Are You A UK Consultancy? You Need NCSC Cyber Essentials!

17 Dec. 2024 - Ben O'Neill

What is Cyber Essentials?

Cyber Essentials is a scheme by the UK’s National Cyber Security Centre (NCSC) designed to help UK organisations protect themselves against the most common cyber threats. It was launched in 2014 to help UK businesses protect against the growing threat of cyber attacks. There are 2 levels of certification – Cyber Essentials, and Cyber Essentials Plus.

Obtaining Cyber Essentials certification involves an assessment against the Cyber Essentials technical requirements, which are broken down into 5 core controls:

Firewalls
Secure configuration
Security update management
User access control
Malware protection

The controls aim to address 99% of internet-originating vulnerabilities, providing a baseline of cyber security against the most common attack vectors.

How does Cyber Essentials help my consultancy firm?

Security Case

The obvious benefit of implementing the technical security controls is improved security. Cyber attacks can be devastating on any firm, but especially consultancy firms whose value proposition hinges on the confidence their clients have on them, which can be destroyed by the reputational damage of a cyber attack.

There’s good evidence to suggest that Cyber Essentials actually works: 85% of certified businesses believe it improved their understanding of security risks, 91% said they felt more confident about security, and organisations with Cyber Essentials certification are a staggering 92% less likely to make a cyber insurance claim than uninsured organisations.

Business Case

Aside from the security benefits, the business case for Cyber Essentials is simple – it helps you land more and bigger clients, win more work, and therefore generate more revenue.

This is a big claim, but it’s not hard to back up. In fact, Cyber Essentials is fast becoming the UK standard for winning any contract that involves handling sensitive or personal data with:

Public sector clients
Companies that provide goods or services to the UK public sector
Other large private-sector organisations

Holding Cyber Essentials certification, or at least demonstrating equivalent security measures, is already a mandatory requirement to bid for any central government contract that involves handling sensitive and personal information.

But it’s not just public sector clients. Cyber Essentials is also highly regarded by Critical National Infrastructure (CNI) companies such as energy companies, telcos, transport companies, and banks. In fact, in October 2024, NCSC released a joint statement with major UK banks (Barclays, Lloyds Banking Group, Nationwide, NatWest, Santander UK and TSB) promoting the adoption of Cyber Essentials across their supply chains.

A substantial number of UK businesses and international businesses trading in the UK have Cyber Essentials certification. In the 12 months leading up to September 2024, over 34,000 Cyber Essentials and over 11,000 Cyber Essentials Plus certifications were awarded, and this figure is rapidly rising year-on-year.

We can only expect this trend to continue, especially with the upcoming UK Cyber Security and Resilience Bill. Its details are forthcoming, but it is almost certain to include requirements for organisations to ensure the security of their supply chains and contractors, and it is not a stretch to speculate that it could even enshrine Cyber Essentials requirements in law, at least for certain types of business.

In any case, citing Cyber Essentials certification to clients is an excellent way to quickly demonstrate good security practice and save time on cyber due diligence with prospective clients, so UK consultancies would be wise to put in the work. 75% of Cyber Essentials certified businesses report having greater confidence working with certified suppliers, and 61% say they would be more likely to choose suppliers with Cyber Essentials certification over those without it. 79% of certified businesses believe it has a positive impact on the confidence of their own clients and customers.

How would I get certified?

There are 2 levels of Cyber Essentials certification:

Cyber Essentials – a self-assessment carried out entirely in-house. The organisation completes a self-assessment questionnaire addressing the 5 core controls, which is then marked by an independent assessor.

Cyber Essentials Plus – based on the same 5 core controls, except that instead of a self-assessment, a hands-on technical assessment is carried out by a qualified independent auditor.

Certification is granted by NCSC-accredited certification bodies. Both types of Cyber Essentials certification are valid for 12 months, after which they will need to be renewed.

The difference is not in how stringent the security requirements are, but in the level of independent validation that the controls are in fact in place. It’s possible for an organisation to submit an apparently compliant Cyber Essentials application while overlooking that the controls are inconsistently applied across the organisation. For Cyber Essentials Plus, the external auditor assesses whether the controls are applied consistently across the organisation.

Cyber Essentials certification status is publicly searchable, and many clients use it as part of procurement to gauge the security awareness of their suppliers.

How does Cyber Essentials compare to ISO 27001?

Cyber Essentials is described by NCSC as defining the minimum baseline standard for technical security for all organisations.

ISO/IEC 27001 is an international standard for information security, defining how an Information Security Management System (ISMS) should be operated. As such, unlike Cyber Essentials, it is not prescriptive about which technical security controls should be implemented, focusing instead on the procedures and policies that should be in place to support the organisation’s security and risk management.

As a result, the two certifications have virtually no overlap; in fact, they complement each other very nicely.

Most organisations find the time and effort required to achieve Cyber Essentials certification is much lower than for ISO/IEC 27001, which may be why 53% of Cyber Essentials holders surveyed said it was the only form of external security assurance they have. Many smaller organisations prioritise achieving Cyber Essentials, perhaps focusing on ISO/IEC 27001 at a later date.

Conclusion

With high-profile security breaches appearing in the news on a regular basis, many of which originate not with the victim organisations but with their suppliers, such as consultants, UK consultancies increasingly find themselves dealing with security-aware clients. As uptake of Cyber Essentials increases and new legislation may be around the corner, many of these clients are recognising Cyber Essentials as a convenient way to discern whether their suppliers and contractors take security seriously.

As such, Cyber Essentials is gradually becoming not only a good opportunity, but in some cases almost a necessity, for winning over some of the most high-value clients on the market. Those UK consultancies that don’t keep up with the trend may find themselves lagging behind their competitors.

Shieldwall IT Services is a Managed Service Provider supporting small to medium UK consultancies. We fully comply with Cyber Essentials and actively support our customers in achieving it. If you represent a consultancy firm with 100 employees or fewer and would like to discuss how we can help you in your IT and security journey, book your free consultation with our experts today!