Matt Rhodes, Quiss Technologies’ technology commercial services manager, says promotion of the government standard in cybersecurity can help protect small businesses

With cyberattacks becoming more frequent and sophisticated, companies are beginning to seek Cyber Essentials Plus certification to prove they are proficient at dealing with potential threats.

In the past 12 months, 875,000 small and medium-sized businesses have been targeted by cybercriminals, costing a fifth of affected organisations over £10,000 in damages.

It is no longer enough for companies to claim they are cybersecure; instead they are being asked to prove it. Clients have started adopting much stricter vetting processes when it comes to selecting a supplier, and are demanding that businesses hold the Cyber Essentials Plus badge to show they have effective security controls in place.

A seal of approval

There are currently two different certifications available to businesses – the standard Cyber Essentials and the Cyber Essentials Plus.

Cyber Essentials represents the most basic level of cybersecurity, and requires organisations to complete a short questionnaire regarding their current security controls. This basic level of certification does not provide assurance that systems are effectively configured to defend against more sophisticated or persistent attacks.

Cyber Essentials Plus, however, requires an organisation to undergo a more thorough assessment, based on internal security assessments of end-user devices. Using a range of specialist tools and techniques, the Cyber Essentials Plus assessment directly tests that individual controls have been implemented correctly, and recreates various attack scenarios to determine effectiveness.

The Cyber Essentials Plus certification requires your organisation to have five technical controls in place:

  • Boundary firewalls – these devices are designed to prevent unauthorised access to or from private networks, but require good setup to achieve maximum effectiveness;
  • Secure configuration – ensuring systems are configured securely to suit the requirements of an organisation;
  • Access control – only allowing those with authority to have access to systems;
  • Malware protection – ensuring the most up-to-date virus and malware protection have been installed;
  • Patch management – ensuring the latest supported version of applications are used and all the necessary patches have been applied.

Only once a company successfully passes these tests can it be awarded the badge, which can then be displayed on its website.

Remaining protected

For serious businesses that are committed to achieving strong cybersecurity, Cyber Essentials Plus is the only option worth considering.

The Cyber Essentials Plus scheme provides a well-defined standard that is suitable for organisations across all sectors, including charities, schools, universities and local authorities.

While the basic Cyber Essentials certification is a necessary starting point for businesses, the extra checks involved with Cyber Essentials Plus make it the best option, especially with GDPR scheduled to come into effect next year.

Achieving compliance

If your company is serious about achieving Cyber Essential Plus status, the first step is to visit the official website, and select one of the official accreditation bodies listed.

To successfully hold a Cyber Essentials Plus badge, you must first complete the basic Cyber Essentials certification process. Once an independent assessor has reviewed your answers and performed the basic tests on your security controls, you will be awarded the certificate.

Once you have received Cyber Essentials certification, you will then need to start the compliance process by introducing the appropriate controls to your system.

When looking for support to help you achieve Cyber Essentials Plus, it is important you contact an IT specialist with plenty of experience helping clients achieve compliance. Remember, different suppliers will offer varying levels of service and support, so make sure you select one that meets your company’s requirements.


Achieving Cyber Essentials Plus certification is a very important first step, but it should only be the start of your continuing journey to improve your company’s cybersecurity.

More sophisticated assessments are available to companies which are looking to push their security further than the Cyber Essentials scheme, including Penetration Testing and Simulated Targeted Attack and Response, which assesses specialist business functions with a market or country influence.

If you think your organisation could benefit from these additional levels of assessments, then contact an IT specialist and achieve total security for your business and clients.