Frequently asked questions

How can Cyber Essentials help me?

Cyber Essentials is a simple, yet effective, Government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.

Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.

How can I ensure that we're Cyber Essentials ready?

An excellent place to start is the jargon-free guide produced by the National Cyber Security Centre, which is available here.

Where can I find the technical requirements for Cyber Essentials?

For detailed coverage of the requirements, suitable for an IT specialist, see the guide here.

How many of the questions do I need to get right to pass?

You need to get nearly all the questions right to pass the Cyber Essentials assessment. This very strict pass criterion is set by the UK Government. If you are not compliant on some of the questions, we suggest you try to change your processes to meet the requirement, and in any case add notes explaining why you are not compliant in that aspect and how else you control that risk.

Are there any automatic fail questions?

Any company using unsupported software in the scope of the assessment, such as Windows XP, will probably fail to achieve Cyber Essentials certification.

Can I just answer yes / no to most questions?

You need to add brief notes to most answers. This allows us to understand your company and controls better, makes the assessment process faster and also makes it more likely we will be able to understand your systems enough to pass you. There are some questions where a yes/no answer is appropriate – we will highlight these so you won’t get caught out!

How long does the certification last before I have to renew it?

You will need to renew Cyber Essentials certification annually. It’s usually the case that subsequent certifications are easier than the first, with most of the work needed being done in the first year.

What extra do I get from certifying to Cyber Essentials Plus?

Cyber Essentials Plus Certification still has our trademark simplicity of approach. The protections you need to have in place are the same, but this time we verify your cyber security. This includes scans of the devices (laptops, servers, desktops) inside your network and vulnerability checks on devices (firewalls, routers) on the perimeter of your network.

Can you give more details on the type of Cyber Essentials Plus testing you do?

Of course!

On your perimeter devices we check for unnecessary open ports and services. We look for weak credentials and use of unsupported operating systems.

On a selection of your internal devices we run a vulnerability scanner to check that the operating system is receiving the latest updates, and that your web browsers and major applications are up to date. We also check that the devices are running an effective anti-malware solution with the latest updates applied.

We test your anti-malware solution by sending you “false” malware to see how your system deals with this “threat”.

We will also check these selected devices to ensure that user accounts are specific to users (no generic, shared accounts please!) and whether the user is logged in as an administrator.

How do I receive the free Cyber Insurance?

Companies that get certified to Cyber Essentials via Cyber Clinic will automatically receive Cyber Insurance, if they are domiciled in the UK, certify their whole company and their turnover is under £20m.

Why do I need Cyber Insurance?

Being compliant with Cyber Essentials has been shown to significantly reduce the likelihood and severity of a data breach. However, some risk still remains, especially if there is an accidental or deliberate internal breach or a concerted external attack. Cyber insurance provides vital incident response services and covers costs in your hour of need. The insurance provided with certification gives you a £25,000 limit of indemnity, so you may want to purchase a higher limit of cover in case you suffer a severe breach.

How do I make a claim?

If you suffer a data breach, hack or other cyber incident you should immediately contact the 24 hour helpline listed on your insurance schedule. The policy will provide crisis management and incident response services appropriate to your circumstances. Do not delay in reporting the incident as this could jeopardise the claim. Remember to keep a paper copy of your insurance schedule as you may not be able to access an electronic copy in the event of a data incident.

Who is the insurer?

The insurance is provided by AIG. In the event of a claim they will appoint their specialist consultants to assist and advise you.

Who is insured?

The name of the company insured is on your insurance schedule and should correspond with the company that has successfully been certified.

What is covered and what services are provided?

Your policy provides the following:

  • Event Management – Legal, IT Forensics, Data Restoration, Reputational Protection, Notification Costs and Credit and ID Monitoring services following an actual or suspected breach of personal or corporate information, an IT security or system failure
  • Data Protection Obligations – Insurers will pay Defence Costs in respect of a Regulatory Investigation, and any lawfully insurable Data Protection Fines that the Company is legally liable to pay in respect of such Regulatory Investigation with regards to a breach of Data Protection Legislation
  • Liability – Damages and Defence Costs arising from: an actual or alleged breach of data; an actual or alleged security failure; the failure to notify a Data Subject and/or any Regulator of a breach of personal information in accordance with the requirements of Data Protection Legislation; or an actual or alleged breach of duty by the Information Holder in respect of processing information (for which the Company is responsible) on behalf of the Company

What limit of cover is provided?

The insurance provided with certification gives you a £25,000 limit of indemnity.

If you require a higher limit contact enquiries@sutcliffeinsurance.co.uk or call 01905 21681. Additional options include payment of ransoms / extortion, business interruption / loss of revenue, phone phreaking, social media, outsourced service providers and invoice fraud. The cost of additional covers will depend upon what cover you want, the limit of indemnity you require and the nature of your business.

What is not covered?

Full details of what is and is not covered can be found in your policy wording. Some of the things that are not covered include: Business Interruption, Phone Phreaking, Outsourced Service Providers, Social Media, Ransoms and money that may have been stolen from you or defrauded from you. If you would like insurance to cover these aspects please contact enquiries@sutcliffeinsurance.co.uk or call 01905 21681.

What if I already have Cyber Insurance?

If you already have cyber insurance the policy provided with your certification becomes inoperative. There is no refund or discount.

What if my turnover is more than £20m?

Companies with a turnover above £20m are not eligible for the automatic insurance. If you would like to discuss options or would like a quote please contact enquiries@sutcliffeinsurance.co.uk or call 01905 21681.

What if I am not domiciled in the UK?

Only companies domiciled in the UK are eligible for the insurance. UK subsidiaries may be considered, contact enquiries@sutcliffeinsurance.co.uk or call 01905 21681.

How long does the policy last?

The policy starts from your certification and lasts 12 months; the exact dates will be on your insurance schedule. If you wish to maintain your insurance beyond that date you will need to renew your Cyber Essentials certification with IASME or one of their certification bodies (CBs). If you do not renew your certification then you may purchase Cyber Insurance from your insurance broker or Sutcliffe & Co; contact enquiries@sutcliffeinsurance.co.uk or call 01905 21681.

How do I renew the policy?

The policy is connected to your Certification and cannot be renewed on its own. To maintain cover you will need to renew your Certification or take a separate stand-alone cyber insurance policy.

What if I don’t want insurance?

When you complete the Cyber Essentials assessment there is an option to opt out of the insurance. This does not affect the cost.

How do I get more information on the Insurance?

Contact enquiries@sutcliffeinsurance.co.uk or call 01905 21681.

Can you give me more details about the Governance Bolt-On?

The Governance bolt-on covers your policies and procedures around security. Whereas Cyber Essentials is focussed on technical controls, the Governance bolt-on:

    • ensures you know what and where your information assets are
    • looks at how you treat data in the cloud
    • ensures that you comply with data privacy legislation (including GDPR)
    • examines your risk management and risk assessment stance
    • addresses the interaction of staff and security, including recruitment, termination and staff responsibilities
    • ensures that you have a security policy
    • examines physical and environmental issues that may have an impact on security

We offer this bolt-on via the IASME (Information Assurance for Small to Medium-sized Enterprises) organisation.

The IASME Governance standard was developed over several years during a government funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO27001. It allows companies to demonstrate their level of cyber security at a realistic cost, indicating that they are taking reasonable steps to protect their information.

The items in the Governance Bolt-On look a little... scary. Will you help?

Of course. We realise that most small to medium-sized companies will have not yet addressed all (or indeed any!) of the Governance Bolt-On. We can help. We will provide policy templates for you to fill in and guide you through any areas that you are unsure of.

Tell me more about the Vulnerability Scanning service.

Our Vulnerability Scanning service is an updated version of penetration testing on your internet-facing resources, such as your firewall and websites.

Traditionally, penetration testing is a one-off event carried out at irregular intervals, often yearly. This is useful as a yearly snapshot of the health of your systems, but new vulnerabilities in previously secure systems are constantly being found. We overcome this by scanning your systems every month, checking for over 10,000 security vulnerabilities, including WannaCry and Heartbleed, web application flaws such as SQL Injection and Cross-Site Scripting, and other emerging threats.

Each month we will supply you with easy-to-read reports with clear remediation steps should we find vulnerabilities. Should we find issues beyond the capabilities of our automated scans, we will provide hybrid penetration testing to get to the bottom of the matter.

We use Nessus, the industry-standard vulnerability scanner.

Can you help remediate against threats found from the Vulnerability Scans?

Yes we can, through our IT support partners, Lighthouse IT. Please note that there is an additional charge for this. Please ask us for costs associated with this.

How does Active Monitoring help my organisation?

Active Monitoring works seamlessly alongside your Office 365 subscription to monitor for, and alert you to, suspicious activity by your users, your network administrators or external parties trying to gain access to your network.

It does this by continuously monitoring for transgressions of your data loss prevention (DLP) policies (such as plain-text credit card information leaving your company) and for anomalous (unusual) behaviour by your users and administrators.
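As an added illustration of the DLP rule just described (this is example code written for this page, not Cyber Clinic's tooling or the Office 365 rule itself), the following Python detector finds Luhn-valid card numbers in outbound message text and masks them; the sample messages, sender addresses and card number are constructed test data.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _valid_pan(raw: str) -> str:
    """Strip separators; return the digits if they form a Luhn-valid PAN, else ''."""
    digits = re.sub(r"[ -]", "", raw)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number found in text (separators removed)."""
    return [p for p in (_valid_pan(m.group()) for m in _PAN_RE.finditer(text)) if p]


def redact(text: str) -> str:
    """Mask all but the last four digits of each Luhn-valid PAN in text."""
    def _mask(m):
        digits = _valid_pan(m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if digits else m.group()
    return _PAN_RE.sub(_mask, text)


def scan_outbound(messages) -> list:
    """Return (sender, pan_count) for each message that breaches the DLP rule."""
    findings = []
    for sender, body in messages:
        pans = find_pans(body)
        if pans:
            findings.append((sender, len(pans)))
    return findings


# Constructed sample outbound messages; the card number is the public Visa test PAN.
SAMPLE_MESSAGES = [
    ("alice@example.com", "Card for the booking: 4111 1111 1111 1111, exp 12/27"),
    ("bob@example.com", "Invoice ref 4111-1111-1111-1112 attached"),   # fails Luhn
    ("carol@example.com", "Our phone number is 01905 21681"),          # too short
]

if __name__ == "__main__":
    for sender, count in scan_outbound(SAMPLE_MESSAGES):
        print(f"DLP alert: {sender} sent {count} plain-text card number(s)")
```

Filtering candidates through the Luhn check is what keeps invoice references and phone numbers from raising false alerts.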