Cyber Essentials is a simple, yet effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks
Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.
You need to get nearly all the questions right to pass the Cyber Essentials assessment. This very strict pass criterion is set by the UK Government. If you are not compliant on some of the questions, we suggest you try to change your processes to meet the requirement and, in any case, add notes to explain why you are not compliant in this aspect and how else you control that risk.
Any company using unsupported software in the scope of the assessment, such as Windows XP, will probably fail to achieve Cyber Essentials certification.
You need to add brief notes to most answers. This allows us to understand your company and controls better, makes the assessment process faster and also makes it more likely we will be able to understand your systems enough to pass you. There are some questions where a yes/no answer is appropriate – we will highlight these so you won’t get caught out!
You will need to renew Cyber Essentials certification annually. It’s usually the case that subsequent certifications are easier than the first, with most of the work needed being done in the first year.
Cyber Essentials Plus Certification still has our trademark simplicity of approach. The protections you need to have in place are the same, but this time we verify your cyber security. This includes scans of the devices (laptops, servers, desktops) inside your network and vulnerability checks on devices (firewalls, routers) on the perimeter of your network.
On your perimeter devices we check for unnecessary open ports and services. We also look for weak credentials and the use of unsupported operating systems.
On a selection of your internal devices we run a vulnerability scanner to check that the operating system is receiving the latest updates, and that your internet browsers and major applications are up to date. We also check that the devices are running an effective anti-malware solution with the latest updates applied.
We test your anti-malware solution by sending you “false” malware to see how your system deals with this “threat”.
We will also check these selected devices to ensure that user accounts are specific to users (no generic, shared accounts please!) and whether the user is logged in as an administrator.
Companies that get certified to Cyber Essentials via Cyber Clinic will automatically receive Cyber Insurance, if they are domiciled in the UK, certify their whole company and their turnover is under £20m.
Being compliant with Cyber Essentials has been shown to significantly reduce the likelihood and severity of a data breach; however, some risk still remains, especially from an accidental or deliberate internal breach or a concerted external attack. Cyber insurance provides vital incident response services and covers their costs in your hour of need. The insurance provided with certification gives you a £25,000 limit of indemnity, so you may want to purchase a higher limit of cover in case you suffer a severe breach.
If you suffer a data breach, hack or other cyber incident you should immediately contact the 24 hour helpline listed on your insurance schedule. The policy will provide crisis management and incident response services appropriate to your circumstances. Do not delay in reporting the incident as this could jeopardise the claim. Remember to keep a paper copy of your insurance schedule as you may not be able to access an electronic copy in the event of a data incident.
The insurance is provided by AIG. In the event of a claim they will appoint their specialist consultants to assist and advise you.
The name of the company insured is on your insurance schedule and should correspond with the company that has successfully been certified.
Your policy provides the following:
The insurance provided with certification gives you a £25,000 limit of indemnity.
If you require a higher limit contact firstname.lastname@example.org or call 01905 21681. Additional options include payment of ransoms / extortion, business interruption / loss of revenue, phone phreaking, social media, outsourced service providers and invoice fraud. The cost of additional covers will depend upon what cover you want, the limit of indemnity you require and the nature of your business.
Full details of what is and is not covered can be found in your policy wording. Some of the things that are not covered include: Business Interruption, Phone Phreaking, Outsourced Service Providers, Social Media, Ransoms and money that may have been stolen from you or defrauded from you. If you would like insurance to cover these aspects please contact email@example.com or call 01905 21681.
If you already have cyber insurance the policy provided with your certification becomes inoperative. There is no refund or discount.
Companies with a turnover above £20m are not eligible for the automatic insurance. If you would like to discuss options or would like a quote please contact firstname.lastname@example.org or call 01905 21681.
Only companies domiciled in the UK are eligible for the insurance. UK subsidiaries may be considered, contact email@example.com or call 01905 21681.
The policy starts from your certification and lasts 12 months; the exact dates will be on your insurance schedule. If you wish to maintain your insurance beyond that date you will need to renew your Cyber Essentials certification with IASME or one of their CBs. If you do not renew your certification then you may purchase Cyber Insurance from your insurance broker or Sutcliffe & Co; contact firstname.lastname@example.org or call 01905 21681.
The policy is connected to your Certification and cannot be renewed on its own. To maintain cover you will need to renew your Certification or take a separate stand-alone cyber insurance policy.
When you complete the Cyber Essentials assessment there is an option to opt out of the insurance. This does not affect the cost.
Contact email@example.com or call 01905 21681.
The Governance bolt-on covers your policies and procedures around security, whereas Cyber Essentials is focused on technical controls.
We offer this bolt-on via the IASME (Information Assurance for Small to Medium-sized Enterprises) organisation.
The IASME Governance standard was developed over several years during a government-funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001. It allows companies to demonstrate their level of cyber security at a realistic cost, indicating that they are taking reasonable steps to protect their information.
Of course. We realise that most small to medium-sized companies will have not yet addressed all (or indeed any!) of the Governance Bolt-On. We can help. We will provide policy templates for you to fill in and guide you through any areas that you are unsure of.
Our Vulnerability Scanning service is an updated version of penetration testing on your internet-facing resources, such as your firewall and websites.
Traditionally, penetration testing is a one-off event carried out at irregular intervals, often yearly. This is useful as a yearly snapshot of the health of your systems, but new vulnerabilities in previously secure systems are constantly being found. We overcome this by scanning your systems every month, checking for over 10,000 security vulnerabilities, including WannaCry and Heartbleed, web application flaws such as SQL Injection and Cross-Site Scripting, and other emerging threats.
Each month we will supply you with easy to read reports with clear remediation steps should we find vulnerabilities. Should we find issues beyond the capabilities of our automated scans we will provide hybrid penetration testing to get to the bottom of the matter.
We use the industry-standard Nessus.
Active monitoring works seamlessly alongside your Office 365 subscription to monitor and alert you to suspicious activity by your users, your network administrators or external parties trying to get access to your network.
It does this by continuously monitoring for transgressions of your data loss prevention (DLP) policies (such as plain-text credit card information leaving your company) and for anomalous (unusual) behaviour by your users and administrators.
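The DLP check mentioned above, as an added illustration that is not Cyber Clinic's or Office 365's own tooling: a Luhn-based detector for plain-text card numbers run over constructed sample outbound messages, which reports only masked numbers so the alert itself does not leak the card data.

```python
import re

# Constructed sample outbound messages (not real data). The 16-digit values are
# well-known synthetic test numbers; two pass the Luhn check, one does not.
SAMPLE_MESSAGES = [
    "Order ref 4539 1488 0343 6467 confirmed",   # Luhn-valid -> should be flagged
    "Invoice total 1234 5678 9012 3456 GBP",     # 16 digits but Luhn-invalid -> ignored
    "Call me on 01905 21681",                    # too short to be a card number -> ignored
    "Card ending 4111111111111111 used",         # Luhn-valid -> should be flagged
]

# Candidate primary account numbers: 13-19 digits, optionally separated by
# single spaces or dashes, the usual ways a card number is typed into mail.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers in text, masked to the last four digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def dlp_alerts(messages: list[str]) -> list[tuple[int, list[str]]]:
    """Run the check over outbound messages; return (message index, masked PANs) per violation."""
    return [(i, pans) for i, msg in enumerate(messages) if (pans := find_card_numbers(msg))]


if __name__ == "__main__":
    for idx, pans in dlp_alerts(SAMPLE_MESSAGES):
        print(f"DLP violation in message {idx}: {', '.join(pans)}")
```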