Building Beyond Cyber Essentials

- By -

Robert Wilson

I have Cyber Essentials.  Now what?

For UK organisations, or those trading in the UK, the reasons for achieving the Cyber Essentials certification are varied.  Some will apply for the accreditation as a mandate for doing business with public sector entities; others respect the need to demonstrate externally they take the protection of their data seriously; and some want to take control of their cyber risks but have little in place, so see Cyber Essentials as the first step on the journey to being operationally resilient.

What is Cyber Essentials?

Cyber Essentials is a set of basic technical controls organisations should have in place to protect themselves against common online security threats.  It is suitable for organisations of any size, in any sector.  The UK government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to hold an up to date Cyber Essentials certificate.

For some organisations, achieving the certification is very simple.  For others who do not possess their own expertise, or have a large and complex environment, it can be a far more taxing affair.  Regardless, once you have achieved this and can be recognised as accredited for the next 12 months, where do you go from there?  That depends entirely on your motives for achieving the certification in the first place.  Below we outline some activities to consider.  However, be under no doubt, just because you can showcase the certificate, it does not represent a gold standard of cyber resilience against the threat landscape, nor should any complacency set in around your organisation’s ability to withstand an attack if you’re stopping at the certification.

Some activities to consider, depending on the nature of your organisation and the degree of risk you face, are:

Regularly Update Systems and Software: Ensure that all systems, applications, and software are regularly updated with the latest security patches and fixes. Regular updates help protect against known vulnerabilities and reduce the risk of exploitation.

Implement Multi-Factor Authentication (MFA): Enable MFA wherever possible to add an extra layer of security. MFA requires users to provide additional verification beyond passwords, such as a fingerprint scan or a unique code sent to a mobile device, making it more difficult for unauthorised individuals to gain access.  Given most cyber attacks still emanate from human error, this is a crucial measure to adopt.

Conduct Regular Vulnerability Assessments and Penetration Testing: Perform regular vulnerability assessments and penetration testing to identify weaknesses in systems and networks. This helps you proactively address vulnerabilities before they can be exploited by attackers.

Develop an Incident Response Plan: Create a comprehensive incident response plan that outlines the steps to be taken in the event of a cyber incident. This includes clear roles and responsibilities, communication protocols, and procedures for containment, investigation, and recovery.

Monitor Network Traffic: Implement network monitoring tools and intrusion detection systems to detect and respond to potential security incidents in real-time. Analysing network traffic patterns and employing behaviour-based analytics can help identify abnormal activity and potential threats.

Regularly Back Up Data: Establish a robust backup and recovery system to regularly back up critical data. Offsite backups and regular testing of the restoration process are essential to ensure data availability in the event of a cyber incident or data loss.

Establish Strong Supplier Security: Extend cybersecurity standards to third-party suppliers and vendors. Ensure that suppliers adhere to similar security practices and regularly assess their cybersecurity posture to mitigate the risk of supply chain attacks.

If you are approaching or re-applying for Cyber Essentials certification, or would value advice from a team who have helped hundreds of businesses large and small, either before, during or post the accreditation, reach out to the Amicis team at

Ready to get started?