What is Cyber Essentials Plus?

Cyber Essentials Plus is a certification scheme backed by the Government. It is designed to help businesses uncover risks that they may not otherwise be aware of and guard against the most common threats.

Why do I need Cyber Essentials Plus?

Cyber criminals can target any business at any time exploiting weaknesses in online security often for financial gain.

Cyber Essentials Plus shows that your business has established strict guidelines and processes to keep sensitive data secure, for example, financial records and personally identifiable information. You can demonstrate to clients and other businesses that you take cyber security seriously.

Budgets are tight. Is this service value for money?

In 2018, 32% of UK businesses had reported that they had experienced a cyber security breach. It is estimated that £190,000 a day is lost to cyber criminals. Having robust policies and procedures in place will prevent your business falling foul to online criminals. The small outlay at the beginning is worth it when you look at what could potentially be lost without it.

How does my business become Cyber Essentials Accredited?

The process is simple and is completed in four easy steps.

Firstly, to get started our expert team will guide you through the process by sending documentation which you can use to prepare yourself for the online assessment.

Secondly, you’ll log on to an online portal where you’ll be asked to fill in your assessment. This isn’t meant to be daunting, and if you need any advice or help are experts are on hand to guide you through.

Thirdly, one of our experts will come and visit your office to complete an audit of your self-assessment questionnaire. Whilst they’re there they will conduct a vulnerability scan of your network and externally facing services.

Finally, your assessment will be looked at and marked. If you pass, you will be officially Cyber Essentials Plus Accredited and you can publish a badge on your website showing clients and suppliers you take cyber security seriously.

If you fail the assessment, our experts will talk you through the next steps.

How much detail do I need to provide on each answer of my assessment?

There is a notes field for each question. You must provide a couple of sentences of information in the notes field for all of the questions to support your yes/no answer.

Your assessment is marked by an assessor who is an information security professional and has to make a judgement on  your situation. The more relevant information you can provide, the more likely it is that the assessor will understand your particular situation and will be able to mark accordingly.

How is my assessment marked?

All your answers must satisfy the assessor that the controls for all the aspects of risks to your system are in place and addressed to achieve Cyber Essentials Plus certification.

Does the “scope” need to be my whole company?

The scope should cover your whole organisation and doing so makes it much easier to answer the questions. However, we recognise that some organisations are complex and so you can describe a scope that relates to a particular subsidiary or business area of an organisation if necessary. It is important that it is a coherent entity that is logically separate from the wider organisation. It must also be technically isolated from the wider organisation, normally by using separate servers, applications and networks with boundary firewalls. If you choose a scope that is not the whole organisation, it is up to you to provide a clear scope description that is acceptable to the assessor. The scope description will appear on the certificate you receive.

If I use a mobile phone just for work emails, does it have to be in scope for assessment?

Yes. Any mobile devices, whether owned by staff or the business, that can access business information are in scope. Email accounts (whether hosted internally or in a cloud provider such as Office365) contain a lot of important business information and are the gateway to many online services so should be carefully protected.

Do I need anti-malware software on my mobile devices (smartphones and tablets)?
You have multiple options to prevent malware infection on mobile devices:
  1. You can choose to install anti-malware software – this is only available for Android mobile devices and some Blackberry devices. Many other devices, in particular iPhone and iPad and devices using Windows Phone operating systems, do not have anti-malware software available.
  2. Alternatively, you can stop malware by restricting the installation of software only to applications available in the devices App Store. If you choose this option you must create a list of approved applications that users are allowed to install on their device. You can use tools such as mobile device management software to assist with this but it is not a requirement to achieve compliance
Do I need anti-malware on my Apple Mac computer?

Yes you do. There are fewer viruses that affect Mac computers than Windows, but those that do exist are just as damaging. There are many anti-malware packages available for Mac OSX including Sophos, Kaspersky, McAfee and so on.

Our home users don’t want us to check their home router firewall settings. Why is this necessary?

Wherever they are present, firewalls offer a line of defence between your devices and the wider internet. Home router firewalls are an important layer of protection and can help prevent hackers and malware entering the home network. In the majority of situations, most routers provided by the home users broadband provider will have their firewall already
configured securely but this does need to be checked, as well as any default passwords used to access the router changed.

Our home users use a Virtual Private Network (VPN) to connect to the office network. Does this exempt them from the requirement to check their home router firewall settings?

In some cases, if home users are set up with a VPN which is set to force all internet traffic to route via the VPN to your office network and they are suitably trained, this may be accepted as a “compensating control” which would reduce the need for users to check their home router firewall settings. However, it is up to you to prove to our satisfaction that your setup offers an equivalent level of protection and that this protection will continue to exist going forward.

What is a software firewall? How can I change its password?

The questions about software firewalls refer, on a basic level, to the built-in firewall within your computer operating system (such as Windows Firewall and Mac OSX Firewall). Often it’s a case of just turning this on using Control Panel or System Preferences.

The password for a software firewall is the password of the Windows or Mac user account of the device (ie your login password to Windows or Mac). If you already change this regularly, great! Just let us know in the notes.

Do I need to use two-factor authentication for my administrator accounts?

Two-factor authentication is a second method of confirming that a user of a system is who they claim to be. It is usually used alongside a password and could involve a fingerprint scanner, a text message with a unique code or a token that generates unique codes. Most Mac, Linux and Windows systems do not have two-factor authentication available by default.

Cyber Essentials Plus does not require you to pay for additional hardware or software to enable two factor authentication. So, in most cases, two-factor authentication for administrator accounts will not be available on your system. Some laptops have built-in fingerprint scanners or other bio metric devices that can be enabled to allow two-factor authentication. If these are available on your devices, they must be enabled for administrator accounts.

Will I get some sort of badge to place somewhere to demonstrate that the business has Cyber Essentials Plus?

Once you pass the assessment you will be given a Cyber Essentials Plus Badge to publish on your website. You’ll also be able to take advantage of our free cyber insurance up to the value of £25,000

Does it mean you have to come and visit my company?

One of our experts will come and visit your office to complete an audit of your self-assessment questionnaire. Whilst they’re there they will conduct a vulnerability scan of your network and externally facing services.