Cyber Essentials is a government scheme aimed at strengthening IT security in companies of all sizes. It is the first scheme of its kind, allowing organisations to become certified and thereby demonstrate to customers and business partners that cyber security is taken seriously.
In 2010 the Coalition Government formed the National Security Council which soon after published the first National Security Strategy. Four Tier One risks were identified as the highest priority for UK national security: International terrorism; hostile attacks upon UK cyber space; major accident or natural hazard; and international military crisis.
In the past, cyber attacks have mainly targeted large or high-profile organisations, which in turn have responded by developing systems and staff to protect themselves. Attention is now turning towards smaller companies, whose less mature processes and limited access to security skills make them far easier prey.
Business owners and senior management often discount the threat, telling themselves "It'll never happen to us." Sometimes they simply fail to understand who would be motivated to do such a thing. However, with malicious tools more readily available than ever before and very little specialist knowledge required to use them, the unfortunate truth is that it may happen for no other reason than that you were an easy target.
In 2015 74% of small and medium-sized businesses had a security breach (up from 60% in 2014) and the average cost of the worst breach of the year ranged from £75k - £311k. Many small businesses never recover from a breach and cease trading within 6 months.
This is what Cyber Essentials is about: a manageable, cost-effective framework which demonstrates the presence of essential controls and can be assessed in a matter of days rather than weeks or months. [Source of statistics: Information security breaches survey 2015]
Her Majesty's Government (HMG) is ultimately in charge of the scheme. HMG appoints Accreditation Bodies who must develop and own a certification process. At this time, there are four Accreditation Bodies: IASME (Information Assurance for Small and Medium-sized Enterprises); CREST; QG Management Standards; and APMG. The Accreditation Bodies appoint Certification Bodies to work with organisations to assess and certify them against the Cyber Essentials requirements.
Organisations wishing to pursue a Cyber Essentials certification can choose to engage with any Certification Body and therefore, by association, any Accreditation Body. The CyberEssentials.guide website is owned and maintained by Defigo Information Security Limited, which is a Certification Body under IASME.
Any exercise in reviewing the cyber risks your organisation may face is worthwhile. Using a prescriptive framework such as Cyber Essentials as the basis for that review has the benefit that the controls are well understood, and a consistent baseline of defence is achieved in a cost-effective manner.
As of 1 October 2014, certification against Cyber Essentials is a mandatory requirement for anyone in the supply chain of central government contracts which involve handling personal information or providing certain IT and communications products and services. The procurement policy note with more information can be found here.
Government and industry alike are hopeful that the take-up of Cyber Essentials extends far beyond those who are required to have certification. Within the small and medium-sized enterprise (SME) space, there is little else in terms of widely supported certification.
Whilst determined and skilled attackers can break into any system, the investment required to set yourself apart and not be the 'low hanging fruit' favoured by the low-skilled opportunist is modest when weighed against the alternative. Analysis of attack data has shown that having the basic controls in place can prevent up to 80% of the most common attacks.
The Cyber Essentials scheme was recognised with the Editor's Choice Award at the 2015 SC Awards.
"Cyber Essentials receives the Editor's choice Award for actually putting a bar in place for the first time, potentially having a greater impact on improving information security in the UK than any other single initiative."
Basic Level / Self-assessed
The Cyber Essentials certificate offers a basic level of assurance at a low cost by minimising the level of involvement required by a Certification Body.
A self-assessment questionnaire must first be completed and approved by a senior executive. An independent Certification Body will then review the answers provided to determine whether the standard has been achieved and whether a certificate can be awarded.
Plus Level / Audited
The Cyber Essentials Plus certificate offers a higher level of assurance through greater involvement of a Certification Body.
The audited certificate combines self-assessment with independent vulnerability analysis. Typically, the process starts with the basic self-assessment questionnaire. However, in addition to assessing the answers provided, the Certification Body will also test the controls put in place to validate their effectiveness and robustness.
To ensure the review process is straightforward, people with knowledge of how the controls are implemented will be required to answer questions. This could be an IT Manager, or it may be a third party who manages your organisation's IT equipment.
Read the Cyber Essentials: Why Certify paper from Defigo to understand why all organisations could benefit.
Defigo specialises in working with small and medium-sized companies to identify and understand risks, enabling our clients to protect themselves against the ever-growing array of information security threats. As IASME is also focused on small and medium-sized companies, partnering with IASME was the perfect fit.
Defigo is both a Cyber Essentials and a Cyber Essentials Plus Certification Body, and is qualified to provide assistance to organisations and to assess them against both standards.
Defigo is also an assessor for the IASME Standard. Where Cyber Essentials is technically focused, the IASME Standard looks at the wider issue of organisational assurance for information security. Large organisations will often implement ISO27001 to address this, but the cost and effort required can be extensive. The IASME Standard is along the same lines, but developed especially for small and medium-sized organisations that want to demonstrate maturity in this area but for whom the ISO route is not right at this time.
Because the two standards complement each other well, Defigo can guide and assist organisations through both certifications in a single exercise if this is of interest; either can also be pursued in its own right. To find out more about Defigo Information Security Limited, please visit our website at defigo.co.uk.
Defigo helps businesses understand the information security risks they are exposed to.
Protect What Matters