
Cyber Essentials Cyber Security Certification

The Cyber Essentials cyber security certification program has been in place since 2014. It is a certification that demonstrates to customers and partners that your company has a fundamental level of cyber security measures in place. Its value to businesses is growing, as customers, business partners and underwriters begin to understand its significance. This article will discuss the certification process in more detail and what it can help your business achieve. For more advice on the topic,

Background

In 2012, the British government launched a guide called ‘10 Steps to Cyber Security’, a document that outlines methods companies can use to protect themselves from breaches, data theft and other IT security-related concerns.

It became clear that there was no way for a company to demonstrate that it had elected to adhere to the principles in the 10 Steps document, so the Cyber Essentials certification process was created the following year and launched in 2014.

What are the 10 steps to cyber security?

The 10 steps to cyber security document outlines different areas and behaviours that should be addressed to create a secure working environment for businesses. These areas are:

  • Home and mobile working
  • User education and awareness
  • Incident management
  • Information risk management regime
  • Managing user privileges
  • Removable media controls
  • Monitoring
  • Secure configuration
  • Malware protection
  • Network security

How does the Cyber Essentials program work?

The Cyber Essentials program provides a standard for companies to be assessed against. It identifies the security protocols a company must have in place to have an acceptable level of cyber security. Those companies that volunteer for assessment and meet the criteria are eligible to promote themselves as certified. This assures current and potential customers and partners of the safety of their data and interactions.

The Cyber Essentials program tests 5 areas (informed by the 10 steps listed above):

Boundary Firewalls and Internet Gateways: confirming that either hardware or software has been deployed to prevent unauthorised access to internal/private networks

Secure Configuration: confirming that systems are configured using the most secure and business appropriate methods

Access Control: ensuring tightly controlled authorisation and access to install software and make system changes, as appropriate

Malware Protection: ensuring malware and antivirus protections are installed and current

Patch Management: confirming that the latest versions of software and applications are in place, and any officially released patches have been applied.

There are two available levels of certification:

Cyber Essentials: a self-assessment questionnaire is completed by the organisation and is verified by a certifying body.

Cyber Essentials Plus: in addition to verifying the self-assessment, the external certifying body will undertake additional testing of the company’s systems.

What does the assessment process involve?

Any business wishing to apply for certification must appoint a Certifying Body to undertake the assessment. CREST is an international not-for-profit organisation that focuses on developing consistent standards across the cyber security industry internationally. While various companies offer to be a Certifying Body for this assessment, CREST-certified assessors are guaranteed to undertake a uniform and high-quality assessment.

The questionnaire seeks information about the secure configuration of the company’s computer systems and security controls. The certifying body then conducts remote testing of the systems to verify the answers and to provide additional assurance to customers.

The additional testing required for Cyber Essentials Plus includes physical testing of workstations and a technical review. The review tests the porosity of web and email gateways for malware incursion, the ability of antivirus to highlight or stop breaches, and the likely consequences if a breach did occur (testing patch quality and implementation on workstations, etc.).

It is possible to access the questionnaire online (free of charge) and get your IT support to run through the checks. If the results show areas for improvement, action should be taken immediately. Bear in mind that certification (and therefore external validation for consumers and others) is only available through certifying bodies.

What are the benefits of having Cyber Essentials certification?

There is a growing list of reasons why companies are better off having the certification in place. The UK government says that taking measures to bring your IT up to certification standard is enough to stop up to 80% of cyber attacks. This figure alone should be enough to convince any business owner of the value of the certification process, as 25% of all UK businesses suffer a breach or attack each year. 1 out of 10 companies that do suffer a cyber attack must significantly change the way they do business, at major cost, inconvenience and a blow to consumer trust. Implementing this scheme dramatically reduces the risk of such irreparable damage. Having a strong disaster recovery plan in tandem with this program strengthens the long-term viability of your business.

There are also financial benefits beyond avoiding catastrophic operating interruptions. For example, insurance premiums have been observed to decrease when companies are certified, as the risk of cyber attack is identifiably lower. This is a simple way to decrease ongoing costs, particularly for small to medium businesses.

If any business intends to apply for government contracts that involve sensitive or defence information, it must be Cyber Essentials certified. This supports the government’s thrust toward implementing its Cyber Security Model.

A final word

The Cyber Essentials certification scheme is a fantastic step toward bringing cyber security ‘front of mind’ for businesses and consumers alike. The checklist makes implementing changes seem within reach and achievable for smaller businesses, and highlights the very real risks of failing to maintain cyber security. We strongly encourage any business to engage with the checklist and the certification process to strengthen the security of their data and sensitive information.

Please contact us for more details of how to get certified