What is Cyber Essentials?

The protection of devices, services and networks — and the information on them — from theft or damage. Download the Small Business Guide to Cyber Security.

The UK’s cybersecurity sector is now worth an estimated £8.9 billion.

It's important to understand the basics and why cyber security is important to all businesses regardless of size or sector. Download our Cyber Security Guide for Small Businesses and start your journey by becoming a free member of the Cyber Resilience Centre.

If you understand the basics of cyber security, but you're ready to learn more about the practical steps you can take next then we'd encourage you to become a member of the Cyber Resilience Centre or learn more about our affordable services.

A breach of the security rules for a system or service - most commonly; Attempts to gain unauthorised access to a system and/or to data. Unauthorised use of systems for the processing or storing of data. Changes to a systems firmware, software or hardware without the system owner's consent. Malicious disruption and/or denial of service. We have created a Cyber Incident Response Pack, which contains documents to help support your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.

At the Cyber Resilience Centre, we have access to trusted specialist cybercrime investigators who can support you during an attack and recover digital forensic evidence to help identify who is responsible. We have created a Cyber Incident Response Pack, which contains documents to help support your business plan its response to a cyber incident. These documents are designed to compliment any existing plans or assist you in creating one.

A vulnerability assessment is a process of identifying existing weaknesses within your network. It can be host-based, network-based, wireless, application, or within your database.

A Website Vulnerability Assessment (often referred to as Web Application Penetration Testing or Pentest) addresses the security of your website (Web application). Websites are mostly publicly available and are there to provide services for anyone with internet access. This makes them a primary target for attackers.

In the world of cybersecurity and cybercrime, there are a lot of myths, misconceptions and rumours shared between business owners and employees. The five biggest myths that we hear the most are: Small and medium-sized businesses aren’t targeted by hackers. Cybercriminals are more interested in larger companies. Businesses must buy expensive hardware or software solutions to implement effective cybersecurity. My business has nothing worth protecting from cyber-attacks. Password managers are unsafe and a risk to my business. Public Wi-Fi is safe to use. It’s just like any other wi-fi network. Read our Cyber Security Mythbusting Guidance

Sensitive data management A lot of the data that is stored in the recruitment is Personable Identifiable Information (salaries, gender, contact information, job description, previous employers, references etc.). Therefore it is critically important that only those who are authorised to do so can access it. This means ensuring all accounts have strong, unique passwords and Multi-Factor Authentication enabled. The best practice would also be implementing a data classification tool to prevent sensitive data from leaving your organisation intentionally or accidentally. Phishing attacks / Malware (email attachments) As a recruiter, you will receive vast amounts of CVs as email attachments. As any one of these could be disguised malware, you need to stay vigilant in checking them. The same goes for hiring managers and finance staff or recruitment businesses, as these staff and departments are also more likely to receive malicious email attachments Remote working - lots of staff working remotely, high volume of client meetings A lot of staff working remotely brings a lot of cyber security risks as senior leaders will have less tangible control over where their employees work, meaning they could be working from unsecured public wifi, they could be working on a crowded train leaking sensitive data to anyone closeby who happens to be shoulder surfing, they could be leaving devices unattended in public working spaces. Learn more with our blogpost: The Cyber Security Dangers for Recruitment Agencies

Sensitive Data Exposure - This applies to electronic devices, and physical paper documents/notes. Even family members should not be allowed to see Sensitive Data, and this would be a breach of GDPR. The best practice is to implement a Secure Storage Cabinet where all work items (devices, documents, notebooks etc.) can be kept. Unauthorised Device Access - Even when working from home, your device must be locked whenever you leave it. Even though it may “only be family” that can see your screen, it is still a Cyber Risk Using the correct device - BYOD (Bring Your Own Device) is a common strategy amongst SMEs and WFH culture, However, if it is implemented it is important to ensure that work data and personal data are kept completely separate - if an Attacker gets your device, they may be able to gain further access to all the company information if it is not secure. The best practice is to use separate work and personal accounts and ensure strong, and unique passwords are used, in combination with Multi-Factor Authentication.

