If you’ve begun exploring cyber security for your business, you might have already heard the term Cyber Essentials being thrown about, but wondered what exactly is it, and more importantly, is it something I need?
Well, keep reading as we break down the key facts you need to know about Cyber Essentials and how it can help you on your way to becoming a safe and secure organisation. Don’t worry, we’ll skip the technical jargon!
The Cyber Essentials scheme was introduced in 2014 by the National Cyber Security Centre (part of GCHQ). It was designed to provide organisations with a minimum standard of security that, if achieved, could reduce the risk of most common cyber attacks by up to 80%.
Cyber Essentials is based on five technical controls that you need to be aligned with in order to comply with the standard. For the more tech-oriented among you, those controls include: Firewalls and Internet Gateways, Secure Configuration, Patch Management, Access Control, and Malware Protection. The certification has to be renewed each year to make sure your business’ security is still aligned with these controls.
While these controls make up the Cyber Essentials standard, there are actually two levels within the scheme. Cyber Essentials Basic offers a self-assessment option, where businesses must answer a series of questions about their current processes and policies. These answers are then reviewed by an official Certification Body under The Information Assurance for Small and Medium Enterprises Consortium (IASME), who became the NCSC’s sole partner for the scheme’s delivery in April 2020.
Cyber Essentials Plus takes things a little more seriously. Instead of coming up with the answers to those security questions yourselves, you’ll have an official auditor scan your systems for you, and they will tell you if your security levels are in line with the Plus standard. This option is a much more effective way to know how good your security posture is because it’s being assessed by a qualified third party who really knows what they’re looking for.
The cost of Cyber Essentials can vary quite a lot depending on who you go to, but you will generally find the cost for a Cyber Essentials Basic assessment to be, at a minimum, £300. It’s worth noting, however, that this will just be for the self-assessment questionnaire which you will have to complete without any support.
Many who offer certification will have a guided option which, although more expensive, offers invaluable guidance from security specialists, who will work closely with you to find your vulnerabilities and get them fixed so you can pass first time. IASME also make changes to the Cyber Essentials requirements from time to time so having someone with the right knowledge to help you through assessment can take away a lot of unnecessary stress and confusion.
It’s often said that Cyber Essentials was built with small businesses in mind. Getting certified is extremely accessible and affordable, giving small businesses an opportunity to do something meaningful around their cyber security. It’s also especially important for smaller businesses to implement whatever security measures they can because they are often most vulnerable in the case of an attack - previous reports have found that 60% of small organisations go out of business within 6 months of being victim to a cyber attack. A scary statistic, but it goes to show how many small businesses are just not equipped to deal with potential breaches!
You don’t just have to be a small business to benefit from Cyber Essentials though; the standard really serves as a good benchmark to all companies, whatever size or industry. There’s a reason you’ll find companies like Barclays, BP and Vodafone have got certified! It’s also no surprise that these companies are encouraging those in their supply chain to get certified considering the number of supply chain attacks we’ve seen in recent years. Cyber Essentials is increasingly becoming an actual requirement for a lot of businesses, for example, it is now required for any MOD supplier and if you want any work with the Government that deals with sensitive data. So getting certified will definitely keep you in the running for that big Government contract!
Essentially, aside from being something you’ll need to secure certain business contracts, the certification is a great starting point for any and all businesses wanting to take action towards bettering their cyber security and get important recognition for doing so.
There would be no point getting certified if you didn’t get a few perks along the way!
Of course, the primary benefit, and the reason why any company should pursue certification, is the reduced cyber risk and improved security posture, not to mention the peace of mind that comes with this. In fact, the NCSC surveyed a selection of certified organisations and found that an overwhelming 93% felt more confident that they were well protected against cyber attacks. Compromising on your security is just not worth it. Cyber attacks cripple businesses every day with financial losses and damages to reputation, but taking a small step like Cyber Essentials reduces the danger of this.
Not only are you more protected against attacks, getting that Cyber Essentials badge to show off on your website and sales collateral shows your potential clients, partners and suppliers that you take cyber security and their data protection seriously. Businesses are much more likely to work with someone that maintains a secure environment, and as previously mentioned, more and more companies in both the public and private sector are requiring Cyber Essentials, so you’re bound to increase opportunities for new business with a certification under your belt.
You’ll also look more favourable in the eyes of insurance providers which could result in reduced premiums - even just getting Cyber Essentials grants companies with a turnover of under £20m free cyber liability insurance with up to 25k cover. A certification that improves your security, enhances your reputation, and saves you money - what more could you want?
Whatever size or sector your business, Cyber Essentials is a proven way to protect yourself against the ever-growing cyber threat landscape, but don’t forget it is only a point-in-time assessment and this is why it has to be renewed every year. Achieving certification, however, provides a great stepping stone to ongoing security solutions which you can implement to cover that time in between, maintaining a good level of security all year round.