level of commitment to robust cybersecurity practices. It enhances credibility, builds trust with partners and clients, and demonstrates a proactive approach to safeguarding sensitive data and critical systems, ensuring a more resilient and secure operational environment.

Your Cyber Essentials assessor will test user devices, all internet gateways and all servers with services accessible to unauthenticated internet users. The assessor will usually have to visit your main office location and potentially other offices you or your team may work out of in order to carry out the tests.

Depending on the size of your business and the time you can devote to it, it can take up to 6 months to receive Cyber Essentials Plus certification, due to the additional requirements involved.

Gather Technology is proud to be an accredited Cyber Essentials Plus company.

How much does it cost?

There are several pricing structures to take into account for both the Cyber Essentials and Cyber Essentials Plus designations. In January 2022, Cyber Essentials adopted a new tiered pricing structure to reflect the increasingly complex nature of assessments for larger organisations.

The new self-assessment pricing structure, which adopts the internationally recognised definitions of micro, small, medium and large enterprises, is as follows:

  • Micro organisations (0-9 employees): £300 +VAT
  • Small organisations (10-49 employees): £400 +VAT
  • Medium organisations (50-249 employees): £450 +VAT
  • Large organisations (250+ employees): £500 +VAT

You can complete the IASME Consortium Cyber Essentials online self-assessment form here.

Because the Cyber Essentials Plus certification is a more detailed assessment that must be carried out by a qualified technician, achieving this designation has a higher cost attached. Pricing for Cyber Essentials Plus can start from £2,000 for a micro-organisation.

Why should my business become Cyber Essentials certified?

Becoming Cyber Essentials certified is a fantastic way to demonstrate to existing and potential customers that you take cybersecurity seriously, which can also be instrumental in attracting new business. Furthermore, Cyber Essentials certification can help to improve an organisation's reputation and credibility, and it paves the way for new business opportunities and even discounted cyber-insurance cover. If applicable, it may open doors to government contracts: organisations that want to bid on government contracts are required to be certified under the Cyber Essentials scheme.

In short, obtaining certification helps to protect your organisation against 80% of the most common types of cyberattack, such as social engineering, which reduces the risk of business disruption from attack-related downtime. As discussed earlier in this blog, being certified under the Cyber Essentials scheme shows your commitment to protecting your data and that of your partners and customers. Certification enhances your organisation's reputation and shows that you are actively taking action to reduce the threat from cyberattacks.


Final thoughts

Obtaining Cyber Essentials or Cyber Essentials Plus certification is advantageous for your business: it bolsters your security against cyber threats, enhances your business's credibility and builds trust with partners and customers.

It is worth noting that both Cyber Essentials and Cyber Essentials Plus certifications expire after 12 months. If you do not renew your certification, your organisation will be removed from the government's list of certified organisations. Unfortunately, there is no discount for either the Cyber Essentials or the Cyber Essentials Plus renewal, so the assessment process must be fully undertaken again.

If you'd like to arrange a conversation with one of our IT experts about how your business can obtain Cyber Essentials certification, book a meeting with us.
