What is Cyber Essentials and why do you need it?

“What is Cyber Essentials and why do I need it?” This is something we get asked a lot at MFG, so I figured I would create a short blog post explaining what it is and what the benefits are of obtaining the Cyber Essentials or Cyber Essentials Plus accreditation.

About Cyber Essentials

Cyber Essentials is a government backed scheme which launched in June 2014. It allows you to demonstrate that you are taking the right steps to reduce your chances of falling victim to cyber-crime and more importantly, prove that you’re taking data protection seriously.

There are two different levels of badge that your company can apply for:

  • Cyber Essentials: the standard Cyber Essentials certification which is a self-assessment questionnaire and is reviewed externally.
  • Cyber Essentials Plus: this includes all the assessment for the Cyber Essentials certification, but system tests are carried out by an external certifying body.

In addition to Cyber Essentials, the next level of assessment is Cyber Essentials Plus. This is a technical audit of your systems that are in-scope for Cyber Essentials. An assessor will visit the business and conduct a series of tests on your systems to establish the level of security in place.

It’s worthwhile finding out which level of Cyber Essentials is required when bidding for projects to ensure you hold the correct one.

Does Self-Assessment mean we can do it ourselves?

As the process is self-assessment, you can do it yourself, but we would strongly advise working with an expert like your IT provider. Rather than guessing or trying to muddle through, allocating time to work with experts who understand your systems will make the process a lot easier.

As well as understanding the terminology the assessment body will be looking for, your IT provider will also be able to work with you to rectify any gaps in your security and offer solutions to fix them. This could mean replacing hardware, addressing permissions or clarifying what aspects of the business are in scope.

Why do I need to worry about cyber security?

Can you afford not to worry? UK businesses are being urged to protect themselves against cyber-crime, after new statistics show that over four in ten businesses (43%) and two in ten charities (19%) suffered a cyber breach or attack in the last 12 months.

This figure rises to more than two thirds for large businesses, 72% of which identified a breach or attack.

How much would financial and reputational damage hurt your business?

“Cyber-attacks can inflict serious commercial damage and reputational harm, but most campaigns are not highly sophisticated.”

“Companies can significantly reduce their chances of falling victim by following simple cyber security steps to remove basic weaknesses.”

Ciaran Martin, CEO of the NCSC

Why do you need it?

Firstly – you’ll gain a certification that demonstrates to your customers and suppliers (and competitors), that you are committed to protecting your data and that of your supply chain and customers, but here are the top seven additional benefits:

  1. You’ll be a stronger supplier in a pitch for tenders and contracts as you’ll be providing certified proof of your commitment to data security and the GDPR.
  2. You can promote your compliance and use the logo on your website and documentation.
  3. You can widen your client base as you will be permitted to work with the UK Government. If you take the Cyber Essentials Plus certification, you will also be eligible to work with the MOD.
  4. Gain a better understanding of your devices and network security.
  5. Secure your devices and software.
  6. You’ll implement five security controls that will protect your data from 80% of cyber-attacks.
  7. A step in the right direction for GDPR compliance (or as compliant as you can be).

The most common attacks are fraudulent emails, followed by cyber criminals impersonating an organisation online.

The most common breaches or attacks were via fraudulent emails – for example, attempting to coax staff into revealing passwords or financial information, or opening dangerous attachments – followed by instances of cyber criminals impersonating the organisation online, then malware and viruses.

This sort of attack can be mitigated by using simple controls, such as disabling auto-run and installing an anti-virus solution, both of which are implemented in the Cyber Essentials certification process.
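As an added example (not from the original MFG post), the script below shows what those two controls look like on a single Windows endpoint: it reports whether AutoRun is disabled for every drive type and enforces the policy if not, then checks that Microsoft Defender is running with current signatures. It assumes Windows 10/11 with the built-in Defender and an elevated PowerShell session; the seven-day signature threshold is an assumed value, not a Cyber Essentials requirement.

```powershell
# Added example: check and apply two Cyber Essentials-style controls on one Windows machine.
# Assumes Windows 10/11, Microsoft Defender present, and an elevated (administrator) session.

# --- Control 1: AutoRun off for all drive types ---------------------------------------------
# NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is suppressed;
# 0xFF covers every type (removable, fixed, network, CD-ROM, RAM disk, unknown).
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName  = 'NoDriveTypeAutoRun'
$disableAll = 0xFF

function Test-AutoRunDisabled {
    $current = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $current) { $shown = 'not set' } else { $shown = ('0x{0:X}' -f $current) }
    Write-Output ("NoDriveTypeAutoRun currently: {0}" -f $shown)
    return ($current -eq $disableAll)
}

function Set-AutoRunDisabled {
    # Create the policy key if this machine has never had the policy applied.
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    Set-ItemProperty -Path $policyPath -Name $valueName -Value $disableAll -Type DWord
    Write-Output "AutoRun disabled for all drive types (takes effect at next logon)."
}

if (-not (Test-AutoRunDisabled)) { Set-AutoRunDisabled }

# --- Control 2: anti-virus installed, running, and up to date -------------------------------
$maxSignatureAgeDays = 7   # assumed threshold for this example

function Get-DefenderFindings {
    $findings = @()
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        # Get-MpComputerStatus is absent when Defender is not installed or has been removed;
        # a third-party product would need its own vendor-specific check here.
        return @('Microsoft Defender status unavailable: verify which anti-virus product is installed')
    }
    if (-not $status.AntivirusEnabled)          { $findings += 'Defender anti-virus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is switched off' }
    if ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-$maxSignatureAgeDays)) {
        $findings += ("Signatures last updated {0}, older than {1} days" -f
                      $status.AntivirusSignatureLastUpdated, $maxSignatureAgeDays)
    }
    return $findings
}

$avFindings = Get-DefenderFindings
if ($avFindings.Count -eq 0) {
    Write-Output "Anti-virus check passed: Defender enabled, real-time protection on, signatures current."
} else {
    $avFindings | ForEach-Object { Write-Warning $_ }
}
```

Run it on a handful of workstations before an assessment and the warnings point straight at the gaps an assessor would flag. The registry write is the same policy a Group Policy object would push, so on a domain-joined estate the GPO is the better place to set it and this script becomes a read-only spot check.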

Minister for Digital and the Creative Industries, Margot James, said:

“We are strengthening the UK’s data protection laws to make them fit for the digital age, but these new figures show many organisations need to act now to make sure the personal data they hold is safe and secure.”

Cyber Essentials may be mandatory!

On 1st October 2014 Cyber Essentials was made mandatory for securing Government contracts that feature the characteristics highlighted in the Government’s procurement policy, meaning that without it you are unable to bid for those government contracts.

Some organisations are following suit and making Cyber Essentials mandatory for partners and suppliers who want to conduct business with them.

Am I bovvered though?

(That was our best Catherine Tate impression).

If you’re not concerned (or “bovvered”) about cyber security or protecting your data, then Cyber Essentials isn’t for you! If, however, you have a conscience like the rest of us and data security does matter, then Cyber Essentials is a perfect place to start and a great foundation to have in place for other security accreditations such as ISO 27001.