Cyber Essentials Requirements
Acora is a UK based, award-winning IT services and technology company with over 25 years’ experience. We provide a range of IT support and Microsoft-centric business software and cloud solutions to help mid-market organisations modernise their IT so they can compete and win in the digital economy. More than 200 clients trust us to take responsibility for part, or all of their IT from solution design to support.
According to the Cyber Security Breaches Survey 2021, the average annual cost for micro and small businesses that lost data or assets after cyber security breaches in the UK was £8,170. In 2020, this figure was £2,340, an increase of 249%.
An alarming change! So, what can you do to protect your business from these attacks?
Today, we’re going to take a look at Cyber Essentials.
Cyber Essentials is a scheme to help companies and organisations protect themselves against cybercrime. It includes a set of basic technical tools and techniques that you can use to guard against the most common cyber-attacks. Businesses who meet the Cyber Essentials standard can gain a certificate to prove their compliance.
Cyber Essentials isn’t just for big business, or those with lots of resources. Any business, of any size, can get certified and realise its benefits. Cyber Essentials was created by the UK Government in 2014. It’s operated by the National Cyber Security Centre (NCSC) and supported by industry bodies including:
They usually offer incentives to businesses to get Cyber Essentials certified. Even though Cyber Essentials is a UK government scheme, companies outside the UK can still gain a certification.
The main areas covered by Cyber Essentials are:
The idea behind Cyber Essentials is that most cyber-attacks are blunt instruments, rather than sophisticated hacks. The certification defines a focused set of controls with clear guidance on basic cyber security for companies of all sizes.
It offers a sound foundation of cyber security measures that can be implemented at a relatively low cost. Criminals with fairly basic equipment and skills can launch simple attacks against a lot of businesses. These attacks are opportunistic, launched in the hope that some of them will get through.
It's a bit like walking down the street and trying every front door in case it's unlocked. Don't be that low-hanging fruit. Take what precautions you can to keep safe.
According to the NCSC, 93% of certified companies surveyed say they are confident they are protected against common, internet-based cyber attacks. They found that certified companies are more likely than their non-certified counterparts to be:
Cyber Essentials includes two levels:
Cyber Essentials allows you to assess your own security against cyber threats and learn what you can do to prevent them. To gain the certification, you complete a Self-Assessment Questionnaire (SAQ) that covers the following areas:
A member of your board must sign the SAQ to affirm that it’s accurate and complete. Even though you submit the Cyber Essentials questionnaire yourself, we recommend you get expert third-party input to make sure you’ve got everything right.
Some of the questions can be complex, particularly if you manage your own IT and don’t have a technical background.
Cyber Essentials Plus is very similar, but includes a higher level of validation. It includes a technical audit of the systems involved as well as the SAQ.
You can re-use an SAQ you completed for Cyber Essentials for Cyber Essentials Plus. You’ll need to apply within three months of completing the SAQ. Your Cyber Essentials Plus audit will be carried out by a qualified organisation known as a Certification Partner. The audit will include looking for:
During the on-site visit, the auditor will look at a representative sample of your devices to make sure they’re being managed in the right way. If you pass your audit, your certification body will give you a Cyber Essentials Plus certificate, providing independent confirmation that you meet the standard.
If you fail, you’ll need to fix the outstanding issues before you re-apply.
In short, yes.
Basic Cyber Essentials is a good option if you just want to demonstrate that you have essential controls in place. If your business is based at a single location, and your network is only accessed by team members when they physically come into work, then basic Cyber Essentials is probably enough for you.
The more access points there are to your network, the more likely you’ll need Cyber Essentials Plus. For example:
If you have multiple networked sites, people working remotely, or third parties who visit your premises or access your network, Cyber Essentials Plus will give you the reassurance that your data is still safe.
The main reason to gain Cyber Essentials certification is to get a clear picture of the cyber threats you’re facing, and protect your business against them. Cybercrime is a real and growing danger.
According to the UK government, four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. What's more, these aren't one-offs or occasional hiccups: out of the businesses who were targeted, 27% experienced some sort of attack at least once a week, with phishing attacks (83%) by far the most common.
Just by having Cyber Essentials, you make yourself a less attractive target for cyber criminals. Think about it:
The group without protection is a much easier target than the one with. If you aren’t certified, you mark yourself out as potentially vulnerable. This could act as encouragement for hackers to try more subtle and powerful attacks.
Cyber Essentials also shows customers, suppliers and partners that you take digital security seriously. It shows that they can trust you with their confidential data. Every certified business is listed on the NCSC’s website. You can search for a certified company on the IASME website.
If you’re bidding for a government contract that involves handling certain sensitive and personal information, you’ll need Cyber Essentials certification.
Well, let’s take a look at the process below:
1. Sign Up
The first stage is to sign up for Cyber Essentials. We recommend you get advice from a certified body to guide you through the whole process of gaining your Cyber Essentials or Cyber Essentials Plus certification.
Before you start, you’ll need to:
As a rough guide, the more users, sites and network access points you have, the more complex the project is likely to be.
2. SAQ
The next step is to complete the Self-Assessment Questionnaire (SAQ). Even though you submit the SAQ yourself, we recommend you get expert input prior to submission. This is to ensure it meets the scheme’s requirements.
3. Cyber Essentials Certification
If your application is successful, you will be issued your Cyber Essentials certificate. Well done!
4. Onsite Assessment
If you are planning to obtain the Cyber Essentials Plus certification, you will need to go through a technical audit. This includes a collection of internal vulnerability scans and tests.
You'll need to prepare for your audit by reviewing the security arrangements you currently have, along with any suggested improvements. If you need help with the technical side, you may need an IT engineer to help you make the necessary changes. A lot of this type of support can be delivered remotely, particularly if your data is hosted on external servers.
If you don’t have a Cyber Essentials SAQ from the last 30 days, you’ll need to complete one. An IT engineer will need to visit you to make a series of checks on your network and some of your work machines. They’ll also make sure that all the answers you put in your SAQ are correct and complete.
5. External Scan
For the final step, you will need to have an external vulnerability scan. This is a scan of your Internet-facing networks and applications. It is used to verify that there are no obvious vulnerabilities.
As the tests are external, they are performed off-site. With help, you are very unlikely to fail the audit. However, if you do, you can get feedback on what you need to change. Then you can decide whether you want to re-apply.
6. Cyber Essentials Plus Certification
If your application is successful, you will be issued your Cyber Essentials Plus certificate. Once you have acquired either Cyber Essentials or Cyber Essentials Plus, you can then display it at your premises or on your website.
In terms of cost, expert guidance on basic Cyber Essentials certification is usually covered by a flat fee for scoping work. Any remedial work would be an additional cost.
Cyber Essentials Plus is more complex and depends on the size of your company. You’ll need to contact your provider to get a tailored quote.