How Cyber Essentials can help protect your business

Posted by John Kennedy on Dec 22, 2019 9:13:28 PM

Cyber Essentials is the UK Government-backed scheme, administered through the National Cyber Security Centre (NCSC), that aims to show organisations how to protect themselves against and prevent the most common cyber attacks.

The NCSC claims Cyber Essentials can help eliminate the risk of 80% of cyber attacks.

Organisations that achieve Cyber Essentials show that they take their defences against cybercrime seriously and have reduced the vulnerability of their business by meeting an accredited government standard.

The Cyber Essentials scheme is not covered by binding regulation; instead, it offers organisations and businesses a way to demonstrate their commitment to addressing cybersecurity by achieving a certified standard.

Not every organisation has the time or resources needed to develop a full-scale approach to cybersecurity, so the Cyber Essentials scheme has been designed to fit whatever level of commitment an organisation is able to sustain.

In common with many other sectors, the cyber threat level for the UK's small business sector is significant, and the number of reported incidents continues to grow substantially. The extent to which criminals exploit digital technology to commit offences is also increasing, with the aim of disrupting businesses, breaching IT security and stealing sensitive data and money.

Small businesses (SMBs) in the UK are the target of an estimated 65,000 attempted cyber attacks every day, according to figures from a study by Hiscox, a specialist insurer.

The easiest way to begin is to familiarise yourself with cybersecurity terminology, gaining enough knowledge and awareness to start applying security measures to your IT and infrastructure.

If your organisation needs more certainty about how it applies cybersecurity, you can obtain the basic, entry-level Cyber Essentials certification.

Organisations that need to take their cybersecurity to a higher level can go for Cyber Essentials Plus certification.

Cyber Essentials

The Cyber Essentials scheme addresses the most common Internet-based threats to cybersecurity and considers these threats to be:

  • Hacking 

  • Phishing 

  • Password guessing 

According to Hiscox, almost one in three (30%) UK small businesses suffered a cyber breach last year, equivalent to over 4,500 successful attacks per day, or one every 19 seconds.

Most small businesses recognise the threat that cyber criminals pose on a global scale but are less convinced of the risks facing their own operations, considering themselves 'too small' to be on the criminals' radar. This isn't the case.

Attackers know that smaller organisations have less money and fewer resources to spend on security. The majority of cyber attacks are automated and indiscriminate, exploiting known vulnerabilities in IT systems rather than targeting specific businesses.

So vulnerability to a simple attack from a cyber criminal can mark you out as a target for a more sophisticated attack.

Cyber Essentials certification offers peace of mind that an organisation's defences will protect against the vast majority of common cyber attacks, simply because these attacks are looking for targets that do not have the appropriate technical controls in place.

Cyber Essentials Plus

Cyber Essentials Plus requires the same protections that you need to put in place for Cyber Essentials, but this time the verification of your cybersecurity is carried out independently by a third-party Certification Body rather than by self-assessment alone.

There are three steps to certification:

  1. Select a Certification Body through one of the Accreditation Bodies.

  2. Verify that your company's IT is suitably secure and meets the standards set by Cyber Essentials.

  3. Complete the questionnaire, which your Certification Body will provide and verify.

Selecting a Certification Body

First, visit the Directory of Accreditation Bodies. Read the details about each of them and choose one that feels like a good fit for your organisation.

Once you have selected an Accreditation Body, click through to its website and its directory of Certification Bodies. It is the Certification Body that will perform your evaluation and award your Cyber Essentials certificate.

Verify your IT is suitably secure

Cyber Essentials has a detailed set of requirements for your information technology. You will need to make sure your systems and software meet these before you move on to the next stage of certification.

You may be required to supply various forms of evidence before your chosen Certification Body can award certification at the level you seek.

Complete the self-assessment questionnaire

Having understood the requirements that Cyber Essentials places on the installation, configuration and maintenance of your IT, you are ready to complete the certification questionnaire and submit it to your Certification Body.

The actual questionnaire you complete will be supplied by your Certification Body.

What is an Accreditation Body?

There are five Accreditation Bodies that have been specially selected by the NCSC to oversee Cyber Essentials. They recruit and manage the various Certification Bodies, ensuring that the standards set down for the scheme are met.

Each Accreditation Body:

  1. Produces a questionnaire for its Certification Bodies to use when certifying

  2. Has a process in place for auditing its Certification Bodies

  3. Verifies that all of its Certification Bodies meet the NCSC's demanding level of technical competence

  4. Is audited at least every 12 months by the NCSC

Cyber Essentials and GDPR

The GDPR, or General Data Protection Regulation, is designed to unify data privacy laws across the EU, giving EU citizens more control over their personal data and prescribing how organisations may use, and must protect, their data subjects' data. All organisations that handle the personal information of EU citizens must comply with the GDPR.

In the UK, the GDPR is enforced by the Information Commissioner's Office (ICO), which is also where data breaches are notified. Applying the technical controls of Cyber Essentials helps you demonstrate to the ICO that you are working to comply with the GDPR. Cyber Essentials is recommended as a good starting point, but it is not a complete solution for all your GDPR obligations.

Importance of Cyber Essentials

Cyber Essentials is an increasingly important certification to achieve for businesses of all sizes in the UK.

Even where it is not mandatory, rising awareness of the impact of cyber attacks and the consequences of personal data breaches has increased demand for evidence that your business takes its responsibilities seriously and invests in cyber protection.

For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity.

Will your business benefit from being Cyber Essentials certified?

Unless you already have an active cybersecurity defence strategy in place, with adequate resources to secure your network and infrastructure, you will certainly benefit from the certification process.

Undertaking certification will flag your current weaknesses and prepare the business for the majority of known cyber attacks going forward.

IT security practices are as important as locking your doors after you have left the office or putting expensive equipment away.

To make sure you get the basics right, try to do the following:

  • Adopt safe practices for doing business online to reduce the risk of an attack

  • Keep on top of software updates and apply them promptly, as they may contain important security upgrades and patches for known weaknesses

  • Adopt strong password hygiene: don't share passwords or use the same password to access multiple applications

  • If an email looks suspicious, trust your instincts and delete it

  • Install anti-virus software on your computers, tablets and smartphones to protect against viruses and other malware, including while you use the internet

  • Educate and train your staff on how to identify potential risks and on best practices

  • Keep your team up to date on the latest threats, but manage the sense of urgency so that staff are not permanently on edge

Next Steps

Cyber Essentials is just one step on the journey towards securing your organisation against cyber attacks. As an outside provider, Worktools can carry out initial security assessments and ensure that everything is secure, both locally and through remote access.

We can also help create your cybersecurity plan so you know how to prepare for, and if necessary respond to, an incident.

Take a tour of the Worktools Plans, and contact us to learn more about how we can help take your business to the next level.

Topics: Data privacy, GDPR, cybersecurity, Cyber Essentials