With over 700,000 cyberattacks on UK businesses in 2024, getting Cyber Essentials certification is now more important than ever. This certificate provides a clear, practical framework, ensuring your organisation follows fundamental cybersecurity best practices.
To achieve this certification, businesses must complete a self-assessment form and tick all the boxes regarding their cybersecurity measures.
It not only strengthens your defences but also boosts your credibility, helps you meet compliance requirements, and even enables you to secure government contracts.
So, use the checklist ahead to assess your current security posture and close any gaps.
Source: Kent Invicta Chamber of Commerce
What is Cyber Essentials?
In simple terms, Cyber Essentials is a government-backed cybersecurity certification that helps businesses protect themselves from the most common cyberattacks. These certifications have two levels: Cyber Essentials Basic and Cyber Essentials Plus, the latter of which is a more rigorous assessment.
The Cyber Essentials Basic focuses primarily on fundamental security measures businesses implement through a self-assessment. Cyber Essentials Plus includes a detailed audit of your system by highly trained assessors.
Both certifications strengthen cybersecurity and protect businesses from attacks, which nearly half of UK businesses faced in 2024.
Two Levels of Cyber Essentials Certification
The Cyber Essentials scheme offers two levels of certification, depending on the depth of security measures a business wants to implement.
1. Cyber Essentials – The Basics
This is the entry-level certification that focuses on essential security controls every business should have. For this, businesses must self-assess their security measures against five key areas (included in the questionnaire):
- Secure internet connections
- Secure devices and software
- Access control and password security
- Protection against malware
- Keeping devices and software up to date
Certificate Processing Timeline: For a small business, this certification costs around £440 with a standard processing time of 5 working days. You can also fast-track the review process within 48 and 12 hours, but that would cost you an additional £200 and £300, respectively.
2. Cyber Essentials Plus
For businesses requiring stronger security validation, Cyber Essentials Plus adds an independent audit to the standard Cyber Essentials package.
It includes:
- A technical audit of your systems.
- Vulnerability scans to identify security weaknesses.
- Penetration testing to check how well your systems hold up against real threats.
- Malware protection testing to check whether your anti-malware defences are effective against known threats.
- User access and password security validation to confirm that your business enforces strong password policies and restricts unauthorised access to sensitive data and systems.
Certificate Processing Timeline: On average, Cyber Essentials Plus takes 1–2 weeks. This includes around 5 days for Cyber Essentials (Basic), 1–2 days for the technical audit, and 24–48 hours for certification processing. Businesses have up to 30 days to fix and retest if vulnerabilities are found. It costs approximately £2,000 for a small business.
Requirements for Cyber Essentials Plus include:
- Pass the Cyber Essentials (Basic) assessment.
- Devices must run supported, up-to-date operating systems.
- Enforce strong password policies and limit user access.
- Use firewall protection and anti-malware software.
- Apply critical security patches within 14 days.
Cyber Essentials Basic vs. Cyber Essentials Plus
A quick comparison between Cyber Essentials (Basic) and Cyber Essentials Plus:
| Feature | Cyber Essentials (Basic) | Cyber Essentials Plus |
| --- | --- | --- |
| Assessment Type | Self-assessment questionnaire. | Independent technical audit. |
| Security Controls | Secure connections, devices, access control, malware protection, and software updates. | Includes all Cyber Essentials controls plus hands-on testing. |
| Testing Process | No external verification. | Certified cybersecurity experts conduct vulnerability scans and security testing. |
| Cost | Starts at £699 + VAT. | Starts at £1,499 + VAT. |
| Certification Time | 1 to 5 working days. | 1 to 2 weeks. |
Cyber Essentials Checklist: What You Should Know
Here’s a checklist to help you understand the key security measures needed to keep your business safe and comply with UK standards.
1. Secure Configuration
Poorly configured systems create security loopholes that attackers can exploit. Any unused applications or default system settings can be potential entry points for hackers. Therefore, make sure to:
- Remove Unnecessary Software and Services: Misconfigured settings cause the majority of security breaches, so removing anything you do not need is a critical step.
- Regularly Update Passwords: Weak passwords make matters worse. That’s why professionals use strong passwords together with multifactor authentication (MFA), as 81% of hacking-related breaches are due to weak or stolen passwords.
Source: Demand Sage
2. User Access Control
Uncontrolled access increases the risk of insider threats and unauthorised data breaches. The best way to prevent such incidents is:
- Implement User Access Control Policies: Research suggests that 74% of security breaches happen due to human error. This is why implementing user access control is crucial. It ensures that employees only have access to the data and tools necessary for their role.
- Apply the Principle of Least Privilege (PoLP): You can also apply PoLP to reduce risks and use Role-Based Access Control (RBAC) to help prevent unauthorised access to critical systems.
Source: SoSafe
3. Malware Control
Keeping malware, such as zero-click malware, under control is crucial, as it can steal data, lock files, and disrupt business operations. To avoid such a situation:
- Use Reputable Anti-Malware Software: Install anti-malware software on all devices to prevent malicious software from executing. Businesses that use multi-layered security solutions reduce malware infections by 40% compared to those that don’t.
- Enable Real-Time Scanning and Automatic Updates: Keep your security tools up-to-date to detect new threats.
Moreover, software installation permissions should be restricted to prevent employees from installing unauthorised programs. Only IT professionals should be allowed to download third-party software. Email filtering is also essential, as most malware infections originate from phishing emails.
4. Software Updates and Patch Management
With 60% of breaches caused by unpatched security flaws, outdated software is one of the easiest ways for hackers to break into systems. A couple of things you can do about such issues are:
Source: PTG
- Enable Automatic Software Updates: It’s crucial to set auto-updates for all operating systems, applications, and firmware. Use patch management tools to track and update your software automatically.
- Regularly Check for Updates: Keep your software up to date. This ensures that security gaps are resolved before attackers can exploit them.
Apply security patches within 14 days of release, as delays give hackers time to exploit vulnerabilities.
5. Firewall and Network Security
A firewall is the first line of defence against external threats, as it blocks malicious traffic before it reaches your systems. Here’s how you can make the most of its capabilities:
- Install and Configure Firewalls: Without a firewall, your system is far more likely to be compromised.
- Use Network Segmentation: Separating networks (e.g., guest Wi-Fi vs. internal systems) limits the spread of an attack if one segment is compromised.
- Disable Unnecessary Open Ports: Always close ports you do not need, as leaving them open increases the risk of unauthorised access.
6. Data Backups
Cyberattacks, hardware failures, or human errors can wipe out critical business data in seconds. So, make sure to:
- Use a Combination of Cloud and Local Backups: Ensure you use this combination, as 93% of businesses that face a data outage and don’t have a backup go out of business within a year.
- Enable Automated Backups: Automate the process to ensure your files are consistently protected.
- Test Backups Regularly: Don’t overlook this step, as a backup might be useless if it doesn’t work when needed.
Secure Your Business with Rejuvenate IT
A breach can cost your business in the UK more than just money—it risks your data, reputation, and client trust. This is why it’s important to incorporate Cyber Essentials into your business operations, giving your business stronger security, enhanced credibility, and a competitive edge.
The good news is we have what you’re looking for. At Rejuvenate IT, we make cybersecurity simple and accessible for businesses of all sizes.
So, book your free, no-obligation IT Consultation today!