Interview: Getting started with the Cyber Essentials scheme


Supply2Gov met with Cyber Essentials Consultant Tom McFadyen to discuss how micro businesses can get started with cyber security.


  1. Why is cyber security so important to small businesses?

Cyber security is important to small businesses – just look at the WannaCry attacks from last year.

WannaCry became headline news due to its impact on the NHS. The healthcare sector was crippled and staff lost hundreds of hours trying to fix the countless appointments that were lost. WannaCry was also a big headline grabber due to its global scale and connection to North Korea. One of the effects it should have had is to put cyber security in the spotlight.

But that isn’t the full story of course. 150 countries were attacked and all manner of different businesses, many of them small businesses, were affected that were not prepared for this type of attack. The main difference between the NHS and a micro business in this situation is that bigger organisations have the budget to handle the fallout from a cyber attack.

It’s not just a financial burden. If you are a micro business with just a handful of people working in your office and you are forced to waste days, management time and technical support time, that can have a big impact on your bottom line.

Nonetheless, now is a good time to remind people that smaller, low profile cyber attacks happen every single day and hit small businesses.


  2. Leading on from that, what types of attacks should a small business look out for?

WannaCry is a famous example of a ransomware attack where victims must pay a fee to unlock their data or prevent its publication. WannaCry attackers demanded to be paid in bitcoin.

There are all sorts of different attacks to look out for, one of which is phishing. This is when a user receives an email from an attacker who is claiming to be another individual. The attacker will be looking to get hold of your details.

Most recently, I received a phishing email from an attacker who was claiming to be Microsoft. The attacker wanted my email and login details – but as I said, this is just one example among many.

Look out for phishing emails and, if you do get an unsolicited email, think twice about why you are receiving that email. Anti-virus software should be helpful to tackle this.


  3. What other basic things can a small business do to reduce the risk of online threat?

Small businesses can learn from the mistakes of more experienced businesses. One of the stories that I wrote in 2017 was about MPs who would share their login details and passwords with members of staff and other employees. This is a cyber security “no no”.

The shocking thing about this story is that MPs appeared to be extremely blasé about sharing passwords when having a strong, secure password seems to be an obvious practice. The reality is many businesses and organisations are not as secure as you would think.

It is still extremely common for businesses to use “password” for their password, which makes their business incredibly vulnerable to attackers. If you want more information on how to create a secure password, you can Google “the fifty most obvious passwords” or “the most hacked passwords”.

The Government recommends that users combine three unrelated words into a single password as it will provide more security. You should also update your passwords regularly.


  4. How can Cyber Essentials help small businesses achieve their cyber security goals?

If you were to go through the process and become Cyber Essentials certified, it would bring two main benefits.

First, you and your business’s customers will be better protected against attacks – you will become cyber secure against 80% of common cyber security threats. Your organisation will also be on its way in terms of preparation for GDPR which comes into effect in May.

Cyber Essentials does not completely set you up for the launch of this regulation, but it will contribute to your preparations.

Secondly, Cyber Essentials will protect your business from data theft, which, as I was saying earlier, can be extremely costly for small businesses. The amount of money and time your business can save by being more efficient with your cyber security is incredible.

The other aspect of cyber security is winning contracts. Perhaps your micro business wants to win work with the MOD. Currently MOD suppliers must have the certification to win work with them.

When you are tendering, cyber security is an area that the private and public sector will notice as everyone’s information is valuable to them. Organisations that are sharing data will not want to be attached to other businesses that are vulnerable to cyber attacks.

Whilst the MOD and Central Government mandate Cyber Essentials, many other public sector bodies don’t. However, as time goes on, it is likely that this will change. It is better to be prepared for that situation than to bury your head in the sand.

  5. What package is most suited for microbusinesses and sole traders?

We offer three separate packages.

First, the base level package which costs £300 (excluding VAT). This package allows users to go through the Cyber Essentials process and lets you fill in the self-assessment questionnaire. Customers must pass all the sections to become Cyber Essentials certified.

There is also Fast Tracker Cyber Essentials certification which is £600 (excluding VAT). This allows the customer to become certified as soon as possible. Once the customer has passed the self-assessment questionnaire, they are guaranteed Cyber Essentials certification within 24 hours.

We also offer Cyber Essentials Plus which is £2500 (excluding VAT). This includes an onsite visit from our team where we will look at your cyber processes in depth and help you to improve in areas where you may be vulnerable.

The first two options are likely to be the most suitable for small and micro businesses. If you are a micro business getting started and not in a great hurry to achieve certification, it would probably make more sense to choose the first option as this is likely to be all that is required for low value tenders. Make sure you have this in place as it could help you to win contracts.


  6. How can a business get started with Cyber Essentials?

The scheme summary and sample self-assessment questionnaire are valuable resources.

I would recommend that you download both documents in preparation for certification.

The scheme summary will give you an overview of Cyber Essentials which is great for beginners. The summary will tell you what Cyber Essentials Certification is and why your business may need it.

Inside the summary you will find out what the five key controls of Cyber Essentials are and why they are important.

If you are interested in achieving Cyber Essentials certification, download the sample self-assessment questionnaire in advance so you can look at the kind of questions that you will need to answer. This means that you will be ready with the right information to hand when you purchase Cyber Essentials.


  7. How can I learn more about Cyber Essentials?

I would start by going on to the Supply2Gov website and clicking on Cyber Essentials.

You will find a tonne of information about the products available and you can download both the sample questionnaire and scheme summary, which I highly recommend any micro business or sole trader to read through.

We are also in the process of recording a webinar that will be embedded into the website and you can watch it in your own time.

In the future, we will also be doing a micro business based live webinar, which will discuss the process in more depth. This will be confirmed on the Supply2Gov website nearer the time.

If you have any questions about this or Cyber Essentials you can also contact me on

I am also happy to answer any queries that you may have from this interview; just get in touch.