Cyber Essentials was introduced in 2014 by the UK Government and is now run by the National Cyber Security Centre (NCSC). The aim of the scheme is to raise the baseline cyber security posture of organisations of any size, although it is aimed particularly at small businesses. In essence it is a practical, no-frills approach to addressing the key areas of cyber security.
The basic concept is to address the most critical areas of cyber defence and make yourself a harder target, so that opportunistic attackers pass you by in favour of a softer option. According to the NCSC Cyber Essentials webpage, “Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.”
Why Implement Cyber Essentials
The most common reason companies obtain Cyber Essentials certification is commercial: customers or prospects require it. Supplier security is an important part of security management, and asking suppliers to achieve a recognised standard such as Cyber Essentials is a practical way to get the assurance a customer needs, especially where data is shared as part of the service.
Supplier security due diligence and invitation to tender documents often begin by asking about security certifications. In some regulated sectors it would be difficult to do business without them.
Ideally, though, Cyber Essentials should be treated as more than a box-ticking exercise to keep customers happy, and instead as a means of embedding good business practice.
If you are looking for robust assurance in relation to cyber risk, Cyber Essentials is a good start, but it needs to sit within a proper cyber security strategy for your business. Cyber Essentials provides basic assurance that management is giving cyber security consideration, but ideally it is just one part of a wider framework for managing information security.
How is Cyber Essentials Assessed
The scheme aims to bring your business up to a baseline of good practice in five ‘technical control themes’, without being excessively complicated. The following areas are covered: –
Firewalls – ensure that your network is protected from external attack by a boundary firewall (and, for devices that leave the office, a host-based firewall)
Secure configuration – ensure that devices on your network are locked down (default passwords changed, unnecessary software and services removed) so that they are less exploitable
User access control – ensure that the accounts you give to users are limited to what they need to do, and that administrative accounts are used only for administrative tasks
Malware protection – ensure there is effective anti-malware protection on devices
Security update management – ensure that devices and software are patched and kept up to date, with high-risk or critical updates applied within 14 days of release
Details of how the five control areas are met in your business are submitted as a self-assessment questionnaire to IASME, the NCSC’s delivery partner for the scheme, which reviews the answers and issues the certificate.
Cyber Essentials Plus
Cyber Essentials Plus keeps the trademark simplicity of Cyber Essentials, and the protections you need to put in place are the same. The difference is that with Cyber Essentials Plus the self-assessment is backed by hands-on technical verification carried out by a qualified assessor, including vulnerability scanning of your internet-facing systems and checks on a sample of your devices.
The Cons of Cyber Essentials
For some organisations Cyber Essentials may not go far enough. Cyber Essentials certification is a baseline assessment of your security systems and processes, but it does not cover everything. You may also wish to consider the following topics as part of a wider framework:
- Risk assessment and management
- Training and managing people
- Change management
- Monitoring
- Backup
- Incident response and business continuity
Alternatively, consider implementing the ISO 27001 standard for information security management.
In Summary
Cyber Essentials will benefit your business for the following reasons: –
- It reassures customers that you are working to secure your IT against cyber attack
- It helps attract new business by demonstrating that you have cyber security measures in place
- It gives you a clear picture of your organisation’s baseline cyber security level
- Some UK Government contracts require Cyber Essentials certification
However, it is a baseline standard, and you may also wish to implement a broader framework for security management.
Whichever approach you take, if you have concerns about cyber security controls and security testing, Krypsys will be able to give you the help and peace of mind you’re looking for. Please feel free to get in touch www.krypsys.com/contact-us/