The internet and the rise of technology have revolutionised how businesses work. While companies both large and small can conduct transactions on a global scale, there is now an unprecedented array of channels through which consumers can engage with a brand. Such increased reliance on the digitisation of the marketplace has, however, brought with it a whole host of challenges, and businesses regularly find themselves exceptionally vulnerable to cyber-attacks.
Barely a week goes by without some major organisation reporting disruption caused by cyber-crime. According to recent research, individual organisations receive over 100 cyber-attacks each year on average, with one out of three proving successful. To make matters worse, a breach is frequently discovered by third parties rather than by anyone within the compromised company itself. Cyber-crime affects organisations both large and small, with high-profile targets of late including British Airways, the NHS, and the UK Parliament. From the theft of important data to the actual loss of revenue, cyber-attacks can have serious consequences for businesses across all kinds of sectors.
With cybersecurity becoming one of the foremost concerns for businesses globally, a Cyber Essentials certification can help ensure that your company’s IT systems are prepared for any number of cyber-attacks, including malware, phishing, and hacking. While the technical standards established by this scheme help protect against the exploitation of network vulnerabilities, compliance with its recommendations offers customers, shareholders, and staff members confidence in the commitment of any given company to cyber security. The following article will highlight why achieving certification should be a priority for your organisation and how you can go about it.
What is the purpose of Cyber Essentials?
It is a scheme sponsored by the UK Government and launched in 2014. Following on from 2012’s successful 10 Steps to Cyber Security programme, it is a product of collaboration between government experts and industry leaders that has aimed to produce a security standard which would help organisations adhere to these recommended cyber security steps.
Focusing on encouraging businesses, charitable groups, and other organisations of any size to implement basic cyber security systems in their daily operations, the scheme provides a framework of technical standards against which companies can be judged. Organisations which meet the simple criteria receive an internationally recognised certification which is evidence of their compliance. The criteria for achieving certification are clearly defined, and any kind of organisation could and, certainly, should take steps to meet the requirements of the scheme.
The scheme is based on three levels of engagement. Fundamentally, it intends to increase understanding of basic cyber security terminology amongst the general populace, which is intended to give individuals the confidence and wherewithal to secure their own IT systems. It provides practical information about five technical controls that all users of the internet should put in place, including how to use UTM devices to secure internet connections, how to amend and secure configuration settings, how to control device administrator privileges, how to defend systems from viruses, and how to go about keeping software and devices up to date through patching. While there is a useful, jargon-free guide that covers all these topics available on the Government’s cyber security microsite, the Government has also provided much more specialist advice aimed at IT professionals.
The programme begins with raising awareness of cyber security issues, but there are also two levels of certification that compliant organisations can be accredited with. Companies that want a greater sense of certainty regarding their own cyber security practices can seek basic certification, while those that wish to take this further may pursue a more advanced kind of certification in the form of Cyber Essentials Plus.
Cyber Essentials versus Cyber Essentials Plus
The difference between the basic and advanced certifications relates to the way in which they are assessed.
The basic level of certification is essentially a self-assessment for the organisation seeking to fulfil the requirements of the scheme. The company director or IT department will need to answer some 100 questions about the organisation’s IT infrastructure. Once these have been completed accurately and honestly, a third-party certification body then examines the responses. After the certification body has reviewed this questionnaire and has conducted an external vulnerability scan against the company’s internet-facing systems, it will then decide whether to accredit the company with a pass. The certification comes with Cyber Liability insurance up to £25,000 (for UK-based organisations with less than £20m turnover who pass the assessment). Organisations that have achieved the certification are entitled to display the scheme’s badge as proof of certification.
Cyber Essentials Plus certification is similarly based on a questionnaire; however, an additional step involving an external audit of the given answers by the third-party certification body takes place. This involves a consultant visiting the premises of the organisation under assessment to gauge the accuracy of its responses. The opportunity to have an expert examining your network can also flag other areas where cyber security can be tightened, and this is an additional benefit associated with this more stringent certification. This more comprehensive certification, then, is somewhat broader in scope than the basic certification and takes into consideration more extensive aspects of any given IT network, such as a review of mobile devices, an examination of individual workstations, and a test relating to email and web attachments. The advanced certificate is, therefore, a way in which an organisation can indicate that it has taken considerably more substantial measures to prove that it is secure.
Initiating the process of the basic or advanced certification could not be easier and consists of three steps. The first stage is to select a certification body. Certification bodies are managed by one of five accreditation bodies, who ensure the standards of the scheme are satisfied. Accreditation bodies audit their certification bodies, and in turn are themselves audited by the National Cyber Security Centre (NCSC). Verifying that your IT corresponds to the standards set by the Government and leading industry bodies is the second step, while the completion of the self-assessment questionnaire is the third and final stage before certification is achieved. Accreditation associated with either the basic or advanced programme does not expire, but it is recommended that it is renewed on an annual basis to avoid lapses in cyber security.
