Struggling For A New Year’s Resolution?
Gain Cyber Essentials
The Cyber Essentials scheme was launched by the National Centre for Cyber Security in 2014. In recognition of the growth in frequency and impact of cyber attacks, one of the scheme’s key aims is to make Britain a safe place to do business. After a slow start in terms of uptake, Cyber Essentials is quickly gaining in popularity as a way for firms to ensure that they have confidence in their security infrastructure. The 2018 annual review published by NCSC indicates that over 8900 Cyber Essentials certificates were issued in 2018. The legal sector in particular seems to be recognising the value in gaining the certification. The latest version of Lexcel now recommends that firms should get themselves certified. Any businesses that want to bid for government contracts must now hold a Cyber Essentials certificate, and the ICO has recommended Cyber Essentials as ‘a good starting point’ in addressing the security requirements of the Data Protection Act 2018.
Who can gain Cyber Essentials?
In short, any business of any size. The NCSC recognised that SMEs form a key part of the UK economy and are therefore as vulnerable as larger firms, if not more so, to cyber attacks caused by a lack of basic protections. The self-assessment version of Cyber Essentials was designed to be accessible to SMEs. It’s a low-cost way of identifying vulnerabilities in your IT infrastructure and also of demonstrating through certification that you have taken care of all of the basics that will prevent the vast majority of attacks.
Firms with a more established cyber security programme or greater resources may wish to gain Cyber Essentials Plus certification. This involves a site visit by an assessment body to verify your arrangements and also includes a vulnerability scan of your network. There is of course an additional cost to this, but the results could potentially save you from a much more expensive attack or data breach.
How to choose a certification body
There are many organisations that can issue your Cyber Essentials certificate, but you should check that they have been accredited by one of the 5 accreditation bodies. These organisations will have had to go through rigorous testing of the competence of their staff delivering Cyber Essentials services. This ensures the quality of the scheme is maintained.
Where possible, it’s best to choose a body that is an expert in your sector. Although security/IT generalists can provide good advice, it’s always advisable to work with a certification body that knows your industry, business model and sector-specific challenges and that can provide advice that will suit your particular needs.
It’s always a good idea to check that the certification body you use practises what it preaches. Certification bodies will be required to have Cyber Essentials themselves before they are accepted by one of the 5 accreditation bodies. Really, they should also have Cyber Essentials Plus and ISO27001 as a minimum. Your chosen certification body should be able to provide these certificates to you.