Why should I get my business Cyber Essentials Certified?

You might need to get your business Cyber Essentials certified because it is a requirement passed down the supply chain, or because you deal directly with a government department that requires it; most now require it even before you can submit tenders. Some of the biggest UK businesses, such as Airbus, Barclays, BT and Vodafone, have also pledged to adopt Cyber Essentials requirements in their supply chains.

But aside from the scenarios where your business must be certified, why should you get your business Cyber Essentials accredited?

Addressing other areas of IT security

Whilst it only covers the basics, the Cyber Essentials standard will certainly cover some of the areas you need for other compliance work, or on the way to achieving higher standards of IT security. Examples would be helping you with GDPR compliance, setting a baseline for moving up to the IASME governance standard, or even ISO 27001.

Demonstrating Security

Meeting the standard will show clients, investors, employees or any other interested parties that you take your cyber security obligations, and therefore your handling of their data, seriously.

New Opportunities

Being Cyber Essentials certified will mean you can bid on government contracts, and may also put you in a more favourable position for private sector work.

Save Money

Insurance companies will look favourably on companies with Cyber Essentials, resulting in lower premiums.

Avoid your business being a victim of avoidable attacks

The University of Lancaster found that the Cyber Essentials standard mitigates, either completely or in part, over 99% of all common cyber-attacks. If that's not enough, then what is?

Even if your business has a higher degree of IT security governance in place, the government still promotes Cyber Essentials as a practical accreditation that is highly effective at blocking some attacks seen in businesses that already hold ISO 27001.


What is Cyber Essentials?

Cyber Essentials is a scheme launched in 2014 that sets out the baseline standard for basic cyber security in businesses. The Government consulted and worked with industry organisations to come up with what we now know as the Cyber Essentials accreditation.

Cyber Essentials comes in two levels of certification:

Cyber Essentials - an independently verified self-assessment. Organisations assess themselves against five basic security controls and a qualified assessor verifies the information provided.

Cyber Essentials PLUS - a higher level of assurance. An independent assessor examines the same five controls, testing that they work in practice by simulating basic hacking and phishing attacks.

So, what are the five controls that Cyber Essentials tests in our business?

· Boundary firewalls and internet gateways

· Secure configuration

· Access control

· Malware protection

· Patch management

Between these five areas, 64 questions are asked to see if you meet the required standard. Together, these controls mitigate over 99% of the most common, unskilled cyber-attacks that businesses fall victim to every day.

Cyber Essentials has become the minimum standard required for working with some central government departments. This requirement is pushed down the supply chain, and is widely expected to extend across government departments and local government over time.

Let's take each of those five controls and give some examples of what is expected:

1.     Boundary firewalls and internet gateways

This area checks that the firewall is correctly configured so that only safe and necessary internet traffic is allowed, and that the firewall's configuration is protected with strong credentials and restricted to only those who require access.

2.     Secure Configuration

The secure configuration checks are there to reduce the vulnerabilities present in systems by default, and to ensure that machines and services run with only what is required for the role being fulfilled. An example would be removing administrative privileges from employees and changing all default passwords to secure ones.

3.     Access Control

This area looks at user accounts and makes sure they are assigned to authorised individuals only, and that they provide access to only those applications, computers and networks actually required for the user to perform their role.

4.     Malware Protection

This is the one that is always in the news at the moment. This area confirms that you have adequate security to stop known malware from running and to prevent harmful code from causing damage or accessing data. It is the area most people concentrate on when protecting themselves, but without the other controls in the Cyber Essentials standard it is not effective on its own.

5.     Patch Management

Patch management is the process by which you ensure that devices and software are not vulnerable to known security issues for which fixes are available. Software vendors regularly release fixes and patches for vulnerabilities, and the standard requires that these are installed in a timely manner.

As you can see, the five areas cover all the basics, but they are basic areas that most SMEs do not control within their businesses. Even where they do some of them, it is rare for small businesses to do them all, and to a good standard.


What is the difference between the NCSC Cyber Security Small Business Guide and Cyber Essentials?

Launched on the 11th of October, you may have already seen the new 'Small Business Guide' from the National Cyber Security Centre (NCSC) in the business headlines.

It's been getting a lot of press, and rightly so, for something that may help in part to save your business from a cyber-attack. So what is it, and how does it differ from the Cyber Essentials scheme, also run by the NCSC?

What's the Small Business Guide?

This guide is billed as the quick, easy and low-cost way to improve your business's cyber security, and it comprises five key areas of advice.

1.     Backing up your data

2.     Protecting yourself from Ransomware

3.     Keeping your Smartphones (and tablets) safe

4.     Using passwords to protect your data

5.     Avoiding phishing attacks

I'm not going to run through all the tips they provide under these sections, but rather explain the difference between the two schemes, as there has been some confusion among people who have contacted us about the latest advice.

So, the Small Business Guide is just advice, the absolute minimum of what you should be doing to protect your business, and advice is all well and good if you follow it continuously!

What's Cyber Essentials?

Cyber Essentials is a way of testing these basic (and other) controls you have in place, and a certification method (with CE+) to have them independently verified, so you can tell the world that you have.

In our opinion the Small Business Guide is most probably more suited to the very smallest of businesses, such as sole traders, whereas any business employing staff should jump straight to Cyber Essentials.