The Difference Between Cyber Essentials and Cyber Essentials Plus (2023)

For any business, cyber security is an essential aspect that cannot be overlooked.

It’s no secret that companies must be more vigilant than ever to protect themselves from online threats and breaches, especially those with a lot of employees.

And these breaches occur much more often than you may think.

In fact, the Cyber Security Breaches Survey 2022 found that 39% of UK businesses identified a cyber attack in the previous 12 months, and that 31% of those businesses estimated they were being attacked at least once a week. Of the businesses that identified attacks:

  • 83% had received phishing attempts
  • 27% involved someone impersonating the organisation in emails or online
  • 21% had experienced malware

While you can’t stop a cybercriminal from trying to attack your business, you can make it far less likely that an attempt succeeds and limit the damage if one does. Implementing a small set of basic controls, and having robust processes to keep them in place, is essential for any business.

This is where Cyber Essentials and Cyber Essentials Plus come in.

What’s in this article?:

  • What is Cyber Essentials?
  • What makes Cyber Essentials Plus different?
  • What are the five key Cyber Essentials Controls?
  • What questions are asked for each control?
  • Active Protect Tools
  • To recap
  • Secure Cyber Essentials with Trust Hogen

What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme, run by the National Cyber Security Centre (NCSC), aimed at helping organisations protect themselves against the most common cyber threats. It is a self-assessment questionnaire of 70 questions that checks whether five technical security controls are in place across your devices, networks and cloud services (more on those controls a little later on).

Organisations complete the online assessment, which is reviewed by a certification body, and receive the Cyber Essentials certificate and badge if they pass. The certificate is valid for 12 months, so it has to be renewed every year.

A Cyber Essentials certificate demonstrates to other companies and customers that your organisation takes cyber security seriously. Certification is also a prerequisite for bidding on certain UK central government contracts, particularly those that involve handling sensitive or personal information.

While it can be a daunting task, some companies, like Trust Hogen, will manage the certification process for your organisation.

Read more: Do you need Cyber Essentials?

Is a Cyber Essentials Certificate Essential for GDPR?

Technically, no. However, the five Cyber Essentials controls go a long way towards meeting the security obligations that GDPR places on organisations.

Article 32 of GDPR states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, meaning that it is a business’s legal responsibility to keep the personal data it holds secure. Cyber Essentials gives you a recognised baseline to point to when a regulator or customer asks what those measures are.

The NCSC also maintains a public, searchable register of organisations holding a current Cyber Essentials certificate, which customers can use to check that a supplier they are working with has been certified and that the certificate has not expired.

What makes Cyber Essentials Plus different?

The main difference between the two levels of Cyber Essentials is that Cyber Essentials Plus involves a hands-on technical assessment of your organisation by a qualified, independent assessor, rather than relying on your own answers.

The assessor carries out an external vulnerability scan of your internet-facing systems, an authenticated vulnerability scan of a representative sample of your devices, and tests of your malware protection, for example checking that test files are blocked when downloaded in a browser or received as an email attachment. The assessment can be done on site or remotely, and it must be completed within three months of passing the Cyber Essentials self-assessment. The aim of Cyber Essentials Plus is to verify that the five key controls are not only in place but working effectively.

Although this costs more than a standard Cyber Essentials certificate, gaining Cyber Essentials Plus will work out far cheaper than the potential damage a data breach could cause.

In addition to this, many customers now require Cyber Essentials Plus from organisations they’re dealing with before they will enter into contracts or share sensitive data.


What are the five key Cyber Essentials Controls?

Speaking of the five essential controls, what are they?

1) Boundary Firewalls – Every device in scope must be protected by a firewall: a boundary firewall (usually your router or a dedicated device) between your network and the internet, and a software firewall on laptops and other devices that are used on untrusted networks such as home or public Wi-Fi. Firewalls form a ‘buffer zone’ between your devices and the internet, blocking unsolicited inbound connections and only allowing the services you have deliberately opened. The default administrative password on the firewall itself must be changed, and any inbound rule should be documented and removed when it is no longer needed.

2) Secure Configuration – Devices and software should be configured so that they provide only the services needed for their job. That means changing default passwords before a device goes into use, removing or disabling unnecessary user accounts, software and services, disabling auto-run for removable media, and protecting password-based logins against brute-force guessing with account lockout or throttling. A device left with its factory settings is an easy target, so this control is as much about what you switch off as what you switch on.

3) User Access Control – Accounts should be created only for people who need them, with the minimum privileges required for their role, and removed promptly when someone leaves. Administrative accounts must be kept separate from day-to-day accounts and used only for administrative tasks, and multi-factor authentication must be enabled on cloud services wherever it is available. Only authorised accounts should be able to access, change or delete data; a single over-privileged account that gets phished can give an attacker the run of your network.

4) Malware Protection – Protecting your business from malicious software is essential. This includes viruses, spyware, ransomware and trojans, all of which can compromise your data if left unchecked. Every in-scope device needs either an anti-malware product that is kept up to date, scans files on access and blocks connections to known-malicious websites, or an application allow-list so that only approved software can run.

5) Patch Management – This final control requires all devices and software to be licensed and supported, removed when they reach end of support, and kept up to date. Updates that fix vulnerabilities rated ‘critical’ or ‘high’ (or with a CVSS score of 7.0 or above) must be applied within 14 days of release. Unpatched devices contain known vulnerabilities that attackers actively exploit, so a ‘when we get round to it’ approach will fail the assessment.

What questions are asked for each control?

As mentioned earlier, the questions on the Cyber Essentials self-assessment questionnaire are designed to establish whether the five key controls are in place across your in-scope devices, networks and cloud services; Cyber Essentials Plus then tests a sample of those answers in practice. Broadly, the questions fall into three areas:

  • Policy and Procedures – This includes general security policy, network diagrams and an overall understanding of your organisation’s cyber security posture.
  • Technical Assurance – This looks at how you plan to protect your systems from external threats and how you are protecting your data.
  • User Awareness – This covers areas such as employee training, policies and password management techniques.

Below are some questions you may be asked for each control:

For the first control, Firewalls & Boundary Protection:

  • Are firewalls in place to block connections from unknown sources?
  • Are internal firewalls in place for separating networks and devices?
  • Is there a process for auditing firewall policy changes?
  • Are all unnecessary ports closed down?

For Secure Configuration:

  • Are all default passwords changed before a device goes into use?
  • Are unnecessary user accounts, software and services removed or disabled?
  • Is auto-run disabled for removable media such as USB drives and CDs/DVDs?
  • Do you have a lockout or throttling policy to mitigate brute-force attacks on user accounts and systems?

For User Access Control:

  • Are all accounts managed and reviewed regularly, and removed when no longer needed?
  • Is there a system of permissions in place for viewing, changing and deleting data?
  • Do passwords meet a minimum length, with common or compromised passwords blocked, and are they changed when compromise is suspected?
  • Are remote access and cloud service logins protected with multi-factor authentication?

For Malware Protection:

  • Do you have the latest anti-malware solutions installed on devices?
  • Is the software correctly configured for protection against threats?
  • Are anti-malware scans scheduled to run on a regular basis?
  • Are all employees trained in identifying malicious emails and websites?

For Patch Management:

  • Is there a patch management policy in place for applications, operating systems, browsers and plugins?
  • Are all devices, software and applications updated within 14 days of a critical or high-severity fix being released?
  • Do you have a process for recording and auditing patch changes?
  • Is software that has reached end of support removed, or isolated from the rest of the network?
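The five controls above and the questions in this section boil down to a handful of measurable thresholds. The script below is an added example, not part of the original article and not an official NCSC or IASME tool: it audits a constructed device inventory against those thresholds (the 14-day patch window for critical/high fixes, lockout or throttling within 10 failed attempts, an 8-character password minimum with MFA or 12 without, separate admin accounts, auto-run disabled, default credentials changed). The thresholds are my reading of the Cyber Essentials requirements and the device data is made up; in practice you would feed it the values you collect from your own systems as evidence for the questionnaire.

```python
"""Audit a constructed device inventory against Cyber Essentials thresholds."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Thresholds as I read them from the Cyber Essentials requirements (v3).
# These mappings of the scheme's wording to numbers are assumptions, not official tooling.
PATCH_WINDOW_DAYS = 14        # critical/high fixes applied within 14 days of release
MAX_LOCKOUT_ATTEMPTS = 10     # lock or throttle after no more than 10 failed guesses
MIN_PASSWORD_WITH_MFA = 8     # minimum length when MFA (or a deny-list) backs the password
MIN_PASSWORD_ALONE = 12       # minimum length when the password is the only protection


@dataclass
class Patch:
    name: str
    severity: str             # "critical", "high", "medium" or "low"
    released: date
    installed: bool


@dataclass
class Device:
    hostname: str
    firewall_enabled: bool
    autorun_disabled: bool
    lockout_threshold: Optional[int]   # None = no lockout or throttling configured
    min_password_length: int
    mfa_enabled: bool
    default_credentials_changed: bool
    admin_accounts: List[str]
    daily_use_accounts: List[str]
    patches: List[Patch] = field(default_factory=list)


def audit_device(dev: Device, today: date) -> List[str]:
    """Return one finding per check the device fails; an empty list means compliant."""
    findings: List[str] = []
    if not dev.firewall_enabled:
        findings.append("firewalls: no firewall enabled on the device")
    if not dev.autorun_disabled:
        findings.append("secure configuration: auto-run enabled for removable media")
    if not dev.default_credentials_changed:
        findings.append("secure configuration: default credentials still in use")
    if dev.lockout_threshold is None or dev.lockout_threshold > MAX_LOCKOUT_ATTEMPTS:
        findings.append(f"secure configuration: no lockout or throttling within "
                        f"{MAX_LOCKOUT_ATTEMPTS} failed login attempts")
    # The required password length depends on whether MFA backs the password.
    required = MIN_PASSWORD_WITH_MFA if dev.mfa_enabled else MIN_PASSWORD_ALONE
    if dev.min_password_length < required:
        findings.append(f"user access control: minimum password length "
                        f"{dev.min_password_length} is below {required}")
    # Admin accounts must not double as day-to-day accounts.
    shared = sorted(set(dev.admin_accounts) & set(dev.daily_use_accounts))
    if shared:
        findings.append(f"user access control: admin accounts used for day-to-day work: {shared}")
    # Only critical/high fixes are subject to the 14-day window; age counts from release.
    for p in dev.patches:
        if p.installed or p.severity not in ("critical", "high"):
            continue
        age = (today - p.released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"patch management: {p.name} ({p.severity}) "
                            f"unpatched {age} days after release")
    return findings


def audit_fleet(devices: List[Device], today: date) -> Dict[str, List[str]]:
    return {d.hostname: audit_device(d, today) for d in devices}


# Constructed sample inventory (not real hosts): one compliant laptop and one
# server that would fail several checks.
AUDIT_DATE = date(2023, 6, 1)
SAMPLE_DEVICES = [
    Device("laptop-01", firewall_enabled=True, autorun_disabled=True,
           lockout_threshold=5, min_password_length=8, mfa_enabled=True,
           default_credentials_changed=True, admin_accounts=["admin-jo"],
           daily_use_accounts=["jo"],
           patches=[Patch("2023-05-critical", "critical", date(2023, 5, 10), installed=True)]),
    Device("server-02", firewall_enabled=True, autorun_disabled=True,
           lockout_threshold=None, min_password_length=10, mfa_enabled=False,
           default_credentials_changed=True,
           admin_accounts=["administrator"], daily_use_accounts=["administrator", "svc-backup"],
           patches=[Patch("2023-05-critical", "critical", date(2023, 5, 1), installed=False),
                    Patch("2023-04-medium", "medium", date(2023, 4, 1), installed=False),
                    Patch("2023-05-high", "high", date(2023, 5, 25), installed=False)]),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_DEVICES, AUDIT_DATE).items():
        print(f"{host}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it reports laptop-01 as a pass and four findings for server-02: no lockout policy, a 10-character minimum where 12 is needed because there is no MFA, an administrator account also used for daily work, and a critical fix still missing 31 days after release (the high-severity fix released a week earlier is still inside the 14-day window, and the medium one is outside the scheme's deadline altogether). Note that a script like this only proves what you told it; a Cyber Essentials Plus assessor will scan the devices to confirm the answers.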

Active Protect Tools

Cyber Essentials Plus does not bundle a separate monitoring or “active protection” product. It covers the same five controls as Cyber Essentials; the extra assurance comes from the assessor actively testing them, for example by scanning your internet-facing systems and a sample of your devices for unpatched vulnerabilities and by checking that your anti-malware tooling actually blocks test files delivered by browser download and email attachment.

That independent testing is what makes the certificate more valuable to customers: it shows that the controls were not only declared but found to be working. Ongoing monitoring of your systems for suspicious activity is a sensible addition, but it is something you put in place alongside the scheme, not part of the certification itself.

To recap:

  • Cyber Essentials is a simple but effective way of demonstrating your commitment to cyber security and data protection.
  • Cyber Essentials Plus offers an extra layer of assurance for organisations that need to show their controls work, not just that they exist.
  • The difference between Cyber Essentials and Cyber Essentials Plus is that the latter includes independent, hands-on verification of the five controls: boundary firewalls, secure configuration, user access control, malware protection, and patch management.
  • Organisations awarded Cyber Essentials Plus demonstrate a higher level of assurance to customers and partners. If you want the strongest evidence that your organisation’s data is being protected, Cyber Essentials Plus is the better option.

Secure Cyber Essentials with Trust Hogen

Thank you for reading our post on the difference between Cyber Essentials and Cyber Essentials Plus.

If you’re looking to get your Cyber Essentials or Cyber Essentials Plus certification, there’s no better place than Trust Hogen.

Trust Hogen provides insights, advice, and support for organisations looking to protect their data from cyber threats. Contact us today to discuss your security requirements. Our team of professionals have the experience and knowledge to help you find the right solution for your organisation.