What are the benefits of the scheme?
In a nutshell, the scheme offers organisations of all sizes an invaluable opportunity to perform stress tests on the integrity of their IT systems and network. Gaining the accreditation demonstrates that a company has taken all reasonable precautions to prevent external intrusion in the form of cyber-attack from affecting daily business.
Some of the more specific benefits associated with achieving certification are as follows:
- Firstly, it is helpful for reassuring clients about the security of your organisation’s IT systems, giving them certainty regarding the fact that their data is safe from cyber-attack.
- Secondly, certification can attract new business based on a commitment to cyber security measures, and some Government contracts insist upon only dealing with companies that have achieved certification. As more companies have embraced the Government’s recommendations, it is now somewhat of an expectation that all companies are compliant in taking stock of their cyber security measures. Take, as an example, a supply chain, where a parent company deals with many third-party suppliers. If one of these suppliers does not comply with the principles of the scheme, all of these businesses, no matter how resilient the parent company and other companies in the chain are, can find themselves susceptible to cyber-attack.
- Thirdly, the process of achieving certification is useful for instilling a sense of confidence regarding one’s own cyber-security level – even companies that take cyber security very seriously can find themselves vulnerable because they do not audit their own IT networks. Moreover, evidence of engagement with the scheme is now something that many insurance companies seek when applications are made for business insurance policies.
The questionnaire that is used to judge whether an organisation can receive a pass is available in its entirety online, enabling organisations to work through it at their own pace before seeking the input of a certification body. Alternatively, companies are welcome to seek assistance throughout the completion of the questions, meaning that any organisation has the potential to achieve certification. A majority of businesses find that they already have most of the controls in place to achieve Cyber Essentials Plus accreditation, with many only having to implement minor changes within their IT networks. Auditing is non-invasive, quick, and all visits are treated with the strictest confidentiality.
The General Data Protection Regulation
In addition to the wealth of benefits listed above, certification also goes some way towards gauging whether your organisation can be considered GDPR compliant.
The General Data Protection Regulation comes into force in May 2018, serving to replace the outdated UK Data Protection Act 1998. Its purpose is to ensure that EU businesses that deal with personal data belonging to clients, suppliers or employees commit to doing more to protect this information from cyber-attack. Although this ruling is the creation of the European Union, it is still mandatory for UK businesses to comply with the legislation despite Brexit – organisations found violating this law risk a fine of up to 4% of global turnover or €20 million. While this legislation will be operational before Britain leaves the EU, the Data Protection Bill which is currently being passed through Parliament is heavily based on its principles. This law will still apply to organisations that trade inside the EU but are not themselves based in an EU member state, meaning that it is all the more important that companies adhere to the requirements of GDPR.
GDPR is primarily focused on protecting personal data, whereas the Government’s cyber-security programme is more focused on making sure that organisations are protected from malware, phishing, hacking and other cyber-attacks. Although these approaches to cyber security are somewhat different in terms of scope, many of the requirements of the UK Government’s programme correspond with those of the General Data Protection Regulation and the new UK Data Protection Bill. The technical standard – with its emphasis on cyber security and preventative measures therein – that companies successfully achieving basic or advanced certification already have in place is a strong foundation that complements this new legislation in many ways.
Verdict: why achieving certification should be at the top of your to-do list
The uptake of Cyber Essentials has dramatically increased over the last few years and this trend will continue. Given the frequency with which businesses are threatened by malicious individuals and groups who take advantage of lapses in IT security, certification is an inexpensive way to ensure that your company’s systems are secured. In turn, this offers customers and shareholders confidence in the integrity of your IT systems, while delivering peace of mind to company directors.
For organisations that become certified at either basic or advanced level, the benefits of the scheme are numerous. Achieving certification helps organisations to differentiate themselves from their competitors, opening opportunities to expand business and facilitating the realisation of new supply chains. It provides a sense of assurance to themselves and their customers that they are responsibly looking after data containing confidential information or intellectual property. On a wider level, the number of organisations that meet the Government’s standards for cyber security has a direct impact on how safe the United Kingdom is to conduct business online, fostering a real sense of community that is based around security, trust, and mutual respect. Certification also helps with making sure any given organisation has the technical controls in place to make it compliant with new legislation, which will soon be in place.
Business Computer Solutions offers first-rate advice regarding your cyber-security needs and can provide your organisation with expert guidance throughout the process of achieving standard or plus certification, having achieved both ourselves.
Contact us now on 01843 572600 for more info!