Is Cyber Essentials certification worth the investment?

If you’re considering Cyber Essentials certification, you’ve probably got some questions about the process. Most importantly, what does it cost and is Cyber Essentials certification worth the investment? If so, we’ve got you covered. Read on for everything you need to know. 

How much does Cyber Essentials cost?

From 2014-2022, you paid a flat fee of £300 plus VAT to get a Cyber Essentials certification. However, in 2022, the National Cyber Security Centre (NCSC) adopted a tiered pricing structure. 

Under the new tiered system, Cyber Essentials costs range from £300 to £600 plus VAT. Tiers are decided by factors such as business size, number of locations, and the current level of cybersecurity measures in place.

This fee covers the assessment and certification process. However, the total cost can vary due to factors like the support required to meet the five assessment controls:

• Firewalls
• Secure configuration
• Use access control
• Malware protection
• Patch management

Costs can also differ from certification body to certification body, with some charging for extra support, resubmissions and additional services.  Ready to get started with Cyber Essentials Certification? CyberSmart offers the fastest and simplest route to certification on the market.

Why have Cyber Essentials costs changed?

With the rise of cloud services, remote work, and digital transformation, businesses face new challenges in securing their data and systems.

To address these changes, the NCSC and IASME Consortium updated the Cyber Essentials requirements, which now include:

• Cloud services: ensuring secure configuration of cloud platforms
• Multi-factor authentication (MFA): adding an extra layer of security for user logins
• Password management: implementing stronger password policies
• Security updates: regular software updates to protect against vulnerabilities
• Remote working: securing remote access to company systems and data

These updates have led to more rigorous assessments, particularly for larger companies, and you’ll see this reflected in the new pricing.

The benefits of Cyber Essentials certification

Now for the most important question, is Cyber Essentials certification worth the investment? 

In short, yes. Cyber Essentials certification offers benefits to every organisation. Let’s take a look at some of the key reasons to invest in certification.

You’ll be more secure 

Cyber Essentials helps you put a strong security foundation in place. When its security controls are properly implemented, your organisation will be far better prepared to identify, prevent and respond to attacks. In fact, Cyber Essentials can reduce your cyber risk by up to 98.5% .

Reduced risk 

Cyber Essentials focuses on critical elements of your security like regularly patching applications and implementing multi-factor authentication (MFA). These and other controls dramatically reduce the risk of a breach.

Cost-effectiveness 

Although getting Cyber Essentials certified requires some investment, the upfront cost is negligible compared to the cost of a breach. The Department of Science Innovation and Technology (DSIT) estimates that the single most disruptive breach from the last 12 months cost businesses £1,205 on average .

It’s also worth noting that while that figure looks low, it’s for a single breach. Many organisations suffer multiple breaches per year, so the real cost is likely to be higher. Adopting robust security controls can help prevent a breach in the first place, saving your organisation money in the long run.

Assure customers and partners 

Gone are the days when cybersecurity and data protection were secondary concerns for customers. Research shows that 60% of men and women are more concerned about their personal data than a year ago. And this influences decision-making in the workplace. 

As a result, businesses are increasingly reluctant to work with organisations that can’t demonstrate a commitment to security. 

Completing Cyber Essentials allows you to demonstrate you take cybersecurity and data protection seriously. You’ll even get a digital badge to display on your website, ultimately,  helping you show your credentials and win business. 

Better response to incidents 

Every business hopes to avoid being breached. However, cybercriminals are resourceful and excellent at finding unknown vulnerabilities. Cyber Essentials can help you put in place the processes you need to recover quickly, even if the worst-case scenario does happen.

Ability to bid for government contracts 

Cyber Essentials will likely be mandated if your organisation is a government body. But, you may not know it also applies to government suppliers. Getting Cyber Essentials certified can give you the ability to bid for lucrative government contracts, opening up an additional revenue stream. Or, if you’re already a government supplier, help you keep that contract. 

Meet your compliance requirements 

While this doesn’t apply to every industry, there are many sectors where Cyber Essentials certification is mandatory or at the very least, strongly recommended for compliance. These include sectors like education, healthcare, financial services and law. 

What should you look for in a Cyber Essentials certification body? 

We’ve established why Cyber Essentials is worth the investment. However, not all certification providers are created equal. So, what should you look for when picking a certification body?

Unlimited support 

Cyber Essentials certification is usually a fairly straightforward process. Nevertheless, if it’s your first time or you have more complex needs (such as multiple offices or hybrid working) you’ll need support. Look for providers who offer unlimited support and provide ready access to auditors. 

Free resubmissions 

It’s not always possible to complete the certification process first-time. In many cases, you’ll need to remediate aspects of your IT estate. And, when this happens, some providers will charge you for resubmissions, so keep an eye out for those who don’t. 

In-assessment guidance and automation

Some certification bodies use assessment platforms that guide as you go or automate parts of the process. Although this can (but not always) mean a greater up-front cost, it’s well worth it for the time it’ll save you.

Ongoing protection

Cyber Essentials is a great first step, but year-round protection goes further than certification day. Look for providers that will help your business stay protected year-round through vulnerability scanning, threat detection and cyber insurance. 

Want to know more about cybersecurity certifications? Check out our guide to UK certifications for everything you need to know.