In the wake of increased cyber-attacks on UK organisations, businesses, small and large, are looking for ways to increase their cybersecurity and online resilience. Sadly, an antivirus software upgrade alone will not be the quick fix many businesses hope for. A lot of analysis and implementation needs to go into ensuring networks are protected as well as they can be.
Cyber Essentials (CE), a UK government-backed scheme run by the National Cyber Security Centre, was launched in 2014. It is designed to help businesses guard themselves against the most common cyber threats, which are routinely carried out by relatively unskilled individuals. Businesses gain certification once they achieve certain thresholds that determine good online security.
Demonstrating your organisation’s commitment to cybersecurity sounds great, but why should you get it, how long does it take, and is it worth it? Read on to find out more.
Why do I need Cyber Essentials certification?
There are two levels of certification available, Cyber Essentials and Cyber Essentials Plus. Both offer businesses a framework to help assess and reduce their risk against common cyber-attacks. However, the basic level (CE) is a questionnaire relating to your business’s security processes, policies and controls, but it is not verified by The Assurance for Small and Medium Enterprise Consortium (IASME), the certification body for the UK.
The Cyber Essentials Plus assessment requires an audit of the business infrastructure to determine if the standard is reached for certification.
Both levels of certification show your customers that you value their data and protect it with high security levels, which also offers reassurance to potential new business.
If you are an organisation looking to work with the government, many government contracts require Cyber Essentials certification, so ensuring you have achieved this beforehand will stand you in good stead.
How long does Cyber Essentials certification take?
The Assurance for Small and Medium Enterprise Consortium (IASME) is the only partner that handles the process of certification for organisations across the UK.
Both assessments ensure organisations use five fundamental technical controls laid out in the framework.
These are: Firewalls, Secure Configurations, User Access, Malware Protection, and Patch Management.
When each control is correctly implemented, the risk of cyber threats is reduced by up to 80%.
Once organisations are happy that their security is under control and are ready to submit their assessment, or to be audited for the ‘Plus’ certification, IASME works hard to ensure a quick turnaround, usually around 1–3 days.
Once certification is processed, it will be valid for 12 months.
Is Cyber Essentials worth it?
Cyber Essentials certification is a recognised industry standard that offers peace of mind to those you do business with. It proves that you take your security seriously and protect your data from hackers.
Gaining certification doesn’t in itself mean your business is secure; it is the implementation of what Cyber Essentials requires that will heighten security levels.
We believe that, as long as organisations use the certification as more than a tick-box exercise and as a way to drive improvement in their online security, the process is definitely worth it.
The cost of Cyber Essentials starts from £300+VAT for a micro-organisation, up to £500+VAT for large organisations of 250+ employees. The cost of Cyber Essentials Plus depends on the complexity and size of the organisation’s network.
If you’re interested, the National Cyber Security Centre and IASME have put together a Cyber Essentials Readiness Toolkit, so organisations can see where their security is currently and the changes that need to be made to become certified. Even if you don’t want to go through the certification process, the toolkit is a really great way to check the security procedures your organisation already has in place.