Backups are one of the most effective defences against Malware Attacks because if you are the victim of one, and your data is encrypted by an Attacker, you effectively “ignore” the attack by reverting to your Backed Up data and start restoring business continuity from there. There is no “one size fits all” approach for backups. The schedule will depend on business needs - some may require backups every 12 hours, but for others, it may be acceptable to back up every 24 hours. The most important aspect however is to make sure any Backups are stored separately from your business's network - either in the cloud or on a completely separate hard drive that is not network-connected.

Do my apps need to be updated regularly? Yes, all of your devices (computers, laptops, mobiles and tablets, etc) should always be kept up to date with the latest software. This is because the companies who provide the software (e.g. Microsoft) have security teams that search for vulnerabilities in their apps, and fix them before Attackers can take advantage. The longer you go without updating your apps, the more vulnerable you will be to an Attacker Can I automate my device and application updates? Yes - inside the settings of your device there will be an option to automatically update, all you have to do is select “Yes”. However, if you don’t want your device to update in the middle of work, you can also select “Working Hours” and this will tell your device to only install updates outside of that time

Password managers take all of your passwords and store them in what is called a vault. However, when each password is put into the vault, the password manager will heavily encrypt its value so that it cannot be read by the naked eye. Then, the Password Manager will have you set an incredibly complex Master Password to access this vault (if you want to add/remove credentials from it). Finally, Password Managers have Two Factor Authentication (2FA) enabled by default, adding another layer of security by requesting you to input a code any time you want to access your secure vault. Read more with our FAQ guide to Remote Working

BYOD is the concept of employees using their personally owned device(s) for work purposes. With BYOD, an organisation has ownership of the corporate data and resources that may be accessed or stored on a device, but the device itself is the property of the user.

When employees use their own devices, if your budget is tight you don’t need to buy any extra computers, screens, mobile phones, and tablets. Using personal devices is a preference for people who want to stay connected to both personal and work life and with home commitments such as childcare. If staff are working remotely, your BYOD policy will ensure your team can stay connected without needing to carry multiple devices. Within a well-structured BYOD policy, employees should feel more at ease with their day-to-day work and help to keep them working in your organisation. Read more with our FAQ guide to Remote Working

Giving employees access to a hybrid working environment will give them the option to work comfortably from their home office. This may be especially useful when offering remote work on a flexible basis for employees with childcare needs, medical appointments or when having work done at home. Spending long periods travelling to work each day can be a strain for all of us, especially with train strikes and cold, wet weather during the autumn and winter months. Remote workers can often feel more motivated and organised when working without a commute, with many workers using their commute time to talk walk and exercise before and after work. With more staff working remotely many businesses in the UK have made cost-savings through reduced reliance on large offices and reduced staff turnover. Staff can often find increased motivation in a role which has introduced flexible hours and then be more comfortable to stay in a job and progress. Did you know? Members of the Cyber Resilience Centre get access to several Cyber Security Policy and Procedures Templates to help staff you put the right measures in place to ensure your business has clear security strategies and can respond efficiently if an incident occurs. Learn more about our Membership options for your business. Read more with our FAQ guide to Remote Working

Explain why you’ve created the policy and which members/teams it applies to. For example, you may want to clarify whether the remote worker policy is in effect only temporarily or if your business has decided to offer all staff flexible working contracts. Specify whether your contractors, part-time employees, interns and new hires are covered by this policy, or if it only applies to existing full-time employees who have been with your company for at least six months. If your business is entirely remote, there may be some eligibility criteria you’ll want to include; will employees need to live within a certain distance or can they move anywhere in the UK? Outline who is working from home and when. For instance, your remote work policy may state that people in client-facing roles can only work from home three days per week. You can also create other criteria rules, such as those who have passed their probation can work remotely. Some roles aren’t suited for remote work; employees who need certain equipment that can’t be replicated at home, access documents available only in the office or regularly interact in person with clients. If there are broad categories of positions that are not eligible for remote work, remember to list them in your policy.

