The cyber threat landscape is evolving at a frightening rate, leaving businesses with the difficult task of trying to keep up, reduce their risk exposure and stay secure. For SMEs this can be particularly tricky, as they won’t necessarily have the budget or resources to invest in comprehensive technical security solutions. Yet without proper cyber defences, an SME becomes a more likely target for a cybercriminal: SMEs are seen as an easy, or ‘soft’, target and often as an entry point to other businesses higher up in the supply chain.
In 2014, the UK Government’s National Cyber Security Centre began to develop a standard based on the evidence they had of common types of cyber attack. This led to a set of controls that, if implemented, would offer an organisation a good level of protection against these attacks.
The Cyber Essentials standard was designed with SMEs in mind, focusing on the most important technical controls that would make a real difference to a business’ security posture. With 60% of small businesses experiencing a security breach that year, it was clear that many SMEs did not have these controls in place, either because they were not aware of them or did not believe they would ever be attacked as a small business.
What are the technical controls?
The NCSC outlines five critical technical controls that make up the Cyber Essentials standard and help businesses lay secure foundations. They are safeguards implemented in computer hardware, software or firmware.
Malware Protection: Appropriate anti-virus and anti-malware software should be installed and active, preventing malicious software from being downloaded and run on your systems.
Secure Configuration: Devices need to be correctly configured before use, with default passwords changed and only approved applications installed.
Boundary Firewalls and Gateways: These protect your internal networks from the wider internet and should be switched on at all times to block harmful and unwanted traffic.
Security Updates: Keeping all devices and software up to date hugely reduces the number of known security vulnerabilities that attackers are likely to exploit.
Access Control: Managing access rights within an organisation, and especially keeping admin privileges to a minimum, helps to protect data and other important assets.
How does the Cyber Essentials assessment work?
To make sure your business is complying with these controls, there has to be an assessment. There are two levels of Cyber Essentials certification, distinguished by the way they are assessed. In its basic form, Cyber Essentials involves an online self-assessment questionnaire: your IT provider or IT department fills out a series of questions relating to each of these controls and submits them via an online portal. You then pass the assessment and achieve certification if your answers show that your business has implemented the required controls.
Cyber Essentials Plus tests for the same controls, but instead of self-assessing, an external third party is required to actually scan your systems and confirm that you meet the standard. This is usually the preferred certification because you get independent validation of your security from a qualified Certification Body. There are several Certification Bodies with approved assessors operating under IASME, the NCSC’s sole delivery partner for the scheme.
Do businesses really need Cyber Essentials?
Essentially, Cyber Essentials is a recipe for good basic security that every business should be following, but for many reasons plenty of businesses, especially SMEs, struggle to do so. It may be limited resources or budgets, a lack of cyber security awareness, or simply that cyber security isn’t seen as a priority. Cyber Essentials offers these businesses a straightforward and affordable way to check that they have the proper controls, processes and policies in place, and if they don’t, it tells them where the gaps are.
Of course, aligning with the standard reduces your cyber risk, but being able to prove this with a certification badge can open doors to other benefits too. The certification has grown in popularity since 2014 and is now required for public sector contracts, including MoD and NHS, and we are steadily seeing the same trend in the private sector. Being certified to Cyber Essentials demonstrates a certain level of security that may also convince insurance providers to reduce premiums, lower any regulatory fines in the event of a breach, and attract new business opportunities, because prospects can feel more confident that their data is safe with you. In fact, 93% of certified businesses themselves also report greater peace of mind that they are better protected from attacks.
We’re likely to see Cyber Essentials become more widely recognised and accepted across different sectors, and there are already signs that industry-specific regulatory bodies are keen for companies to meet this standard. With attacks continuing to escalate, cyber security can no longer be an afterthought, and measures should be taken to get these core basics under control in order to best protect your organisation.