Why shrewd companies are getting tested and certified for Cyber Essentials
It’s tempting to dismiss the UK Government’s new Cyber Essentials scheme as not worth investigating if you’re an established organisation with good IT systems already in place. But our experience as an IASME Certification Body has taught us that this isn’t always the case.
Grant McGregor works as both an assessing and certifying body for the Cyber Essentials and Cyber Essentials Plus certification schemes. We’ve guided new and existing clients through the process – or simply checked and certified organisations’ own self-assessments.
Our experience in doing this has thrown up some surprising results.
Organisations who thought they were just going through the motions have come away with some important actions and takeaways from the process.
Why Go for Cyber Essentials Certification?
There are good reasons for every small or medium-sized business to go for Cyber Essentials certification: to build trust and credibility in the eyes of their clients, and to demonstrate their commitment to good IT security and data protection practices.
Demonstrating good IT security practice has become more important since GDPR.
While many organisations start down the path of Cyber Essentials with these motivations, increasing numbers are realising that Cyber Essentials isn’t the same as Cyber Already-doing-it.
Cyber Essentials Are Essentials
Cyber Essentials is a baseline security standard – but it has been designed to protect organisations from the majority of security threats.
This is important because the Government’s own statistics show that 46 percent of all businesses identified at least one security attack or breach last year.
In fact, the true figure is probably much higher, since many attacks – and even breaches – go unidentified.
The Cyber Essentials scheme focuses on five main areas in order to protect against common threats. These are:
• Boundary firewalls and Internet gateways
• Secure configuration
• User access control
• Malware protection
• Patch management
Most organisations feel they already have these measures in place. Yet our work has uncovered that in many cases the management processes around them – and, sometimes, the protection measures themselves – are inadequate.
How to Approach Cyber Essentials
The key areas where we are uncovering vulnerabilities include:
• Lack of clear patching policies
• Poor implementation of patching policies
• Lack of a comprehensive asset register – so some legacy software isn’t visible to IT and, consequently, isn’t secured
• Poor practices around user management and off-boarding departed staff
• Poor knowledge and management of mobile devices
• Lack of mobile device management (MDM) processes for data on the go
• Important protections missing
While these are basic elements of any IT security policy, Cyber Essentials gives organisations both the incentive and the breathing space to carry out a comprehensive assessment of them.
And, in our experience – whether because of time constraints or other daily pressures – that breathing space is, in many cases, much needed.
We therefore recommend Cyber Essentials to businesses of all kinds – no matter how well-established your IT security policies are already.
Cyber Essentials is already appearing as a pre-qualifying requirement in tenders, and is cascading down many supply chains from the corporate and Government sectors.
So, why not find out how ready you are to certify before it becomes an emergency must-have?
Grant McGregor can adapt our approach to guide organisations of any size and complexity through the Cyber Essentials process, with as much (or as little) assistance as is required. What’s more, with our help throughout the process, you know you have the right support to address any issues as they arise.
Contact our team for more information on 0131 603 7912 or find out more here.