In recent years, it has become increasingly important for businesses to secure their IT systems to reduce the chance of falling victim to a cyberattack. In the UK alone, 39% of businesses were targeted by a cyberattack in the last 12 months. Whilst most newsworthy cyberattacks target large businesses and enterprises, it is just as common for small businesses to be attacked, as they are less likely to have invested in securing their IT systems. For this reason, all SMB owners should invest in strengthening their security posture and aim to achieve a Cyber Essentials certification.
What is a Cyber Essentials certification?
Cyber Essentials is a UK Government-backed scheme designed to protect organisations against a wide variety of common cyberattacks. There are two levels of certifications: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials is a self-assessment, that ensures businesses have controls in place to protect against most common cyberattacks. Cyber Essentials Plus is a more in-depth certification and includes hands-on technical verification.
The Cyber Essentials certification covers many areas, including firewalls, secure configuration, user access control, malware protection, security update management and more. The certification lasts for 12 months and is regularly updated to ensure businesses are protected against novel attack methods.
Here are 4 Key reasons why you need to have Cyber Essentials:
Protection – Cyber-attacks are on the rise and your staff may not be as aware of cybersecurity as they should be, and with things changing all the time, it’s hard to keep them up to date. Without a robust security solution in place, your data is vulnerable to criminals. The Cyber Essentials prevents over 80% of the most common computer security breaches. It aims to provide businesses with a strong base from which to reduce the risk from these prevalent, but unskilled, cyber-attacks.
Assurance – Achieving Cyber Essentials certification demonstrates to your customers, suppliers and other partners that you take data security seriously. It is a quick way to show that you have done your due diligence and are putting controls in place to protect information. This gives them more confidence that they can trust you and encourage them to work with you.
Compliance – You are legally required to protect the data you hold within your business, particularly if it belongs to clients/customers, whether these are existing or previous. The introduction of The General Data Protection Regulation (GDPR) in May 2018 means that you must have solutions in place to protect that data, and be able to demonstrate these.
Opportunity – Achieving Cyber Essentials can allow you to bid for contracts which involve the handling of sensitive information and the provision of certain technical services. The UK Government has set a good example to UK businesses, highlighting the importance of a secure supply chain for ongoing business. Not only does this defend the integrity of government information, it could even give your company a competitive advantage when bidding for public sector tenders. Cyber Essentials is fast becoming a prerequisite for doing business because the certification provides third-party assurance of the company’s cyber security.
The importance of cybersecurity for SMBs in 2022
All small businesses are at risk of falling victim to a cyberattack, with the most common cyberattacks being phishing, data breaches and ransomware attacks. All of these attacks can be devastating for businesses, both in terms of the cost of remediation, as well as the costs associated with damages to a business’s reputation.
Thankfully, many of these attacks are carried out by relatively unskilled cybercriminals and therefore can be stopped by implementing basic security controls. With a Cyber Essentials certification, these attacks are no longer viable.
Benefits of a Cyber Essentials certification for SMBs
Reduce the chance of falling victim to a cyberattack
The overall goal of Cyber Essentials is to reduce a business’s cyber risk. As the assessment covers most attack surfaces and the associated technical security controls, Cyber Essentials covers all the bases to protect from 80% of common cyberattacks. Although the methods that cybercriminals use are constantly changing, these technical controls will typically stop novel attack methods, especially if they are not highly targeted attacks.
Gain a competitive advantage
For small businesses within competitive industries, a Cyber Essentials certification can be a way to stand apart from the competition. The certification shows that your business takes security seriously, and any customer, either consumer or corporate, doing business with you is less likely to have their data leaked as part of a customer data breach. After a business obtains their Cyber Essentials certification, they can also display the certification badge on their website and other marketing materials.
Find new business opportunities
A Cyber Essentials certification is mandatory for businesses considering submitting a bid for a contract with the NHS, Ministry of Defence, and UK Government. Many private sector businesses also look for the Cyber Essentials badge of approval when seeking new suppliers.
Improve credibility and reputation
The technical controls necessary to obtain a Cyber Essentials certification are relatively simple to implement, and the self-assessment is a quick and easy process. This simple and affordable certification can add significant value to a business as it improves credibility and reputation. Cyber Essentials shows that a business is committed to protecting their customer’s data and taking action to reduce the chance of falling victim to a cyberattack.
Free Cyber Liability Insurance
Once a business has obtained their Cyber Essentials certification, they are automatically entitled to free Cyber Liability Insurance to the total limit of £25,000 of indemnity. This also gives businesses access to a 24-hour hotline to report a cyber incident, which will provide crisis management and incident response. For businesses that do not already have cyber insurance, this is a perfect option to recover from a small breach or incident. Many cyber insurance providers will also give discounts to businesses that are Cyber Essentials certified.
Whats are the 5 main controls in Cyber Essentials?
This control will apply to every business where employees have access to the internet. Internet gateways and firewalls will identify and prevent unwanted traffic gaining access to your network, computers, and systems. The controls you need to apply will include changing any default/admin passwords, ensuring firewalls are properly set up, etc.
2. Secure Configuration
A new computer or piece of software is rarely properly configured with its factory settings. This means if you carried on using a device on its default settings, it is open to cyber risks. All computers and network devices should be configured securely to reduce risk. This will include reducing or removing unnecessary software and changing default settings and passwords.
3. Access Control
A significant number of data and cyber breaches occur from abuse of administrative user accounts in a business. Organisations and businesses should aim to only let certain individuals have special access privileges according to their role and responsibilities. Companies can look to manage this by performing a number of controls, such as having unique usernames and passwords, and keeping all account information in a secure, protected location.
Where computers and systems are exposed to the internet, they will need to be protected from malware. Malware is a programme, or virus, that has been coded with the intent to perform unauthorised actions on one or more computers. Organisations should at a minimum look to protect all computers that are connected to the internet via cable or wireless. Other actions include having up-to-date malware software as well as setting regular (daily) full scans to ensure early detection of malware.
5. Patch Management
As with any software, there are often regular updates released to address security issues, add more features and improve performance. If there are any vulnerabilities in software that hasn’t been updated, this can become a weak spot that can be used to gain access to networks and computer systems. Organisations and businesses should ensure the following: remove out-of-date software, and ensure all security patches are updated as soon as they are available and no later than 14 days after release. For our clients we use a specialist software suite that keeps the patches up to date on all supported devices.
How we can help
For businesses that are not well versed in the world of cybersecurity, it can be difficult to implement the technical controls necessary to obtain a Cyber Essentials certification. We can help your business implement the technical controls, as well as provide additional security services to further reduce the chance of falling victim to a cyberattack.
To achieve Cyber Essentials we can assist your business in preparing then answering a questionnaire which will be reviewed and verified by a Certification Body Assessor
Before filling out the questionnaire, we can assist in ensuring all devices are within the scope of the assessment (any PC, laptops, mobile phones, tablets or servers that handle company data) and that they are compliant with the Cyber Essentials standard.
We also offer Cyber Essentials Plus (CE+) which builds on the entry-level CE certification. The protections you need to put in place are the same, but CE+ goes a step further. While CE is a self certified written assessment , CE+ includes a hands-on technical verification from our security auditors.
To find out more, contact us today.