Liam Joseph-Beckles is a Business Development Executive at Cyber Tec Security. They're one of the leading Certification Bodies for Cyber Essentials. I asked Liam to jump on a call to give us the lowdown on what Cyber Essentials is and why a business might get certified.
What is Cyber Essentials?
Sam: I know of Cyber Essentials peripherally - as a company we’ve just been certified to Cyber Essentials Plus, but luckily I don’t have to get involved with compliance stuff as I’m sure there’s a lot of work to do!
Could you give me an overview of what Cyber Essentials is, and why a company might need it?
Liam: Cyber Essentials is a UK-based Certification scheme designed to show that your organisation has the minimum level of cyber protection.
It’s government-backed and overseen by the National Cyber Security Centre (NCSC) but delivered by The Information Assurance for Small to Medium Enterprises Consortium (IASME) and accredited Certification Bodies across the UK.
The reason companies get certified is to show they’re compliant with key controls like malware protection, firewalls and user access control.
It’s becoming more popular with companies because it’s a way to demonstrate a certain level of compliance.
It might even be a requirement from the clients a company works with that they be certified as well.
Sam: What kind of tests do you have to go through? What criteria do you have to meet to become Cyber Essentials certified?
Liam: There are two levels of Cyber Essentials.
One element is the Basic standard certification, achieved by doing a self-assessment questionnaire.
It’s essentially a series of questions that tests your infrastructure against controls.
The company would fill it out based on what they currently have in place.
Once that’s completed, it gets assessed by a Certification Body like ourselves.
The assessor goes through your questionnaire to check that everything in scope is compliant with the requirements.
Each year the requirements usually update in line with changes in technology and the threat landscape, so the assessor will use the latest standard as guidelines to mark your SAQ (self-assessment questionnaire).
How do you get certified?
Sam: So if I’m a small-medium sized enterprise and I decide, perhaps for a certain client, that I need to get Cyber Essentials certified, what would be my first port of call?
How would I go about taking that first step?
Liam: The first step is finding a Certification Body that can do it with you. You can do that by going onto the IASME website, which has a list of CBs to choose from, or of course, you can go straight to the Certification Body.
Certification Bodies can offer different prices, so it’s a good idea to go through a few different ones to find the best price and process for your business.
Sam: And is it a difficult process to go through? How long does it take?
Liam: What we like to say in terms of timelines is that it really depends on how quickly your company is ready to start the process and commit time and resources to it.
A Certification Body can be ready to mark as soon as possible so really it’s based on how long it takes you to fill out the SAQ.
Of course, if you’re doing Cyber Essentials Plus, that’s more comprehensive (I’ll go more into that later).
Sam: I suppose either level of certification can take a long time if your infrastructure isn’t ready to pass?
Liam: Definitely, that’s why lots of Certification Bodies, like ourselves, offer guided options which provide more support to companies that perhaps don’t have access to the IT resources they need.
Why do businesses get certified?
Sam: Great, so Beyond Encryption has just achieved C.E. Plus, what does that mean for our business?
Can we work with different suppliers now and what does it mean in terms of our cyber security resilience?
Liam: So Cyber Essentials Plus is the approval stamp that says you’re fully verified.
It’s the higher tier of certification because your IT environment is actually being tested against the requirements, in comparison to the SAQ, where you’re just filling it out yourselves and we’re assessing it.
We come in and do scans to check that what you’ve put in your self-assessment is actually correct.
It is a jump from the Basic assessment and takes a longer time to do, but there’s a 90-day window after passing the Basic assessment in which you have to achieve Plus.
In terms of our own process, once we’ve done an initial scan for a company’s Plus assessment, we’ll get an idea of how long it’ll take, as we’ll know what kind of remediation needs to be done.
Plus is becoming more of the de facto standard for demonstrating your compliance with customers and suppliers, and it can also help you meet requirements for tenders, particularly with the MoD and NHS.
Sam: Obviously, there are other infosec standards like ISO 27001, but is this standard do you think, the first step a business should take in terms of cyber security and compliance?
