Cyber Essentials has been around for many years now and has become a well-established baseline cyber security standard for organisations across the UK. However, despite its longevity, there are many myths surrounding the scheme that still lead to confusion and misunderstandings. In this blog, we will set straight some of the most common Cyber Essentials myths to help organisations make better-informed decisions about their Cyber Essentials journey.
Myth 1: Cyber Essentials is expensive.
The cost of Cyber Essentials depends on the size of the organisation and on whether you are aiming for the self-assessed “Basic” badge or the audited “Plus” certification, which costs more because it adds an independent technical assessment of your systems on top of the self-assessment questionnaire. Even so, the fees are modest and should not be a barrier for even the smallest organisation, with application fees starting at £300. The objective of Cyber Essentials is to protect organisations against the most common cyber threats, and the outlay will be substantially less than the cost of dealing with even a minor breach.
Myth 2: Cyber Essentials is a one-off effort or investment.
Cyber threats evolve constantly, and the controls that defend against them have to keep pace. The National Cyber Security Centre reviews and updates the Cyber Essentials standard year after year so that it remains relevant and still meets its objective of protecting against the most common threats. In line with this, Cyber Essentials certification (Basic or Plus) is valid for 12 months, and maintaining continuous certification requires full recertification every year against the version of the requirements that is current at the time. Treat the annual reassessment as a genuine check that the controls are still in place and still configured correctly rather than as a paperwork exercise: devices, users and software change over a year, and last year's answers will rarely still be accurate.
Myth 3: Cyber Essentials is only for larger organisations.
Actually, Cyber Essentials was devised so that organisations of any size could meet the standard. The application costs are tiered by organisation size, but the requirements are the same for all organisations, big or small. The NCSC has said that cost should not be a barrier to cyber security, and the standard specifies the outcomes a control must achieve (for example that software is supported and kept updated, and that malware protection is in place) rather than mandating particular software products or vendors; for many small organisations the features built into their operating systems and cloud services are enough to meet the requirements.
Myth 4: Cyber Essentials is a silver bullet for cyber security.
Whilst Cyber Essentials helps organisations protect themselves against cyber-attacks, it will not stop all of them. The standard is designed so that the most common, untargeted attacks are significantly less likely to succeed, by ensuring that a baseline of security best practice is applied across the organisation. It is a set of preventive controls: it says little about detecting or responding to an intrusion, and it does not address determined, well-resourced attackers who will work around basic controls. For organisations that handle sensitive data or operate in high-risk industries, it is therefore prudent to treat Cyber Essentials as a starting point and to consider additional measures against more sophisticated threats.
Myth 5: Cyber Essentials is too straightforward to be effective.
Cyber Essentials is based on five key areas: boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management. Each of these areas in turn has several requirements that an organisation must meet to comply with the standard. The areas are not arbitrary: between them they cover the ways most commodity attacks actually get in, namely exposed or poorly configured internet-facing services, default or shared credentials and over-privileged accounts, malware delivered by email or download, and known vulnerabilities in software that has not been patched. Studies have shown that correctly implementing the Cyber Essentials controls and attaining certification can significantly improve an organisation’s cyber security posture and reduce the likelihood of a successful cyber-attack.