Virtual Private Networks (VPNs) allow businesses and organisations to provide secure connectivity between devices, especially useful if staff work remotely.

The biggest threat to free Wi-Fi is for a hacker to position themself between you and the wi-fi point. So instead of talking directly with the wi-fi router, you'll be sending your data to the hacker, who might exploit this data. Using a phone hotspot can increase your security, your mobile connection is secured and private as you would be making a phone call or using your phone to browse the internet. Most phones now are using 5G networks which use 256-bit AES encryption, this blocks fake mobile network transmission sites (referred to as stingrays) and encrypts your phone’s ID during transmissions.

You may be unaware that an innocent trip to a coffee shop may have threats lurking in the background of their public Wi-Fi network. Public wi-fi is common in most locations when working remotely, we all frequently connect to them to check our emails or social media without thinking twice. Whilst your local cafe owner may believe they’re providing free wi-fi to try and keep you in-store to buy that extra slice of cake, chances are the security on these networks is minimal or nonexistent. A Man-in-the-Middle (MitM) attack is a form of eavesdropping. When your laptop or phone connects to the Internet, data is sent from your device to the website, and security vulnerabilities can allow an attacker to get in between these transmissions and “read” them. Your data could be no longer private and shared amongst a criminal network. If a public wi-fi router hasn’t got encryption, the information being sent from your laptop/phone to the wi-fi router could be intercepted. There’s also no way you can tell if a public wi-fi spot has got the necessary encryption. Attackers way look to slip malware onto your computer without you even knowing through public wi-fi. If attackers know of a software vulnerability they may use a busy public location to write code and target a specific vulnerability, and then inject the malware onto your hundreds of devices through a public wi-fi network. Wi-Fi snooping is what it sounds like. Cybercriminals can buy special kits and devices to eavesdrop on Wi-Fi signals. This technique can allow the attackers to access everything that you are doing online — from viewing whole webpages you have visited (including any information you may have filled out while visiting that webpage) to being able to capture your login credentials, and even hijack your online accounts. Rogue public wi-fi networks trick victims into connecting to what they think is a legitimate network because the name sounds reputable. Say you’re staying at the Hotel Easy and want to connect to the hotel’s Wi-Fi. You may think you’re selecting the correct one when you click on “HotelEassy,” but you haven’t. Instead, you’ve just connected to a rogue hotspot set up by cybercriminals who can now view your sensitive information. Read more with our FAQ guide to Remote Working

If you are an employee, sole trader or small business, ensure that you are not using sensitive information within your prompts to ChatGPT or any other chatbots. Also, always double-check the responses against other information if the topic you're asking about is something you might not know much about. If you are an employer or in any managerial role, then it's important that you educate yourself and those around you about the potential risks involved when using chatbots. Make sure you clearly define the scope for which employees could use chatbots and the limitations that might be in place. This would come hand in hand with regular review to ensure that it is up to date with any new regulations or legislation that may emerge in the future. Learn more with our guide on the Unseen Risks of Implementing AI Chatbots in Your Business.

Could an overwhelming summer tourist demand disrupt the good cyber practices within your business? With such a drastic change to how companies work, such as working from home and taking bookings and payments online. Your business is more vulnerable to attacks from hackers. Concerns about the safety of corporate devices running on employee home networks or employees using their devices while working from home have been heightened recently. These concerns include businesses and their employees running the risk of letting their good practices in cyber-security become too relaxed due to the notion of being outside an office environment. Learn more with our guide on how Tourism and Travel companies can stay protected from Cyber Attacks.