Liam: In terms of requirements covered by the Basic cert and the time and effort it takes to achieve a pass, Cyber Essentials is a great first step for businesses.
Other compliance frameworks like ISO can be very time-consuming, so for an SME (small-medium-sized enterprise), this can often feel out of reach.
Cyber Essentials really focuses on the absolute fundamentals for your business’ security to help protect it from common cyber attacks.
Sam: And for a business that perhaps doesn’t need that Cyber Essentials stamp of approval right now but still wants to make sure they’re shoring up their defences in terms of cyber, what would you say the advantages are of making sure that you get certified?
Liam: I think being recognised by clients and suppliers is the most important thing - they’ll see that you’ve got the C.E. badge on your website and know that you’re a company that takes security seriously.
If you’re bidding for tenders, it’s more likely you'll win.
That’s a crucial element, which, by extension, will help you to bring in more revenue for the company, being seen as a secure and trusted provider.
That’s why a lot of people are getting it now: it’s becoming more recognised and can often be required.
Of course, the infrastructure requirements you need to have in place are vital, and doing the work to make sure these are in place boosts business resilience if it's not already up to scratch.
Anything to watch out for?
Sam: Do you see many people fail C.E.?
Liam: To be honest, yes, both for those new to certification and for those renewing.
I often see companies that have just filled out the assessment using their answers from last year, but this copy-and-paste technique doesn’t work.
Each year’s assessment should be treated as a new one.
As I said, the standard can be updated and your company’s infrastructure may well have changed too, so it can’t be a copy-and-paste job - and that's also when you're likely to fail.
Sam: If I'm already Basic C.E. certified, when would you say is the right time for my business to take the next step to Plus?
Is there anything technically that might hold a business back from going for it that they often fail on?
Liam: With the way we do things, if they’ve passed their Basic, it’s very unlikely they’ll fail Plus, as we don’t actually do the final assessment until we’ve done some practice scans and we’re pleased with what we see.
In terms of why a business might not go for Plus, it can often be a price issue - it’s quite a jump from Basic to Plus.
One of the services we offer actually, which others may do too, is a one-off scan for Cyber Essentials Plus, so if a company’s not quite ready to fully commit, they can at least see what remedial work needs to be done, and decide from there whether they’ll go for the certification itself.
That’s a good way for a company to get some reassurance and see how far away from complying with the standard they actually are.
Sam: Do you guys work with a certain size of organisation typically?
Liam: Based on the new tiering structure that has been put in place by IASME, companies will fall into bands from micro to large, so we might work with a company that has 1-10 employees or one with 200+.
It doesn’t really affect the process - companies will still fill out the same SAQ, but this might be quicker with a larger company if they have more people working on it.
Equally, a big company's infrastructure may be more complex, so that’s worth bearing in mind too.
Sam: Do you find that some companies going through the process are already aware of the requirements and ready to pass almost immediately?
Liam: If it’s a company that is doing it for the first time, there will always be vulnerabilities, there’s never not.
And even if it’s a company that has done it the previous year, there will still be things that need to be looked over, because as I mentioned earlier, the assessment may have changed and things need to be put in place.
It’s better not to go in with the mindset that everything’s going to be perfect and there will be no remedial work needed, because that’s very rarely the case.
Sam: Are you seeing some vulnerabilities more than others? What are you advising businesses to do that remedial work on most often?
Liam: A lot of the time it’s to do with the changes implemented this year to the standard.
So there were some new questions around home working, cloud security and password security, and companies may not have had the right things in place, so our assessors will work more closely with them to make sure they have those sorted.
Another issue we see is end-of-life software still being used. This is what we call software that is no longer supported by the manufacturer and isn’t getting security updates.
It’s a vulnerability commonly exploited by hackers, so eliminating it if you have any is necessary to pass the assessment.
The state of the market
Sam: Our flagship product, Mailock, is a secure email solution.
We work primarily with financial services and financial advisers, the latter in particular having been forced to work more remotely.
