CYBER SECURITY
Protecting your business with
Cyber Essentials Plus
As cyber-attacks become more persistent and cyber criminals become more sophisticated, companies face an increased security risk that could
end up causing serious financial damage, whilst permanently harming their reputation. Matt Rhodes, commercial services manager at Quiss
Technology, explains more
030 MAY 2018 RCIMAG.COM
In the past 12 months, 875,000 small and
medium-sized businesses have been targeted
by cyber criminals, costing organisations
over £10,000 in damages.
With attacks on the increase and high-profile
security breaches often reported by global
media, it is no longer enough for companies to
simply claim they are proficient at dealing with
incoming attacks; instead, they must prove it.
Whether it's cyber fraud or ransomware attacks,
these breaches can cause serious disruption to all
businesses, which is why clients are now adopting
much stricter vetting processes when it comes to
choosing a supplier or partner to work with.
Procuring businesses are actively seeking
Cyber Essentials Plus certification as proof that a
company has strong security controls in place, and
can neutralise any incoming threats.
A seal of approval
There are currently two different certifications
available to businesses – the standard Cyber
Essentials and the Cyber Essentials Plus.
Cyber Essentials represents the most basic level
of cyber security, and requires organisations to
complete a short questionnaire regarding their
current security controls, which is then sent to a
recognised body for review.
This basic level of certification only offers a
snapshot of the organisation at that time – it does
not provide assurance that systems are effectively
configured to defend against more sophisticated or
Cyber Essentials Plus, however, requires an
organisation to undergo
a much more thorough
assessment, which is based on
internal security assessments of end-user devices.
Using a range of specialist tools and techniques,
the Cyber Essentials Plus assessment directly tests
that individual controls have been implemented
correctly, and recreates various attack scenarios to
determine whether a system is proficient in dealing
with potential threats.
The Cyber Essentials Plus certification requires
your organisation to have five technical controls in
place. These include:
• Boundary firewalls – these devices are designed
to prevent unauthorised access to or from private
networks, but require good setup to achieve
• Secure configuration – ensuring systems are
configured securely to suit the requirements of
• Access control – only allowing those with
authority to have access to systems
• Malware protection – ensuring the most up-to-date
virus and malware protection had been
• Patch management – ensuring the latest
supported version of applications is used and all
the necessary patches have been applied.
Staying vigilant – remaining protected
If your business is serious about improving its
cyber security, Cyber Essentials Plus is the only
option worth considering.
The Cyber Essentials Plus scheme provides
a well-defined standard that is suitable for
organisations across all sectors, including charities,
schools, universities and local authorities.
With new data protection laws coming into effect
this month, the additional checks involved with
Cyber Essentials Plus make it the more effective
option, as it tests your security in more detail than
the standard Cyber Essentials certification.
Cyber Essentials Plus and the
Since 2014, Cyber Essentials Plus has been
a mandatory requirement when applying for
government contracts, and it looks as though we
are transitioning to a point where businesses must
hold a badge to be considered for most public-sector
Cyber Essentials Plus offers procuring
organisations greater levels of assurance that
required controls and checks are in place.
If your business is looking to grow and win new
business, specifically within the public-sector,
achieving compliance should be at the top of your
Achieving compliance – what to do next
If your company is serious about achieving Cyber
Essentials Plus status, the first step is to visit
cyberaware.gov.uk, and select one of the official
accreditation bodies listed.
Once you have received Cyber Essentials
certification, you will need to start the compliance
process by introducing the appropriate controls to
When looking for support to help you
achieve Cyber Essentials Plus, it is important
you contact an IT specialist with plenty of
experience in helping clients to achieve
compliance – they will then arrange for your
security controls to be thoroughly tested, which
will determine your effectiveness in defending
against potential cyber threats.
Although achieving Cyber Essentials Plus
certification can give you an important advantage
over your competitors, it should only be the start of
an ongoing quest to improve your cyber security.
More sophisticated assessments are available to
companies who are looking to push their security
further than the Cyber Essentials scheme, including
Penetration Testing and Simulated Targeted Attack
and Response, which assesses specialist business
functions with a market or country influence.
If you think your organisation could benefit from
these additional levels of assessment, contact an
IT specialist and achieve total security for your
business and clients.
Matt Rhodes, commercial services manager at Quiss Technology