The Cyber Essentials Scheme has developed increasing importance to our clients over recent years. Cyber Essentials is often now seen as a key part of demonstrating both an awareness of cyber risks and a commitment to addressing them.
Many cyber security professionals derided the standard as simplistic when it was first launched. Rather than regarding Cyber Essentials as a complete answer though, it should be viewed as a solid cyber security foundation to be built on. It has become an expected standard through supply chains and is now widely recognised amongst stakeholders and the general public.
Why Cyber Essentials is Now Really Essential
The Information Commissioner’s Office (ICO) recommends Cyber Essentials as ‘A good starting point’ for the cyber security necessary to hold and process personal data. The ICO is responsible for policing GDPR in the UK, and with the widely publicised fines that can be levied in the event of a breach, it makes sense to take their recommendation seriously. In the event that a breach occurs and Cyber Essentials is not in place, the ICO would expect a compelling justification for its absence.
Cyber Essentials is being requested by customers as a pre-requisite for doing business. Not only is shortlisting during a tender process increasingly contingent upon a box being ticked that Cyber Essentials is in place, but it may also depend on whether your whole supply chain is accredited. Central government contracts now require Cyber Essentials Certification where they involve handling sensitive and personal information or the provision of certain products and services. We see this as an expanding trend.
Cyber Essentials Background
In 2012 the UK Government recognised that many organisations were ill-equipped to deal with increasing levels of cyber crime. In response, it launched the 10 Steps to Cyber Security guide to encourage organisations to consider the cyber security measures that were necessary for them.
The guide was positively received but many business leaders were still not addressing the implementation of necessary security controls.
The development of an organisational standard for cyber security was therefore seen as the next step. This became the Cyber Essentials scheme after extensive collaboration between industry and Government.
The Cyber Essentials scheme provides a robust standard that organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place to ensure that they are addressing cyber security effectively and mitigating the risk from Internet-based threats.
The key areas that the standard addresses are:
- Boundary Firewalls and Internet Gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
There are a number of different certifying bodies, and organisations receive clear guidance on implementation. They can cost-effectively certify themselves, and independent certification is also available for those who want or need it. Successful independent verification by a certifying body results in the award of Cyber Essentials Plus certification.
Whilst providing a basic but essential level of protection, the Cyber Essentials scheme enables organisations that believe they are practising robust cyber security to demonstrate this to their clients or stakeholders.
More information can be found at www.cyberessentials.ncsc.gov.uk
To understand how Cyber Essentials may be necessary for your business and how it can be achieved in mid-tier and enterprise organisations across a broad range of industries, please call us on +44 (0)1223 834 333.