Liam Joseph-Beckles is a Business Development Executive at Cyber Tec Security. They're one of the leading Certification Bodies for Cyber Essentials. I asked Liam to jump on a call to give us the lowdown on what Cyber Essentials is and why a business might get certified.
Sam: I've heard about Cyber Essentials, especially since our company recently got certified for Cyber Essentials Plus. I don't deal with compliance certification but it seems like a lot of work! Could you give me an overview of what Cyber Essentials is and why a company might need it?
Liam: Cyber Essentials is a UK-based certification scheme designed to demonstrate that your organisation has a minimum level of cyber protection.
It’s government-backed and overseen by the National Cyber Security Centre (NCSC) but delivered by the Information Assurance for Small to Medium Enterprises Consortium (IASME) and accredited Certification Bodies across the UK.
Companies get certified to show they’re compliant with key controls like malware protection, firewalls, and user access control. It’s becoming more popular because it’s a way to demonstrate compliance, and it might even be a requirement from clients for a company to be certified.
Sam: What kind of tests do you have to go through? What criteria do you have to meet to become Cyber Essentials certified?
Liam: There are two levels of Cyber Essentials. The first is the Basic standard certification, achieved through a self-assessment questionnaire. It’s a series of questions testing your infrastructure against controls. The company fills it out based on what they currently have in place.
Once completed, it gets assessed by a Certification Body like us. The assessor reviews your questionnaire to ensure everything in scope complies with the requirements.
Each year, the requirements usually update in line with changes in technology and the threat landscape. The assessor uses the latest standard as guidelines to mark your SAQ (self-assessment questionnaire).
Sam: If I'm a small or medium-sized enterprise and I decide, maybe for a client, that I need to get Cyber Essentials certified, what would be my first step? How do I go about starting the process?
Liam: The first step is finding a Certification Body. You can do that by visiting the IASME website, which has a list of CBs to choose from. Certification Bodies can offer different prices, so it’s a good idea to compare a few to find the best fit for your business.
Sam: And is it a difficult process? How long does it take?
Liam: Timelines depend on how quickly your company can start the process and commit time and resources. A Certification Body can be ready to assess as soon as possible; it’s really about how long it takes you to complete the SAQ.
Of course, if you’re aiming for Cyber Essentials Plus, that's more comprehensive and takes more time, which I’ll explain in detail later.
Sam: I guess certification can take a long time if your infrastructure isn’t ready to pass?
Liam: Definitely, which is why many Certification Bodies, like us, offer guided options providing support to companies that might lack the IT resources they need.
Sam: Beyond Encryption has just achieved C.E. Plus. What does that mean for our business? Can we work with different suppliers now, and what does it mean for our cyber security resilience?
Liam: Cyber Essentials Plus is the higher tier of certification. It’s more rigorous because your IT environment is tested against the requirements. In contrast to the SAQ where you self-report, we come in and conduct scans to verify your compliance. It’s a step up from the Basic assessment and takes longer, but there’s a 90-day window after passing the Basic assessment to achieve Plus.
Once we do an initial scan for a company’s Plus assessment, we’ll know how long it might take based on the remediation required. Plus is increasingly becoming the standard for demonstrating compliance with customers and suppliers, especially for tenders with the MoD and NHS.
Sam: There are other infosec standards like ISO 27001. Do you think Cyber Essentials is the first step a business should take in terms of cyber security and compliance?
Liam: For the basics covered by the Basic certification and the effort required, Cyber Essentials is an excellent first step.
Other frameworks like ISO can be very time-consuming, so for an SME, this can feel out of reach. Cyber Essentials focuses on the fundamentals to help protect against common cyber attacks.
Sam: For a business that doesn't need the Cyber Essentials stamp of approval right now but wants to enhance their cyber defences, what are the advantages of getting certified?
Liam: Being recognised by clients and suppliers is crucial - they see the C.E. badge and know you take security seriously. Winning tenders becomes easier and being viewed as a secure and trusted provider helps bring in more revenue. Besides, the requirements boost your business's resilience if you're not already up to standard.
