Information security for the uninitiated: what is the minimum level of cyber security necessary for small businesses?

All organisations with an Internet presence are at risk from hacking and other attacks, but not all organisations have the same resources to deal with them. While small businesses face the same threats as larger organisations, many lack the security posture and incident response plans necessary to defend against, and react to, an attack.

All information – including yours – has a value to criminals. Even if your website isn’t obviously valuable in itself, it could be used as a means of attacking a larger organisation in the supply chain. If you think you don’t hold anything worth stealing, you’d be unpleasantly surprised if you visited the dark web: trade in stolen credentials of all sorts abounds on the black market.

Cyber crime is cheap and simple for criminals

Automated attacks are indiscriminate and easy to launch: they identify and exploit known vulnerabilities in commonly used platforms, software, applications and plugins, without regard to who owns the target. Every website is at risk.

PwC/BIS’s most recent Information Security Breaches Survey found that 60% of small businesses had suffered a security breach, and that the average cost of a breach to a small business ranged from £65,000 to £115,000.

Fortunately, cyber security can be cheap and simple too

Faced with such risks, increasing numbers of small businesses are investing in security to protect their revenues and reputations. But if you’re new to cyber security, where do you start? What’s the minimum level of security you need to implement?

Cyber Essentials: a baseline of cyber security

Launched in 2014, the UK Government’s Cyber Essentials scheme provides a set of five controls that organisations can implement to achieve a baseline of cyber security, and against which they can achieve certification to prove their credentials. These five controls can help prevent 80% of the most common attacks.

The five controls are:

  1. Secure configuration
  2. Boundary firewalls and Internet gateways
  3. Access control and administrative privilege management
  4. Patch management
  5. Malware protection

Cyber Essentials certification

There are two levels to the Cyber Essentials scheme: Cyber Essentials and Cyber Essentials Plus.

  • Cyber Essentials requires a company to complete a self-assessment questionnaire, which must be signed off by a senior company representative and then verified by an external certification body. An external vulnerability scan is also required if the company chooses to be certified by a CREST-approved certification body such as IT Governance.
  • Cyber Essentials Plus requires a more advanced level of assurance. In addition to meeting the requirements of Cyber Essentials, organisations must undergo an internal assessment and internal scan conducted on-site by the certification body.

Cyber Essentials: the benefits of certification

Certification to the Cyber Essentials scheme provides numerous benefits, including reduced insurance premiums, improved investor and customer confidence, and the ability to tender for business where certification to the scheme is a prerequisite.

Cyber Essentials certification has been a requirement for organisations bidding for certain government contracts involving the handling of sensitive and personal information, and the provision of certain technical products and services, since October 2014.

For more detailed information on the Cyber Essentials scheme, see the IT Governance Cyber Essentials pages.

Cyber Essentials certification from £300

IT Governance is a CREST-accredited Cyber Essentials certification body. Its fixed-price Cyber Essentials solutions can help you achieve Cyber Essentials certification for as little as £300.

This blog is part of a short series providing information security advice to those who are new to the subject. See also: Information security for the uninitiated: the information security trinity (people, processes and technology)