More businesses are choosing to undergo Cyber Essentials certification. Tayla Ansell finds out why
We often hear of large organisations suffering security breaches, the likes of Tesco and Yahoo, but cyber-criminals don’t just target household names; small businesses are equally at risk and need to take cyber security just as seriously as their biggest customers and suppliers. But where to start?
For more and more organisations, the answer is to become Cyber Essentials certified. Launched by the Government in June 2014, the Cyber Essentials certification scheme aims to educate organisations of all sizes in the basics of cyber security and to provide a mechanism for countering the most common attacks.
The scheme doesn’t offer a silver bullet against all cyber security risk – additional measures will need to be taken to protect against advanced, targeted attacks – but it does provide cost-effective basic cyber security, and is a good way of demonstrating a commitment to safeguard data held by the company.
Developed in consultation with insurance companies, the scheme is backed by AIG, Marsh, Swiss Re, the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association. Some insurers even offer preferential rates to certified businesses when they take out cyber insurance policies.
Since October 2014, Cyber Essentials has been mandatory for suppliers of Government contracts in which sensitive and personal information might be handled. Growing concern about cyber attacks means that it could soon become a criterion for winning business in other sectors.
There are two levels of certification, Cyber Essentials and Cyber Essentials Plus. Cyber Essentials certification focuses on five key controls: boundary firewalls and internet gateways; secure configuration; access control; malware protection; and patch management. Certification requires an organisation to self-assess its implementation of these controls. This self-assessment is then verified by an independent Certification Body, which assesses whether the appropriate standard has been met.
Cyber Essentials Plus provides a more thorough assessment, with additional external testing of an organisation’s cyber security status, through penetration testing, for example.
Prices for the foundation certification start at around £300, though cost varies depending on the certification body used. Certification bodies can be contacted via a Government-approved Accreditation Body (e.g. QG Management Standards, IASME, CREST, APMG, IRM security). On successful completion, certified organisations can display a Cyber Essentials or Cyber Essentials Plus badge.
Take the highway
The Cyber Highway online portal, launched in September 2016, provides companies with a cost-effective and efficient route to Cyber Essentials certification, with built-in guidance to help businesses of any size or level of IT capability through the certification process. A spokesperson for Cyber Essentials Direct Ltd, the company behind the portal, said that it challenges basic or conventional ‘tick-in-the-box’ self-auditing systems and ‘presents a fresh and practical approach to Cyber Essentials certification in line with the latest Government standards’.
The spokesperson added: “The Cyber Highway portal provides access to a range of explanatory tools and has a dedicated helpline. We also offer a range of policy templates that companies may purchase to help in the compliance process. Based on our understanding that many companies might require additional technical security assistance to implement some of the necessary controls for Cyber Essentials certification, we have a team of Accredited Cyber Essentials (ACE) Practitioners, Trainers and Consultants qualified to provide the optimum level of remote or on-site support that businesses might require to progress towards Cyber Essentials certification.”
The cost for businesses to become certified and maintain certification with The Cyber Highway starts at £300 per annum for companies with 1-10 employees, £600 for companies with 11-50 employees, £900 for companies with 51-250 employees, and so on.
One of the key features of the portal is the Cyber Highway Dashboard, which guides the user through each stage of the journey to Cyber Essentials certification, even providing an alert when it is time to re-apply for certification.
Business Info spoke to two businesses that have become Cyber Essentials certified to find out why they did it and what the process entailed.
Jigsaw CCS, a direct mailing and creative hand fulfilment specialist based in Binley, Coventry, was motivated to get certified by media coverage on the growing cyber security threat.
Operations director Lorna Harling said: “Not a day seems to pass without cyber-crime being in the news headlines. We know that any business is at risk regardless of size, so we want to do everything possible to protect our clients and ourselves. Our work with clients is based on trust. We treat their businesses, and the data we process, as highly confidential. And we wanted to carry out a health check to ensure our own systems supported that, which is why we decided to apply to the scheme.”
Jigsaw CCS worked with Risk Evolves, a risk management and security company, and with Zenzero, its IT provider, to help prepare for the certification process. Harling found the whole process quite straightforward. “It was easy for us as Zenzero had already helped us build a robust infrastructure and we already had good technical controls in place, so we didn’t need to spend any money on improving this,” she said.
The only cost for Jigsaw CCS was for the certification itself, which Harling thinks was an investment worth making. “The cost of accreditation is outweighed by the added peace of mind and assurance we can offer our clients that their data is safe with us. The whole process from start to finish took less than a month and the scheme has been designed to be relevant, achievable and affordable to even the smallest company.”
She added: “We are now one of approximately 3,000 companies with this certification, which allows us to differentiate ourselves in the market.”
Data Interchange, a provider of electronic data interchange (EDI) and eBusiness integration solutions, is another company to have recently achieved Cyber Essentials certification. John Knights, operations director at the company, said that growing public awareness of the scheme encouraged them to become certified.
“We have always had a strong focus on IT security, as we specialise in secure file transfer and integration solutions, and have previously targeted industry-specific and international standards for certification, like ISO27001. We are starting to see more customers looking for Cyber Essentials from their suppliers, so this seemed like a good time to gain certification,” he said.
Since the company was already on top of its security, Knights found the certification process straightforward.
“The whole process only took a few hours of our time, since we were already following the recommended practices. Certification via a third party auditor was under £500. Depending on the gaps found, this could obviously cost more, but it is better to highlight and understand the potential risks and mitigation than to assume that everything is OK,” he said.