Every business in the UK is a potential target for cybercriminals. Why? Because every organisation, regardless of size, industry, product or service offering, possesses valuable assets that are attractive to attackers. Whether it’s customer data, credit card details or intellectual property, or less obvious items such as operational documents or client work, the consequences of lost, corrupted or stolen information can be devastating – ranging from revenue loss and diminished customer trust to, in the worst cases, closure of the business.
This article explores what Cyber Essentials certification is, why it is crucial for every organisation to safeguard against cyber threats, and how Cyber Essentials helps businesses protect their data, enhance resilience, and unlock opportunities for growth.
So, what is Cyber Essentials certification?
Cyber Essentials is a government-backed certification designed to help businesses protect themselves against 80% of common cyber threats. By implementing the scheme’s essential controls, organisations can significantly reduce their risk of falling victim to cyberattacks.
Why does Cyber Essentials matter?
Every business is a target because every business has something to lose. In the past, cybercriminals focused on large organisations in industries like financial services or pharmaceuticals, where the potential payoff – banking details or intellectual property – was substantial.
Today, the threat landscape has shifted. Attackers have become more sophisticated, and tools for launching attacks are widely accessible. Small and medium-sized enterprises (SMEs), which often have weaker security measures, have become prime targets. Why target a massive corporation with top-notch security, which would require substantial skill and sophisticated tools to get around, when you could target an SME with less impressive security? Infect its systems with malware, encrypt its documents and spreadsheets, put a stop to its trading, and then demand payment for the encryption key.
The reality of the cyber threat
The need for cyber resilience is backed by the facts – according to the Cyber Security Breaches Survey 2024:
- 50% of UK businesses experienced a cyber-attack in the last year.
- For medium and large businesses, the figures rise to 70% and 74%, respectively.
How Cyber Essentials helps
Cyber Essentials outlines five fundamental technical controls to mitigate risk: secure configuration, firewalls, user access controls, security update management, and malware protection.
Through a straightforward self-assessment process, businesses can ensure these controls are in place, making them a less attractive target for attackers.
The importance of Cyber Essentials certification
Cyber-attacks can devastate businesses, affecting operations, revenue, and reputation. Beyond disrupted workflows and financial loss, the long-term damage – diminished customer trust and tarnished brand reputation – can lead to declining revenue or even closure. Fines for failing to meet regulatory requirements, such as GDPR, add another layer of risk.
Key benefits of Cyber Essentials certification
Supporting statistics
- 91% of Cyber Essentials users say it boosts confidence in reducing cyber security risks (Cyber Essentials impact evaluation for 2024).
- 80% report improved customer confidence.
- Over one-third of businesses find Cyber Essentials mandated by clients or partners in contracts – not just for government and public sector bids – stating ‘all contracts they entered into over the preceding 12 months required them to be Cyber Essentials certified’.
With all that in mind, how does a business become Cyber Essentials certified?
Steps to getting Cyber Essentials certification
Obtaining Cyber Essentials certification is a straightforward process, involving three key steps: completing a questionnaire, addressing security gaps, and submitting your application. With professional guidance, the process becomes even smoother.
Step 1: Complete the self-assessment questionnaire
Begin by completing a self-assessment questionnaire that evaluates your organisation’s adherence to the five Cyber Essentials security controls:
- Secure configuration
- Firewalls
- User access controls
- Security update management
- Malware protection
This step identifies gaps in your current security setup and highlights areas needing improvement.
Step 2: Address security gaps
Once you’ve pinpointed areas for improvement, take action to strengthen your controls. This ensures your business meets the Cyber Essentials standards.
Step 3: Submit your application
After remediation, submit your application to an accredited testing body, such as RightCue, for as little as £320+VAT, depending on your organisation’s size.
RightCue offers an assisted self-certification service, guiding you through the entire process. From understanding the requirements to completing the questionnaire and conducting a final review before submission, our experts are here to help ensure a smooth certification journey.
Cyber Essentials certification cost: is it worth it?
If you’re considering whether Cyber Essentials certification is worth it, consider the financial implications of a data breach, ransomware attack or DDoS attack. The average cost of a data breach in the UK is £3.58 million, while for an SME, closing its doors for four days (the downtime estimated by SME decision makers) can cost as much as £123,984.
How does that compare to the Cyber Essentials cost? Take a look:
Progression: From Cyber Essentials to Cyber Essentials Plus and beyond
In the research commissioned by the UK government and released in the Cyber Essentials impact evaluation for 2024, it was highlighted that slightly more than three-quarters of UK businesses with Cyber Essentials took their security posture a step further by implementing other preventative actions.
Cyber Essentials provides an excellent foundation for businesses to mitigate risk and increase their cyber resilience. It can lead on to other certifications such as Cyber Essentials Plus and ISO 27001 (information security), depending on the needs of the business.
Key differences between Cyber Essentials and Cyber Essentials Plus
The main difference between Cyber Essentials and Cyber Essentials Plus is that the former relies on a self-assessment, while the latter offers a higher level of assurance by including a technical audit of the technology infrastructure to ensure that the technical controls have been properly implemented, including:
- Internal vulnerability scans
- Testing of in-scope systems
- External IP vulnerability scans
The technical audit is carried out by an independent third-party organisation and looks at a representative set of user devices, all internet gateways, and all servers with services accessible to unauthenticated internet users.
Benefits of upgrading to Cyber Essentials Plus
The benefits of upgrading to Cyber Essentials Plus include:
Next step – from Cyber Essentials Plus to ISO 27001
ISO 27001 is the internationally recognised standard for information security management, and is a complementary certification to Cyber Essentials Plus, often building on its foundation. ISO 27001 provides a framework for creating and managing an information security management system (ISMS). The key difference between the two certifications is that ISO 27001 is a more rigorous standard, covering a broader scope than Cyber Essentials Plus.
Here are a few more differences:
- ISO 27001 doesn’t just look at technical controls, but also considers policies, documentation, data, products, processes, services and systems.
- It applies to both physical and digital information assets.
- The certification is also focused on risk management and requires regular internal audits.
- ISO 27001 can be used to comply with legal and regulatory requirements.
The important thing to remember is that the two certifications are complementary and provide a crucial layered approach to building cyber resilience and mitigating risk.
Why Choose RightCue for Cyber Essentials, Cyber Essentials Plus and ISO 27001 certification?
RightCue is an expert in cyber security compliance – with over 15 years’ experience helping organisations achieve certifications, increase cyber resilience and mitigate risk. With that experience comes an intricate understanding of business and what organisations need to succeed when it comes to cyber security. As a cyber security consultancy and Cyber Essentials Certification Body, RightCue is ideally positioned to help you with your compliance journey.