Sam: Do you see many companies failing Cyber Essentials?
Liam: Yes, both new to certification and those renewing. Many companies just reuse last year's answers, but this doesn’t work. Each year’s assessment should be treated as new. The standard can update, and your infrastructure might change, so copying and pasting isn't effective and often leads to failure.
Sam: If I’m already Basic C.E. certified, when should I go for Plus? Is there anything technically that might hold a business back?
Liam: With our process, if they’ve passed Basic, it's unlikely they’ll fail Plus because we do practice scans before the final assessment. Cost is a common reason businesses hesitate to go for Plus, as it’s a significant jump from Basic. We offer a one-off scan for Cyber Essentials Plus, which helps companies see what remedial work is needed before committing.
Sam: Do you work with companies of a certain size typically?
Liam: With IASME's new tiering structure, companies fall into bands from micro to large. We work with companies ranging from 1-10 employees to those with 200+. The process is similar, though larger companies might complete the SAQ quicker due to more resources, while their infrastructure may be more complex.
Sam: Do some companies pass the process easily because they're already aware of the requirements?
Liam: New or renewing companies will always have vulnerabilities to address. Even if they've certified before, each year’s assessment might change, requiring new measures. Expecting perfection and no remedial work isn’t realistic.
Sam: What vulnerabilities do you see most often? What do you advise businesses to focus on?
Liam: Common issues include new questions about home working, cloud security, and password security. End-of-life software is another big one - software that no longer gets security updates. It’s a common target for hackers and needs to be addressed to pass. Phishing attacks are also prevalent, making email security a priority.
Sam: Our flagship product, Mailock, is a secure email solution. We work primarily with financial services and advisers, who’ve been forced to work more remotely. We’ve seen huge growth in Mailock’s use and new business. Have you seen a similar trend?
Liam: Yes, remote or hybrid work setups have introduced new vulnerabilities. Over the pandemic, there was a surge in cyber attacks as people were thrust into remote environments without adequate security. Staying ahead of threats is crucial.
For instance, I had a client whose certificate expired for just three days and they experienced a cyber attack in that time! This is why we encourage early renewal to avoid such risks.
Sam: Do companies stick with you for years, renewing their certification each time?
Liam: Yes, we have many returning clients renewing yearly. Customer success is crucial, which is why we emphasise human interaction rather than just using bots and AI. Especially for non-technical clients, that personal touch is essential.
Sam: Why would I choose Cyber Tec if I started a business tomorrow?
Liam: We’re competitive on pricing and often beat other quotes, which is why we’re a leading Certification Body. Customer satisfaction is key for us; we offer guided options for detailed, one-on-one support, especially valuable for first-time assessments.
Sam: In the cyber security field, repeat business is high because once you have security, you won’t want to lose it. But it’s hard to convince people initially. What’s the best way to persuade someone to prioritise this earlier rather than later?
Liam: Examples help. For someone unfamiliar with Cyber Essentials, avoiding technical jargon is crucial. I like the analogy of a driving test - Cyber Essentials Basic is like your provisional licence, and the Plus audit is your full licence.
Sam: Our sales team often compare cyber security to seatbelts in cars - initially annoying but now indispensable! Liam, it’s been great chatting. Any final thoughts?
Liam: I'd ask you: do you see Cyber Essentials becoming more mandatory for businesses?
Sam: Any company with IT infrastructure should have the necessary security measures. Certification prioritisation is challenging for smaller businesses, though. It’s not the first thing an entrepreneur thinks of when starting up.
It’s about finding the right time to transition from a small business to one that has the infrastructure and certifications needed to work with larger clients.
Liam: Exactly, you should do it when you’re ready. Checking the requirements on the IASME website is a good starting point to see what’s needed and decide if certification is feasible for you.
Sam: Where can we find Cyber Tec Security?
Liam: Check out our services at cybertecsecurity.com, where there’s a live chat feature to connect with us directly. We’re also on LinkedIn.
Sam Kendall, 07.06.24
Sabrina McClune, 07.06.24