Is Cyber Essentials Worth Doing

Cyber Essentials was launched by the UK Government in 2014 and is now overseen by the National Cyber Security Centre (NCSC). The aim of the scheme is to raise the baseline cyber security posture of organisations of every size, and it is particularly well suited to small and medium-sized businesses. In essence it is a practical, no-frills approach to the handful of controls that stop the most common attacks.

The basic concept is to address the most critical areas of cyber defence and make yourself a harder target, so that opportunistic attackers pass you by in favour of a softer option. According to the NCSC Cyber Essentials webpage, “Certification gives you peace of mind that your defences will protect against the vast majority of common cyber-attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place”.

Why Implement Cyber Essentials

The most common reason companies seek Cyber Essentials certification is commercial: customers or prospects require it. Supplier security is an important part of security management, and asking suppliers to achieve a recognised standard like Cyber Essentials is a straightforward way for a customer to obtain the assurance they need, especially where data is shared as part of the service.

Supplier security due diligence and invitations to tender documents often start by asking about security certifications. In some regulated sectors it would be difficult to do business without them.

Ideally, though, you would treat Cyber Essentials as more than a box-ticking exercise to keep customers happy, and use it as a means of embedding good business practice.

If you are looking for robust assurance against cyber risk, Cyber Essentials is a good start, but it needs to sit within a proper cyber security strategy for your business. It provides basic assurance that management is giving cyber security some consideration; ideally it would be just one part of a wider framework for managing information security.

How is Cyber Essentials Assessed

The standard aims to bring your business up to a baseline of good practice in five ‘technical control themes’, without being excessively complicated. The following areas are covered: –

Firewalls – use a firewall (a boundary firewall or internet gateway, plus the host firewall on each device) so that your network and its devices cannot be reached directly from the internet

Secure configuration – remove unused software and accounts, change default passwords and choose the most secure settings, so that devices are harder to exploit

User access control – give users only the accounts and privileges they need for their job, and keep administrative accounts for administrative tasks

Malware protection – ensure effective anti-malware software (or application allow-listing) is in place on every device

Security update management – ensure devices and software are supported, patched and kept up to date, with critical and high-risk security updates applied within 14 days of release

Cyber Essentials itself is assessed by a self-assessment questionnaire, submitted through IASME (the NCSC's delivery partner) or one of its licensed certification bodies, in which you describe how each of the five control areas is met in your business. A qualified assessor reviews the answers before certification is granted.

Cyber Essentials Plus

Cyber Essentials Plus keeps the trademark simplicity of Cyber Essentials, and the protections you need to put in place are the same. The difference is that with Cyber Essentials Plus a hands-on technical verification is carried out by a qualified assessor, typically including an external vulnerability scan of your internet-facing systems, an authenticated scan of a sample of internal devices, and tests that your malware protection blocks test files delivered by email and by web download. The Plus assessment has to be completed within three months of passing the Cyber Essentials self-assessment.

The Cons of Cyber Essentials

For some organisations Cyber Essentials may not go far enough. Cyber Essentials certification is a baseline assessment of your security systems and processes, but it does not cover everything. You may also wish to look at the following topics as part of a wider framework.

  • Risk assessment and management
  • Training and managing people
  • Change management
  • Monitoring
  • Backup
  • Incident response and business continuity

Or possibly look at implementing the ISO 27001 standard for Information Security Management.

In Summary

Cyber Essentials benefits your business in the following ways: –

  • Reassures customers that you are working to secure your IT against cyber attack
  • Helps attract new business by demonstrating that you have cyber security measures in place
  • Gives you a clear picture of your organisation’s baseline cyber security level
  • Some UK Government contracts, in particular those involving the handling of personal information or the provision of certain ICT services, require Cyber Essentials certification

However, it is a baseline standard and you may also wish to implement a broader framework for security management.

Whichever approach you take, if you have concerns about cyber security controls and security testing, Krypsys will be able to give you the help and peace of mind you are looking for. Please feel free to get in touch.