With 64% of cyber attacks happening to SMEs, the need to have adequate cyber security measures in place has never been greater. With the government’s desire to make the UK one of the most secure places in the world to do business, the Cyber Essentials scheme, backed by the Federation of Small Businesses, the CBI and a number of insurance organisations, was launched in June 2014.
What is Cyber Essentials?
Cyber Essentials is a government-backed, industry-supported scheme which can help businesses prevent a cyber-attack and improve their cyber security. The scheme is gathering traction and we estimate that in the next 12-18 months, many of your customers and partners will request that you have this in place.
How does Cyber Essentials work?
There are five different controls at the heart of Cyber Essentials. These five controls should eliminate 80% of common online threats to your business.
The five controls are:
• Secure Configuration
• User Access Control
• Malware Protection
• Patch Management
The Cyber Essentials certification is available in two different levels:
Cyber Essentials Basic
The Cyber Essentials Basic certification is a technical questionnaire based around the five access controls. This needs to be completed and submitted to a certification body, along with visual evidence (screenshots etc.).
Once that has been completed, your business will be issued with a certificate, which will need to be renewed annually.
Cyber Essentials Plus
The CE+ certification includes the Basic measures, but in addition a security consultant from the certification body will attend your offices and test the controls. If your business works with any government organisations or local councils, they might insist you have the Plus certification.
Much like the Cyber Essentials Basic accreditation, the certificate needs to be renewed annually.
How can I check if a business has the Cyber Essentials accreditation?
When thinking about engaging in services with a company, it would be wise to check whether they are Cyber Essentials certified. To do this, you can browse https://www.cyberessentials.ncsc.gov.uk/cert-search/ and enter their company name. There can be a delay of 2 weeks between a company gaining their certificate and appearing on the CE website.
What Cyber Essentials doesn’t include
There is a common Cyber Security framework from NIST that includes five functions that organisations are urged to comply with:
1. Identify – Cyber Essentials
2. Protect – Cyber Essentials
Cyber Essentials works with the ‘Identify’ and ‘Protect’ functions. Cyber Essentials does not work with any controls from ‘Detect’, ‘Respond’ or ‘Recover’. For example, Backup would be considered a function from ‘Recover’. It is possible for a business to have Cyber Essentials Plus and not have a backup in place.
How can we help?
A subsidiary of Murray Harcourt, Cyber Focus can take your business through the whole Cyber Essentials process.
Cyber Focus will audit your IT network in conjunction with the five Cyber Essentials controls.
You will be provided with a full report which might include a list of remediation tasks to ensure you comply with Cyber Essentials.
We will re-test your network following remediation and submit the paperwork to a certification body.