Off the back of this, we’ve seen huge growth in the use of the Mailock system and new business - did you guys see a similar thing?
Liam: Yeah, the remote or hybrid work set-up definitely brings about new kinds of vulnerabilities, so companies making sure they've got those crucial controls in place became particularly important.
There was a huge increase in cyber attacks over the pandemic, and that was largely because people were forced into remote working environments without being fully prepared in terms of their security.
It’s so important for businesses to stay one step ahead.
I can tell you about a situation I had with a client recently, for example.
Part of my job is managing the expired renewals area, people that have missed their renewal date and are no longer certified to Cyber Essentials.
The actual certification is yearly, so your renewal date will be 12 months from when you achieved your Basic.
The client had an expired certificate by just 3 days and had actually been the target of a cyber attack during just that time!
This is why we really try and get people started with their renewal with time to spare because we want to avoid that kind of situation.
Sam: So do you find companies stick with you for years, doing their renewal each time with you?
Liam: Yes, we’ve got a large number of returning clients that we renew year-on-year, so customer success is really important.
This is why, for us, it’s really important we avoid just using bots and AI when guiding our clients because most people, especially if they aren’t technical-minded, need that human touch.
Getting to know Cyber Tec
Sam: That relates to my next question, really. If I started a business tomorrow and I came to you, why would I choose Cyber Tec?
Liam: We’re proud to price very competitively and beat other providers’ quotes, which is why we’re one of the leading Certification Bodies.
In terms of customer satisfaction, as I said, we try to involve as much human interaction as possible to ensure you’ve always got that support.
The guided options we offer allow you to work one-to-one with one of our assessors and go through your assessment in detail - if it's your first time doing it, it’s especially important to have that educational aspect.
Sam: With cyber products and services, repeat business is high (once you have security, why would you ever get rid of it?), but it's often hard to convince people it’s a top priority at the start of a relationship.
As with the customer you talked about earlier, unless they feel the pain of something going wrong, they may not see the need for it.
What’s the best way to persuade someone that this is something you should do earlier rather than when it’s too late?
Liam: I think it can be helpful to offer examples so they can really appreciate what might go wrong in the long run.
For someone who doesn’t know about Cyber Essentials, you don’t want to be too technical and overwhelm them with information.
I quite like the analogy of a driver’s test - everyone needs to do it to be verified as a safe driver.
Cyber Essentials Basic can be your provisional licence or theory test, then the Plus audit is your full licence.
Sam: That's great - our sales team often talk about cyber security as seatbelts in cars - something people found really annoying when first introduced, but they would never imagine not doing now!
Liam, it's been great to chat. Anything you’d like to say to finish off?
Liam: I suppose I’d just ask you, from your perspective, do you see Cyber Essentials becoming more mandated for businesses in the future?
Sam: I think any company that has IT infrastructure should have the security requirements in place.
In terms of the certification, it’s always going to be a challenge of priorities in those smaller businesses.
As an entrepreneur, it’s unlikely to be the first thing I do when I’m starting up a business.
So, it’s gauging that point where you really need to transition from a small business to a slightly more developed one that has that infrastructure and does those certifications, and deals with those bigger clients.
Liam: Exactly, you want to do it when you’re ready to do it.
You can actually look through the requirements on the IASME website, so that’s quite a good thing to go through to see what’s needed.
From there you can make a decision about whether it’s feasible for you to attempt to achieve the certification.
Sam: Liam - where can we find Cyber Tec Security?
Liam: So you can check out our services at cybertecsecurity.com, there’s a handy live chat on there which will go straight through to one of us, so feel free to send any questions our way.
Our main social is LinkedIn so you can follow us there too.
Originally posted on 19 10 22
Last updated on July 27, 2023
Posted by: Sam Kendall
Sam Kendall is an expert researcher, editor, and marketing specialist. He has worked with B2B brands for almost a decade helping them to refine their digital strategy and streamline ground-level implementation. Sam is passionate about new developments in user experience, demand generation marketing, and customer communications.