Everything you need to know about the Cyber Essentials scheme

With the government’s National Cyber Security Centre set to update the Cyber Essentials scheme in January 2022, IT support specialist ReformIT explains why it should be at the top of businesses’ digital to-do list.

By Andrew Merrell
The Cyber Essentials scheme is being overhauled to reflect the UK’s digital economy, with new requirements for businesses from January 2022.

From Monday 24 January 2022, the government’s National Cyber Security Centre will introduce an updated set of requirements for the Cyber Essentials scheme – its biggest overhaul since it was launched in 2014.

With the updated scheme setting a new baseline standard for best practice in cyber security, SoGlos spoke to cyber expert Neil Smith, from ReformIT, to find out why businesses should be putting Cyber Essentials at the top of their digital agenda in 2022.

About the expert – Neil Smith, founder and managing director of ReformIT

Neil Smith is the founder and managing director of ReformIT, a nationwide IT support specialist, headquartered in Cheltenham. Its skilled technicians can advise on all IT matters, from security, software and cloud solutions, to IT support and managed services, such as VoIP telephone services and website hosting.

ReformIT is a small business specialist, Microsoft Silver partner and Microsoft Office 365 consultant that also provides a customised range of managed IT services for business. From a fully outsourced IT department to third-line support and project management, the firm can customise its service to suit a range of requirements.

What is the Cyber Essentials scheme?

Cyber Essentials is the digital standard that the government wants all businesses to align themselves with, demonstrating that they are meeting at least the minimum cyber security requirements.

It covers everything a business should have or be aware of when it comes to IT security to keep their business safe, secure and operational. As a managed IT firm, this is our yardstick – we go by Cyber Essentials to ensure we’re looking after our clients in the best possible way.

Why is it suddenly in the news again?

The UK’s digital economy has changed enormously and the government is set to make some changes to Cyber Essentials to reflect this from Monday 24 January 2022.

Importantly, the new standards will mean all cloud services will now be within the scope of Cyber Essentials for the first time – cloud services meaning infrastructure, platforms, or software that is hosted by third-party providers and made available to users through the internet.

Why the emphasis on ‘the cloud’?

An increasing number of firms have moved and are moving their back-office and digital platforms to the cloud – to service providers. Cyber Essentials will map out what they need to consider to make sure they are in safe hands.

Most cyber attacks originate via emails, for example. You need to make sure the service provider looking after your emails is doing everything it can to protect you.

Cyber Essentials sets a standard that business leaders should be looking to achieve to give them and everyone else peace of mind.

Is there anything more to it?

The scope is broader, but significantly there is also a response to our changing working habits during the Covid-19 pandemic, which means Cyber Essentials will now also consider the new army of home workers.

And it will look at everything from passwords for machines and systems through to the machines themselves.

What is best practice when it comes to passwords and changing passwords has become a little confused. Cyber Essentials will lay down some clear guidelines – and that also applies to home working.

Lots of us now work from home. What is the issue?

Anyone who works from home is now classed as a home worker and the scope of the new standards extends to the devices, phones, laptops and computers they use.

It will encourage firms to think about whether it is a good thing to let staff members access internal company systems on personal laptops and phones – devices that their children may well pick up and download anything onto, for example.
Do they need security and software on those devices? If so, what, and how will that be managed?

Advice will be for all admin accounts on all cloud services to have multi-factor authentication (MFA) – which is more than two pieces of information to access an account. The idea is to help provide that extra level of protection.

How can businesses get a Cyber Essentials certificate? Is it expensive? And why is it so worthwhile?

Prices are about to change as a result of the reform, but Cyber Essentials Basic costs roughly £300 plus VAT for a self-assessment process. As an IT company, ReformIT can help with this – we have helped many of our clients, bringing them up to standard and then taking them through the test.

Then, on top of this, there is Cyber Essentials Plus. ReformIT can help bring your business up to speed and then a third-party assessor audits your assessment and runs tests such as attempting to hack into your system, independent of us, to check our work.

By passing that, business leaders will get a confidence boost in knowing that their organisation is in the top two or three percent of firms. Plus, it can be essential for doing business with certain suppliers.

Which brings us to the other real benefit: not only will businesses be better protected and prepared for when a cyber attack comes, but with a Cyber Essentials certificate, customers and suppliers will know they can say ‘yes’ with confidence to doing business with them.
