What is Cyber Essentials?
Cyber security seems to be in the news every day now, doesn’t it?
Cyber Essentials (CE) is a government-backed Security Standard to help organisations protect themselves against common cyber attacks.
It’s backed by industry including the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses.
Cyber Essentials defines a clear set of controls which, when properly implemented, give organisations essential protection against the most prevalent forms of cyber threat coming from the Internet.
In particular, it focuses on attacks that require little attacker skill and rely on tools and techniques that are freely available online. Those are exactly the threats faced by most SMEs and other organisations.
And why do I need it?
Put simply, the Cyber Essentials certification allows you to advertise that you meet a Government-endorsed IT Security standard. Furthermore, it demonstrates to your customers, stakeholders and supply chain that you take IT security (and the protection of information you hold on them) seriously.
The 2017 Cyber Security Breaches Survey gives a few figures that show why this matters today. The most important one bears repeating:
According to the UK Government, 80% of cyber attacks could be prevented if businesses put simple cyber security controls in place!
Yet 39% of SMBs still think they’re too small or off the radar of cyber attackers and cyber criminals.
Cyber Essentials is already mandatory for suppliers of Government contracts (and increasingly for their supply chains too!) which involve handling personal information or providing certain ICT products and services. However, it is also a sensible certification to obtain if you want to be sure that you have the essential elements of IT security in place for your organisation, and to show your customers, suppliers and other stakeholders that you take it seriously.
Why should you become Cyber Essentials Certified?
Threats Requiring Mitigation
By implementing Cyber Essentials, organisations mitigate the following common types of cyber attack:
1. Phishing: malware infection through users clicking on malicious e-mail attachments or website links.
2. Hacking: exploitation of known vulnerabilities in Internet-connected servers and devices using widely available tools and techniques.
What’s required for Cyber Essentials?
To mitigate the threats identified above, Cyber Essentials requires implementation of the following controls for basic technical cyber protection:
- Boundary firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Patch management
At the very least, you need an effective patch management process for your software so that security updates are pushed out swiftly; patching closes the known vulnerabilities that the widely available attack tools rely on. This should be combined with layered defences around your data, properly configured firewalls and the other CE controls, which limit the damage from malware and from threats that a patch cannot yet address (so-called zero-day vulnerabilities).
There are other aspects outside the scope of CE that are key to cyber security, such as a reliable backup regime with fast recovery that is tested regularly. Finally, train your computer users regularly to be wary of unexpected or suspicious emails, links and attachments!
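The patch management control above can be checked rather than asserted. As an added example (not code from the original page, nor part of Grant McGregor’s service), the script below walks an asset inventory and reports every critical- or high-rated vendor update that was not applied within 14 days of its release, which is the window the Cyber Essentials requirements set for such updates. The inventory format, host names, software and dates are all assumptions constructed for the illustration; the window is a parameter so the same check can be run against a stricter internal target.

```python
"""Patch-window check over a constructed asset inventory.

Added example, not part of the original page. The inventory layout,
host names and dates below are constructed for illustration; a real
run would load them from your patch management or RMM tooling.
"""
from datetime import date, timedelta

# Cyber Essentials requires vendor updates rated critical or high to be
# applied within 14 days of release. Kept as a parameter so a stricter
# internal target can be checked with the same code.
PATCH_WINDOW_DAYS = 14

# Constructed: the date on which the check is being run.
ASSESSMENT_DATE = date(2017, 4, 3)

# Constructed sample inventory: one record per host/software pair.
#   severity      - the vendor's rating of the fix
#   fix_released  - the date the vendor published the security update
#   installed     - the date it was applied on this host (None = not yet)
INVENTORY = [
    {"host": "fs01", "software": "Windows Server 2016", "severity": "critical",
     "fix_released": date(2017, 3, 14), "installed": date(2017, 3, 20)},
    {"host": "pc-reception", "software": "Adobe Reader", "severity": "high",
     "fix_released": date(2017, 3, 1), "installed": None},
    {"host": "pc-sales", "software": "Microsoft Office", "severity": "critical",
     "fix_released": date(2017, 2, 7), "installed": date(2017, 3, 1)},
    {"host": "pc-accounts", "software": "Java 8", "severity": "medium",
     "fix_released": date(2017, 2, 1), "installed": None},
    {"host": "www01", "software": "nginx", "severity": "high",
     "fix_released": date(2017, 3, 28), "installed": None},
]

IN_SCOPE_SEVERITIES = ("critical", "high")
FAILING_STATES = ("late", "overdue")


def patch_status(record, today, window_days=PATCH_WINDOW_DAYS):
    """Classify one inventory record against the patch window.

    Returns one of:
      out_of_scope - severity below the level the control applies to
      ok           - applied on or before the deadline
      late         - applied, but after the deadline (process failure)
      pending      - not yet applied, deadline not yet reached
      overdue      - not applied and the deadline has passed
    """
    if record["severity"] not in IN_SCOPE_SEVERITIES:
        return "out_of_scope"
    deadline = record["fix_released"] + timedelta(days=window_days)
    if record["installed"] is not None:
        return "ok" if record["installed"] <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def status_report(inventory=INVENTORY, today=ASSESSMENT_DATE,
                  window_days=PATCH_WINDOW_DAYS):
    """Map (host, software) to its patch status."""
    return {(r["host"], r["software"]): patch_status(r, today, window_days)
            for r in inventory}


def failing_hosts(inventory=INVENTORY, today=ASSESSMENT_DATE,
                  window_days=PATCH_WINDOW_DAYS):
    """Sorted, de-duplicated hosts with at least one late or overdue fix."""
    return sorted({r["host"] for r in inventory
                   if patch_status(r, today, window_days) in FAILING_STATES})


if __name__ == "__main__":
    for (host, software), status in sorted(status_report().items()):
        print(f"{host:14} {software:22} {status}")
    print("hosts failing the control:", ", ".join(failing_hosts()) or "none")
```

A host shows up as failing whether the fix is still missing after the deadline or was eventually applied late: the first is what an external scan would find, the second is the evidence that the process itself is not keeping up.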
Need some help to achieve your Cyber Essentials Certification?
The Cyber Essentials certification process includes a self-assessment questionnaire (SAQ) and an external vulnerability scan to check that there are no known vulnerabilities present on your network.
Grant McGregor’s Guided CE Services walk you through the whole certification process to virtually guarantee you a first-time Cyber Essentials pass. As a multi-award-winning Managed Security Services Provider, we bring a wealth of proven security expertise: we recommend best practices, review the most common areas of risk and provide you with a tailored Security Action Plan.
What’s involved and what’s the cost?
Based in Edinburgh in the Central Belt of Scotland, Grant McGregor offers a range of Cyber Essentials services to enable you to become certified. We can simply process your do-it-yourself questionnaire, or we can walk you through the whole process to virtually guarantee you a pass. We provide Cyber Essentials certification not only in Scotland but anywhere in the UK.
Cyber Essentials fees start from as little as £295+VAT but it’s best to talk to our Cyber team first to ensure the right fit of service for your needs and shape of organisation.
Some more background to why we do this…
In 2016, Grant McGregor set out to be in a position to help our service customers and other client businesses that want to work towards and attain the following standards:
- The Cyber Essentials and Cyber Essentials Plus Schemes
- IASME and IASME Gold
- The General Data Protection Regulation (GDPR)
Grant McGregor is proud to have been accredited as an IASME Gold Accredited Cyber Essentials Assessing & Certifying Body. We can now certify your organisation against these standards at both the self-assessment and the audited levels of Cyber Essentials and IASME. The new General Data Protection Regulation (GDPR) also comes into force in May 2018. When the GDPR takes effect it will replace the existing Data Protection Directive and make information security an essential element of business risk management.
Want to find out more about how you can become certified?
Or how we can help you to achieve that certification and more?
Give our Cyber Essentials team a call on 0808 164 4142