For some companies, Cyber Essentials or Cyber Essentials Plus certification is a must-have. Usually this is because their position in the supply chain—e.g. supplying to central or local government—dictates that they must have it.
But, for the rest of us, is it worth it? Certification against any standard usually looks like a lot of effort. This post aims to give you a sense of some of the pluses and minuses of the Cyber Essentials approach.
Reasons for certification
There are various reasons why companies go for Cyber Essentials certification, but these reasons tend to fall into two main groups:
- supply chain requirement (they must have it) and/or marketing and customer assurance, and
- genuine concern to improve security.
Of course, these are not mutually exclusive, e.g. good security helps with marketing and poor security can be disastrous for customer retention.
In our experience, the former motivation is far more common than the latter; after all, businesses need to focus on making a living rather than on what can seem like peripheral concerns. There can be a substantial mismatch between how businesspeople and cyber security people see the question of information security. The cyber people see security as self-evidently important, but businesspeople don’t always see it that way. We secure our homes without any need for a motivation beyond wanting to live in a secure home. When it comes to businesses, though, having a secure business is rarely enough of a motivation to tackle security: additional reasons are often required.
Marketing v security
If your objective relates mainly to marketing and public appearance, it is worth considering how well known the certification is in your sector. If it is not particularly well known, then the time and effort involved is probably better spent elsewhere.
On the other hand, if you are interested in improving business security, is Cyber Essentials a good way to go?
Cyber Essentials is a hugely simplified security standard. You may be familiar with standards such as ISO 9001, which deals with quality control. The advantage of a standard is that you don’t have to figure out what needs to be done—someone else has already done all that work. All you need to do is follow the standard.
OK, easier said than done; nonetheless, a standard does take care of a lot of the grind. This is especially helpful when it comes to business and information security. Where do you start when it comes to information security? Of course, as with quality, there is an ISO standard for security: 27001. And, while ISO 27001 is a very comprehensive guideline for any business, it is a very big ask for smaller businesses.
There are other standards too, but Cyber Essentials has done a fantastic job in boiling things down to the absolute essentials: creating a standard that any business can follow.
Responsibilities and attackers
All businesses have a legal responsibility under GDPR and other legislation to protect the data they control. But businesses also have a responsibility to themselves, their staff and other stakeholders. If they knew how to do it, most businesses would like to protect themselves against fraud, theft and any of the other ways in which criminals might wish to exploit them.
Businesspeople are usually pretty good at making sure they have secure premises, safes for cash and so on, but very often the IT system remains insecure and provides a very attractive way in for criminals. In fact, cyber crime is just too easy.
There is a lot of misunderstanding about how cyber criminals operate. One of the biggest confusions, shared by too many businesses, is the idea that businesses that have fallen victim to cybercrime have been specifically targeted for one reason or another. This misunderstanding leads to a false sense of security along the lines of, “why would they come after us when there are much richer pickings elsewhere?” The truth is that a huge amount of cybercrime works just like spam. It is a scattergun approach. Attacks are automated and do not have a specific target in mind; anyone who takes the bait is fair game. These kinds of attacks are known as commoditised attacks: they require no skill or specialist knowledge on the part of the attacker, and any kind of business can become a victim.
The five controls
Cyber Essentials is specifically aimed at combating these commoditised attacks and, according to the National Cyber Security Centre, 90% of such attacks would be blocked by businesses which have implemented the standard.
So, how does it work? Cyber Essentials focuses on five key areas exploited by commoditised attacks:
- Firewalls (securing the connection between your network and the rest of the world)
- Secure configuration (e.g. default passwords)
- User access control (e.g. admin rights, file access rights)
- Malware protection (e.g. antivirus and web browsing protection)
- Patch management (e.g. Windows and other software security updates)
The advantage of Cyber Essentials is that it spells out exactly what must be done in each of these areas in order to comply and thereby block most commoditised attacks.
How to use Cyber Essentials
You can use the Cyber Essentials standard as a guide to secure your system, or as a yardstick against which you can ask your IT support company to report. You can download the standard here. To demonstrate compliance, you can certify at the entry level by completing an online questionnaire, which will be checked by a certification body, after which you can be awarded a certificate and badge for use on marketing and other materials.
You can go a step further and apply for certification at the Plus level, which involves an internal and external assessment of your cyber controls.
Upsides and downsides
If you are interested in improving the security of your business, there are six clear advantages to taking the Cyber Essentials approach:
- Your ‘where do I start?’ question is answered for you along with clear guidance on exactly what needs to be done.
- You can hold your IT support company to account using the standard.
- You will find it easier to get management buy-in using a tried and tested approach.
- You will learn how to work with standards and, if you go for Plus, how to work with external assessors.
- If you are going to do the work, you might as well take an approach that gives your company the recognition of certification and badges.
- You know it works; blocking 90% of commoditised attacks is not a bad result.
So, are there any downsides? Not many, but there are a few points worth thinking about:
- The standard itself is free but, if you do want to go for certification, there are some fees involved.
- There is a considerable amount of work involved in securing your systems, though most of this should already be covered by your IT support company.
- Blocking 90% of commoditised attacks is great, but what about the other 10%? And, what about specific non-commoditised attacks?
- Cyber Essentials is a great way of assessing your security controls at a specific point in time, but things change quickly in business and it doesn’t tell you much about whether you are maintaining your controls.
These negatives hardly outweigh the advantages of the Cyber Essentials approach—in fact, they point to your next steps should you wish to maintain a focus on cyber security in your business. Once you have secured your system, the key is to keep it that way. In order to do this, you need to be able to continuously monitor and report on your compliance with the five Cyber Essentials controls. With monitoring in place, you are in an excellent position to think about moving beyond Cyber Essentials to tackle the other chinks in your armour.
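As an added illustration (not code from the original post or from the Cyber Essentials scheme) of how the five control areas listed above can be turned into the kind of repeatable compliance report the previous paragraph calls for, the following read-only PowerShell script takes one indicative check per control area on a single Windows endpoint. It assumes Windows 10/11 or Server 2016 or later with Microsoft Defender, an elevated session, and a 30-day patch window that is an illustrative threshold rather than a figure from the standard.

```powershell
# Added example, not from the original post. Reports, and never changes, the
# status of one indicative check per Cyber Essentials control area so the output
# can be compared against the standard or kept as a history over time.
# Assumptions: Windows 10/11 or Server 2016+, Microsoft Defender, elevated session.
# The 30-day patch window below is an illustrative threshold, not the standard's.

$report = [ordered]@{}

# 1. Firewalls: every profile (Domain, Private, Public) should be enabled.
$profiles = Get-NetFirewallProfile
$disabled = $profiles | Where-Object { -not $_.Enabled }
$report['Firewall'] = [pscustomobject]@{
    AllProfilesEnabled = ($disabled.Count -eq 0)
    DisabledProfiles   = ($disabled.Name -join ', ')
}

# 2. Secure configuration: the built-in Guest account (RID 501) should be disabled.
$guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
$report['SecureConfig'] = [pscustomobject]@{
    GuestAccountDisabled = ($null -eq $guest) -or (-not $guest.Enabled)
}

# 3. User access control: list who holds local admin rights so it can be reviewed.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$report['AccessControl'] = [pscustomobject]@{
    LocalAdminCount = $admins.Count
    LocalAdmins     = ($admins -join ', ')
}

# 4. Malware protection: Defender on, real-time protection on, signatures current.
$mp = Get-MpComputerStatus
$report['Malware'] = [pscustomobject]@{
    AntivirusEnabled   = $mp.AntivirusEnabled
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    SignatureAgeDays   = [int]((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
}

# 5. Patch management: how long since the most recent update was installed.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['Patching'] = [pscustomobject]@{
    LastPatchInstalled  = $latest.InstalledOn
    PatchedWithin30Days = [bool]($latest -and ((Get-Date) - $latest.InstalledOn).TotalDays -le 30)
}

# One block per control area; pipe the objects to Export-Csv to keep a history.
foreach ($area in $report.Keys) { "== $area =="; $report[$area] | Format-List }
```

Each check is a proxy for one requirement in its area, not the full set of requirements the standard lists, so treat a clean report as a starting point for the questionnaire rather than proof of compliance.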
Please get in touch with us if you would like to explore Cyber Essentials or if you have already implemented it and want to figure out how to make sure you stay compliant.