Cyber Essentials is a simple and effective Government backed scheme, supported by industry experts and the Cyber Resilience Centre. The scheme helps you put measures in place to protect your organisation, regardless of size or sector, against a range of the most common cyber-attacks. This includes protecting against threats such as malware, ransomware and phishing.

Cyber Essentials helps you demonstrate a commitment to cyber security to your customers and clients with a certificate and badge to display on your premises and website. Having the certificate makes your organisation more resilient against the most common forms of cyber-attacks. Gives your business peace of mind knowing that your data is protected and your security systems are robust, should a cyber-attack occur. Allowing you to reach further business opportunities, as Cyber Essentials will enable you to tender for specific contracts in government.

At the Cyber Resilience Centre, we work with a small group of Cyber Essentials Partners who are official providers of Cyber Essentials and Cyber Essentials Plus Certification. Any members or businesses in the North West should contact us, and we can refer you to a partner in your region who can help you get certified.

Cyber Essentials is mandatory for businesses looking for specific government contracts.Without Cyber Essentials, you will not be able to bid for such contracts. Often these contracts will involve delivering certain IT products and services and the handling of personal information.

For recruiters, your business processes large quantities of valuable data, making you a big target for cybercriminals. Cyber Essentials can help protect your business from most cyber threats. With 82% of UK recruitment firms adopting some form of hybrid working, you need to ensure any staff working from home are secure. Cyber Essentials can provide your business with the guidance to make the switch safely. Your recruitment business is built on trust – your clients and candidates need to know their personal data is safe in your hands. Cyber Essentials certification provides government-backed proof your business is taking cyber seriously and keeping your data safe – crucial when looking to retain current customers and win new clients. Learn more with our FAQ guide to Cyber Essentials

Cyber Essentials helps you demonstrate a commitment to cyber security to your customers and clients with a certificate and badge to display on your premises and website. Having the certificate makes your organisation more resilient against the most common forms of cyber-attacks. Gives your business peace of mind knowing that your data is protected and your security systems are robust, should a cyber-attack occur. Allowing you to reach further business opportunities, as Cyber Essentials will enable you to tender for specific contracts in government. Learn more with our FAQ guide to Cyber Essentials

A law firm’s greatest asset can often be its reputation, and it only takes 1 cyber incident for this reputation to be damaged beyond repair. However, if you are Cyber Essentials certified then you are safe from over 80% of cyber attacks. Cyber Essentials also helps reassure your Clients that you have good cyber hygiene and practices in place, especially when it comes to data protection, data handling and GDPR. Cyber Essentials can also support your Lexcel certification Does your law firm have a Cyber Incident Response Plan? Our Cyber Incident Response pack can help you prepare for, respond and recover from cyber incidents. Learn more with our FAQ guide to Cyber Essentials

Manufacturing is an attractive target for cybercriminals. So much so, 47% of UK manufacturers report suffering a breach that cost them time or money. And, with more back-office staff working from home on unsecured networks and devices, the risk is only growing. Cyber Essentials is a government-backed certification that shows your business takes cybersecurity seriously. This makes you an attractive partner and is reassuring new and existing customers. Depending on what your business manufactures, government contracts could be an important source of revenue. If this is the case, then your business will need a valid Cyber Essentials certificate in order to bid for them. Learn more with our FAQ guide to Cyber Essentials

Yes - If your business wishes to become Cyber Essentials Plus certified, you must first pass Cyber Essentials. In addition to this, you must take the Cyber Essentials Plus audit within 3 months from the date that your Cyber Essentials certificate was awarded.

There is no mandatory requirement for your business to obtain Cyber Essentials plus - If you wish to bid on government or MoD contracts then you will need Cyber Essentials as a bare minimum. However, having Cyber Essentials Plus shows your company is going the extra mile to ensure security and data protection. However, if you do not require this then Cyber Essentials can make your organisation more resilient against the most common forms of cyber-attacks and demonstrate to your Clients that you are committed to being cyber secure.