Cyber Essentials Plus Certification: What Is It And Who Needs It?

In 2021, there was an 11% increase in cybersecurity incidents when compared to 2020, and this rise in cybercrime looks set to continue in 2022. 

Figures like these illustrate why the government launched the Cyber Essentials (CE) scheme back in 2014, in response to the growing number of cybersecurity threats and incidents.

The scheme awards businesses Cyber Essentials certification, something which can have a number of benefits. There is also an opportunity to gain the Cyber Essentials Plus (CE+) certification afterwards for more advanced protection. 

Since its launch, Cyber Essentials Plus is something that a lot of businesses have considered, and should consider. But if you’re new to the world of cybersecurity and you’re unsure what Cyber Essentials Plus is – don’t panic. 

In this guide, we’re going to take a look at what the CE+ certification is, its key benefits and which businesses need to become certified. 

Read on to find out more. 

What is Cyber Essentials Plus? 

As we’ve mentioned above, Cyber Essentials is a government-backed scheme designed to tackle cybersecurity issues. It is also supported throughout the security industry and was created as a way for businesses to protect themselves against the rising threat of cyberattacks. 

In a nutshell, the Cyber Essentials scheme is a clear statement that outlines all the basic controls businesses should have in place if they hope to protect themselves as effectively as possible. 

The CE scheme was developed and operated by the National Cyber Security Centre (NCSC), and it is an important step towards a more secure network for any company. 

After gaining the foundation level Cyber Essentials certification, businesses can then go on to get Cyber Essentials Plus status, which offers more rigorous testing and, therefore, better security. 

During the CE+ certification process, security experts will carefully test a company’s IT infrastructure, including the following five controls: firewalls, secure configuration, user access control, malware protection and patch management. 

Cyber Essentials Plus is the highest level of certification under this scheme, and that is not the only difference between CE and CE+. 

The basic Cyber Essentials package is conducted through an online self-assessment questionnaire, whereas CE+ requires a much more in-depth assessment of your security infrastructure. 

Not only this, but with Cyber Essentials Plus, you receive help when completing your assessments, as well as dedicated help desk support at all times. This is not included in the basic CE package. 

The benefits of being Cyber Essentials Plus certified in your business

Becoming Cyber Essentials Plus certified has a number of benefits for any business. In fact, the NCSC has said that undertaking the CE certification process for as little as one of the five controls we mentioned earlier can still protect your business from around 80% of attacks. 

Some of the other key benefits include: 

  • CE+ certificates indicate that your business is taking a proactive stance against cyberthreats, which is great for boosting your reputation and securing more customers 
  • As part of the certification process, you are given CE+ branding for your websites, emails, etc. This means your business can showcase its credentials as a trustworthy and secure source
  • It also helps to create a clear picture for customers, investors and your teams on the current level of cybersecurity within the business 
  • There are some contracts that require your business to be CE+ certified; therefore, you can win more business with these credentials – more on this later 
  • You can reduce the risk of a security breach in your systems that leads to a hefty fine under the General Data Protection Regulation (GDPR)

When is CE+ certification mandatory?

Cyber Essentials certification is suitable for all businesses of any size and in any sector. Therefore, this is something every company should consider. However, it’s important to note that in order to gain CE+ status, you must first be granted the basic CE certification. Otherwise, you cannot continue with your application.

Not only this, but there are some circumstances where Cyber Essentials Plus certification is mandatory. 

One such example is the government contracts we briefly touched on in the last section. If your business is looking to take on specific government contracts, the likelihood is you will need to be CE+ certified. Otherwise, your bid will not be considered. 

Essentially, any government contract that requires you to handle the personal information of UK residents or government employees will require CE+, as will delivering any IT products that will be used to collect, process or store this data. 

And it’s not just government work that requires certification either; the UK Ministry of Defence (MOD) places even more importance on being Cyber Essentials certified. 

So, if you want to be a supplier or service provider for the MOD, you need to be a part of this scheme. And this must flow all the way down through your supply chain to the very last link, so that every party involved in the MOD contract is CE+ certified. 

Without this, your business won’t even be considered. 

Why is Cyber Essentials Plus so important for SMEs?

Finally, although CE+ certification is beneficial to businesses of all sizes, many smaller companies neglect their security efforts, wrongly believing they won’t be a target. 

The reality is that every business is a potential target for cybercriminals, particularly because all suppliers, third-party vendors and smaller organisations are part of a wider ecosystem. They are all connected and, therefore, all possible targets. 

In fact, for an SME the impact of a security breach can be even more damaging, because data leaks can be very costly in the long run. Not only could you be faced with a fine if you don’t comply fully with GDPR, but your reputation could be damaged beyond repair. 

Larger organisations are more prepared for this and will often have teams and money dedicated to dealing with these problems. SMEs don’t always have this luxury. 

This is why all businesses should consider Cyber Essentials Plus certification regardless of size, longevity or number of employees.