We’ve all seen the news regarding the impact that the recent hacking of the Co-op and Marks & Spencer’s had on these businesses and their customers, and it’s something that all businesses could be affected by. According to a report by Beaming, there were over 2,000 cyber-attacks a day on UK businesses in 2024; that’s over 750,000 a year.

While digital technology can be, and is, a massive help in our daily lives (I’ve used AI to help me pull this blog together) we need to make sure we’re doing what we can to protect ourselves, and our customers, from hackers. I was speaking recently with one member who was telling me about a tender requirement that they had to have Cyber Essentials. This led me to do some more research to learn more about the scheme and how it works.

In today's increasingly digital landscape, cyber threats are a constant and evolving danger for businesses of all sizes. For Master Builders, who may not have the IT resources of larger businesses, a cyber-attack could be devastating, leading to significant financial losses, reputational damage, and operational disruption. This is where Cyber Essentials comes in – a government-backed certification scheme designed to provide a baseline of good cyber security practice.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme, overseen by the National Cyber Security Centre (NCSC), that helps organisations protect themselves against the most common online threats. It focuses on five fundamental technical controls that, when implemented correctly, can prevent around 80% of typical cyber-attacks, including phishing, malware, ransomware, and password-guessing attacks. These five controls are:

  1. Secure Configuration: Setting up your devices and software securely to minimise vulnerabilities.
  2. Boundary Firewalls and Internet Gateways: Creating a secure barrier between your network and the internet.
  3. User Access Control: Managing who has access to your data and services and at what level.
  4. Malware Protection: Implementing and maintaining anti-malware software to prevent malicious infections.
  5. Security Update Management (Patch Management): Ensuring all your software and systems are kept up to date with the latest security patches to address known weaknesses.

There are two levels of Cyber Essentials certification:

  • Cyber Essentials: A self-assessment questionnaire, reviewed by an accredited body, where you declare that you have the five controls in place.
  • Cyber Essentials Plus: This builds on the basic certification with a more rigorous, independent technical audit of your systems by a certified assessor, including vulnerability scans and on-site testing.

Why is Cyber Essentials important for UK SMEs?

For any UK SME handling digital assets or storing data, Cyber Essentials offers a vital layer of protection. The benefits extend well beyond just ticking a compliance box:

  • Protection Against Common Cyber Threats: By implementing the five core controls, businesses significantly reduce their vulnerability to the most prevalent and damaging cyber-attacks. This is crucial for maintaining business continuity and protecting sensitive data.
  • Enhanced Trust and Credibility: Achieving Cyber Essentials certification demonstrates a clear commitment to cyber security. This builds trust with customers, suppliers, and partners, giving them confidence that their data is in safe hands. The official Cyber Essentials badge can be displayed on websites, promotional materials, and letterheads.
  • Competitive Advantage and New Business Opportunities: Many organisations, particularly in government and increasingly in the private sector, now mandate Cyber Essentials certification for their suppliers. For UK SMEs, this can open doors to lucrative contracts that would otherwise be inaccessible. Around 69% of businesses report increased competitiveness after obtaining certification.
  • Insurance Incentives: Many insurance companies offer reduced premiums or even free cyber liability insurance to businesses that have achieved Cyber Essentials certification. This can lead to significant cost savings and provide vital financial protection in the event of a cyber incident.
  • Improved Operational Efficiency: The process of preparing for Cyber Essentials often involves streamlining IT processes, improving overall system health, and fostering a more security-aware culture within the organisation. This can improve efficiency and reduce IT disruptions.
  • Compliance and Data Protection: Cyber Essentials helps organisations meet their obligations under data protection regulations, such as the Data Protection Act 2018, by ensuring personal data is adequately protected.
  • Supply Chain Security: As cyber-attacks increasingly target businesses through vulnerabilities in their supply chain, Cyber Essentials provides assurance that your suppliers (and you, as a supplier) have a foundational level of cyber security in place, reducing overall risk.

What are the benefits for builders?

The UK construction industry has rapidly embraced digital transformation, with widespread adoption of Building Information Modelling (BIM), cloud-based project management, and mobile workforce solutions. While these technologies offer immense benefits, they also introduce new cyber risks. For FMB members, Cyber Essentials is particularly important due to:

  • Handling Sensitive Project Data: Construction firms handle vast amounts of sensitive data, including detailed building plans (which could be intellectual property targets), client financial information, employee personal data, supplier commercial information, and health and safety reports. A breach of this data could lead to intellectual property theft, financial fraud, reputational damage, and legal repercussions.
  • Reliance on Complex Supply Chains: The construction industry operates with intricate supply chains involving numerous subcontractors, material suppliers, and consultants. A cyber-attack on one link in this chain can have a cascading effect, causing delays, financial penalties, and project disruption. Cyber Essentials helps secure these vital connections.
  • Mobile Workforce and Site-Based Operations: Construction teams often work remotely and on-site, using mobile devices and temporary networks. These environments can be more vulnerable to attack than a traditional office setup. Cyber Essentials addresses the need for secure configurations, malware protection, and user access control for all devices, regardless of location.
  • Increasing Mandates for Government Contracts: For UK construction firms, Cyber Essentials Plus certification is becoming mandatory for government contracts, particularly those exceeding £5 million. Increasingly, private sector clients are also requesting this assurance.
  • Protecting Financial Transactions: Builders deal with significant financial transactions, from managing payroll to paying suppliers and receiving client payments. Cyber-attacks like phishing or business email compromise can target these transactions, leading to substantial financial losses.
  • Safeguarding Operational Technology: Modern construction projects often incorporate building management systems (BMS), building automation and control systems (BACS), and other operational technologies. Ensuring the cyber security of these systems is vital for both project delivery and long-term building security.

Where to find more information

The primary source for information on Cyber Essentials in the UK is the National Cyber Security Centre (NCSC) website. Their dedicated Cyber Essentials section provides comprehensive details, guidance, and resources.

The NCSC works in partnership with the IASME Consortium (IASME) as the sole Cyber Essentials Scheme Accreditation body. Their website also offers a wealth of information:

  • IASME Website: https://iasme.co.uk/ (You can find certified assessors and more details on the application process here).

Additionally, several organisations offer support and guidance for achieving Cyber Essentials certification. You can often find accredited certification bodies through the NCSC or IASME websites.

What are your thoughts on this? Will you be getting Cyber Essentials accreditation? Let me know if you’ve any thoughts on this. Also, keep an eye out for more information on Cyber Essentials in a future edition of Master Builder magazine.

Authors

Iain Kirtley

Director, FMB South, Federation of Master Builders

With over 20 years’ experience of membership bodies, not-for-profit organisations and the private sector, Iain joined the FMB in August 2023 from the Chartered Institute of Building, where he worked with construction companies of all sizes to support them with training, development and accreditation.