Cybercrime is everywhere, but how, as a business, can you begin to protect your data online? We recommend Cyber Essentials certification for every business.
This blog covers what Cyber Essentials is, its levels of certification, what it costs and what it gives you.
So what is it?
Cyber Essentials is a UK government-backed scheme launched in 2014 and now overseen by the National Cyber Security Centre (NCSC). It is a simple, effective baseline that helps protect businesses from the most common cyber-attacks. It is open to organisations of all sizes and beneficial to all of them.
Levels of Certification
Cyber Essentials has two levels of certification.
Cyber Essentials – a self-assessment questionnaire that you complete and submit to a Cyber Essentials assessor, who reviews the answers. Some regard this as less reliable because it is purely self-assessed: nobody checks that the answers match reality.
Cyber Essentials Plus – the same self-assessment questionnaire, followed by a hands-on technical audit in which an assessor from a certification body tests a sample of your devices and your internet-facing systems to confirm the answers given were correct. This is seen as the more reliable certification because an external assessor verifies it. Note that the Plus audit has to be completed within three months of passing the basic self-assessment.
The basic Cyber Essentials certification costs around £350 per year. Small businesses that lack in-house IT knowledge may need help from an IT service company to complete the self-assessment, so additional fees can stack on top of the standard price.
Cyber Essentials Plus still requires the £350 self-assessment, but the independent assessor's audit costs £1,200 or more depending on the location and size of the business.
If any of the controls are missing or insufficient and you fail the assessment, money will need to be spent fixing them before you can be re-assessed, adding further cost on top of these prices.
What are the tests?
The assessment covers five technical controls:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Patch management
Firewalls and internet gateways
This section looks at the firewalls that protect your network. They need to be robust, correctly set up and configured, so that they provide adequate protection for the network behind them. Home routers used by staff working from home used to be in scope, but since the January 2022 update of the scheme an ISP-supplied home router is no longer part of the assessment; instead, the software firewall on each device used at home is treated as the boundary.
Each business computer will therefore be checked to make sure a software firewall is installed, enabled and working correctly.
Secure configuration
A newly installed PC is rarely secure by default, and it often comes with software you never asked for. If that software is not removed or maintained, it becomes a security risk for the business. The same applies to products you no longer use: either remove the software or keep it fully supported and updated, otherwise it is a security risk.
The quality of the passwords used to access any computer system is also checked, and the assessor will confirm that default passwords have been changed and that each account has its own unique password rather than one shared or reused across systems.
Patching and updates
The software on your computers will be checked; running an old, unsupported version fails the assessment, because software needs to be kept as up to date as possible. Servers and computers must have the current security patches installed, and security updates (at minimum those rated high or critical by the vendor) must be applied within 14 days of release.
Personal mobiles must also be checked to make sure the latest version of the operating system and apps is installed if any work email or work data is on them, because a personal phone holding company data is in scope.
User access control
User accounts on computers can have different levels of access. A standard account cannot install software or change system settings; an admin account can do both. If an admin account is compromised, the attacker gets that same full access, so far more damage can be done. Everyone in the business should use a standard account for day-to-day tasks, and admin access should be restricted to IT personnel or to specific admin tasks, using a separate account where possible.
New starter and leaver processes are also checked here. It has been known for former employees to still have access to an old account that was never deactivated weeks, months and sometimes even years after leaving. This is a security risk: accounts should be disabled the day someone leaves.
Malware protection
Attackers use malware to steal or damage company data, so every device in the organisation needs robust anti-malware protection that has been installed and set up correctly. Make sure anti-virus software is installed on each device, that its licence is in date and that it is receiving updates; an expired licence means no protection against new malware threats.
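To show what checking the five controls above actually involves, here is an added example: a pre-assessment self-check that runs the post's rules (host firewall on, no unsupported software, security updates applied within 14 days of release, no admin rights outside IT, no enabled leaver accounts, unique passwords, in-date anti-malware licence) over a constructed device inventory. It is not code from the original post or from the Cyber Essentials scheme; the inventory, the role names ("it", "staff", "leaver") and the assessment date are all assumptions made for the example. In practice you would populate the inventory from your MDM, patch-management or directory tooling rather than by hand.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Cyber Essentials: security updates must be applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)


@dataclass
class Software:
    name: str
    supported: bool            # vendor still ships security updates for it
    latest_patch: date | None  # release date of newest security update (None = none known)
    patched_on: date | None    # date it was installed (None = still missing)


@dataclass
class Account:
    username: str
    role: str                  # assumed HR status: "it", "staff" or "leaver"
    admin: bool
    enabled: bool
    password_unique: bool      # not a default and not reused on another system


@dataclass
class Device:
    hostname: str
    firewall_on: bool          # host software firewall enabled (the boundary for home workers)
    av_installed: bool
    av_licence_expires: date | None
    software: list[Software] = field(default_factory=list)
    accounts: list[Account] = field(default_factory=list)


def check_device(dev: Device, today: date) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one device.
    FAIL = would fail the control as described; WARN = patch still inside the 14-day window."""
    findings: list[tuple[str, str]] = []
    if not dev.firewall_on:
        findings.append(("FAIL", "software firewall disabled"))
    if not dev.av_installed:
        findings.append(("FAIL", "no anti-malware product installed"))
    elif dev.av_licence_expires is not None and dev.av_licence_expires < today:
        findings.append(("FAIL", f"anti-malware licence expired {dev.av_licence_expires}"))
    for sw in dev.software:
        if not sw.supported:
            findings.append(("FAIL", f"{sw.name}: unsupported, remove or replace"))
        elif sw.latest_patch is not None and sw.patched_on is None:
            # The clock runs from the vendor's release date, not from when you noticed.
            deadline = sw.latest_patch + PATCH_WINDOW
            if today > deadline:
                findings.append(("FAIL", f"{sw.name}: update from {sw.latest_patch} overdue since {deadline}"))
            else:
                findings.append(("WARN", f"{sw.name}: update pending, must be applied by {deadline}"))
    for acc in dev.accounts:
        if not acc.enabled:
            continue  # a disabled account is the correct state for a leaver
        if acc.role == "leaver":
            findings.append(("FAIL", f"{acc.username}: leaver account still enabled"))
        if acc.admin and acc.role != "it":
            findings.append(("FAIL", f"{acc.username}: admin rights on a non-IT account"))
        if not acc.password_unique:
            findings.append(("FAIL", f"{acc.username}: password is a default or reused"))
    return findings


def audit_estate(devices: list[Device], today: date) -> dict[str, list[tuple[str, str]]]:
    return {d.hostname: check_device(d, today) for d in devices}


def estate_passes(report: dict[str, list[tuple[str, str]]]) -> bool:
    return not any(sev == "FAIL" for findings in report.values() for sev, _ in findings)


# Constructed sample inventory and assessment date (assumptions for this example).
ASSESSMENT_DATE = date(2022, 3, 1)
SAMPLE_ESTATE = [
    Device("LAPTOP-01", firewall_on=True, av_installed=True, av_licence_expires=date(2022, 12, 31),
           software=[Software("Windows 10", True, date(2022, 2, 8), date(2022, 2, 10)),
                     Software("Office", True, date(2022, 2, 8), None),       # 21 days unpatched
                     Software("LegacyApp", False, None, None)],            # end-of-life
           accounts=[Account("alice", "staff", admin=False, enabled=True, password_unique=True),
                     Account("bob", "staff", admin=True, enabled=True, password_unique=True),
                     Account("carol", "leaver", admin=False, enabled=True, password_unique=True)]),
    Device("LAPTOP-02", firewall_on=False, av_installed=True, av_licence_expires=date(2022, 1, 31),
           software=[Software("Browser", True, date(2022, 2, 22), None)],  # 7 days, still in window
           accounts=[Account("dave", "it", admin=True, enabled=True, password_unique=True)]),
]

if __name__ == "__main__":
    report = audit_estate(SAMPLE_ESTATE, ASSESSMENT_DATE)
    for host, findings in report.items():
        for sev, msg in findings:
            print(f"{sev:4} {host}: {msg}")
    print("estate would PASS" if estate_passes(report) else "estate would FAIL")
```

The distinction between FAIL and WARN matters: an update released ten days ago that is not yet installed is not a failure today, but it will be in four days, so the report tells you the deadline rather than silently passing. Disabled leaver accounts are deliberately skipped, because disabling (not deleting) the account is the correct end state.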
So what are the benefits of having Cyber Essentials certification?
Reassure your customers
Having this certification shows customers that your business takes cyber security seriously. It gives customers and potential customers confidence that any data they share with you is protected by at least a recognised baseline of controls.
Pursue new business opportunities
If your business wants to work with central government, local councils or other public-sector organisations, Cyber Essentials certification is frequently a contractual requirement, and some contracts specify Cyber Essentials Plus.
Cyber Security as a business agenda
Cyber security is not just an IT issue; it is a business issue. Everyone in your business should be educated about, and kept up to date on, cyber security and current threats.
Peace of mind
On top of these benefits for your business, you also get the personal benefit of having peace of mind that your business and data are much less likely to fall victim to a cyber-attack.
Because IT is now an essential part of every business, independent verification of its security matters. As more of business moves online every day, IT and cyber security are increasingly becoming separate functions with their own skills and responsibilities.
What it Doesn’t cover
Cyber Essentials only covers the bare minimum you should have in place for your cyber security. It does not give immunity from cyber-attacks, nor does passing mean your security is fool-proof.
Many important controls are outside its scope and should still be put in place. The scheme itself was updated by the government in January 2022; a separate blog post and YouTube video cover those changes.