Launched by the National Cyber Security Centre (NCSC) and backed by the UK Government, Cyber Essentials is a cyber security framework designed to give UK businesses a baseline level of defence against external cyber threats. At its most basic, Cyber Essentials is a checklist of basic technological and procedural security controls. If you can prove that you can tick enough of the boxes, your business can become certified. So what does being ‘certified’ against the Cyber Essentials standards actually mean?
Cyber security is an ongoing battle to protect your business, your assets and your customers from all manner of ever-evolving cyber threats. Aside from being a stamp or a check in the box to show your business has attained some level of security, being Cyber Essentials certified allows your business to ‘qualify’ for working on government contracts, and perhaps enjoy lower cyber insurance premiums. But beyond this, achieving Cyber Essentials certification shows that your business has spent time and effort considering the cyber threats it could be vulnerable to, and has taken steps to mitigate the identified risks. Cyber Essentials, then, goes beyond a mere checklist. Securing your business is not about ticking boxes; it’s about understanding common threats and how you can protect against them. Cyber Essentials can help you do this.
A large factor in cyber security is the technology. Cyber Essentials can suggest what you need, but not necessarily what to do with it, how to deploy it and where. More importantly, it cannot, without interpretation, tell you how the technology will fit in with your business, let alone how it can help define your business, in terms of processes and in terms of your employees and how they go about their work.
So how can you be more certain you’re covered? By learning about the fundamentals of cyber security, applying your knowledge to your business against the Cyber Essentials framework, and then gaining the certification to validate your practices. You might see some consultancies offering ‘24-hour’ certification for Cyber Essentials, but with this your business will only learn how to pass a test. If you were learning to drive, is this the route you’d choose to get your licence? Your instructor (who is also your examiner, by the way) might get you through your test. When it’s just you alone in the car on the motorway surrounded by potential threats, however, how confident will you be in your ability to navigate through safely?
Cyber Essentials is aimed at helping your business adopt good, sound cyber security practices to help defend against external threats. Being certified may mean that you have indeed better protected your business, but what if the worst happens, and your business suffers a breach? The main focus of Cyber Essentials is prevention and mitigation, but if you’ve already been hit then pointing to your certificate isn’t going to be much help. How you respond to security incidents is just as important as how you try to prevent them, and this is something that Cyber Essentials doesn’t cover. In most cases of a security breach, the time it takes your business to recover is critical. The proper training can help you recover faster, restoring not only your business systems and your ability to trade, but also your clients’ confidence in your business.
Cyber Essentials affects not only your business directly, but also the companies your business relies on. If you are evaluating businesses in your supply chain, you want to know that they too have solid cyber security practices in place to protect your business and your interests. One may be certified and one may not be, but does this necessarily mean that one is going to take better care of your data than the other? The certification alone won’t necessarily tell you that, but knowing the right questions to ask of those companies can help you decide for yourself who to trust your business with.
So, as you can imagine, how your business approaches Cyber Essentials, and the partners you choose to help you become Cyber Essentials certified, are key in determining the value the programme will bring. Here are some things to look out for:
- Who is carrying out the assessment? With many ‘quick win’ certification offerings, the consultants that come in to advise your business on cyber security practices are the same consultants that will assess you for certification. Can you really be confident if the assessors are marking their own work?
- Are you being told what your business needs to do in order to certify, or are you actually being educated in the technologies and controls the NCSC included in the framework, and how they amount to effective cyber security for your business?
- What do you want to get out of Cyber Essentials: a piece of paper to point to, or a fundamental knowledge of how best to protect your business today and as your business grows?
Engaging a partner to help your business understand the cyber security threats it faces and how to tackle them far outweighs being instructed on which boxes to tick to get a certificate. The right training can equip your business with the tools it needs to navigate the cyber threat landscape with less risk. Gaining Cyber Essentials certification should be the validation of those measures, not a measure in and of itself.
Your business and your customers deserve more than having a piece of paper to point to.