Cyberattacks are a regular feature on the news these days. The threat is ever present. Today, we’re looking at how Cyber Essentials can help protect you from cyberattacks.
What is Cyber Essentials?
Cyber Essentials is a UK Government-backed scheme to help public, private and charity sector organisations protect themselves from cybercrime. It provides a set of five technical controls that all organisations should follow.
It’s designed for organisations of all sectors and sizes. If you can prove you’re following best practice on those five controls, you can get Cyber Essentials accreditation. There’s also a more advanced accreditation called Cyber Essentials Plus, which is achieved through an audit of your Cyber Essentials self-certification.
Why Cyber Essentials matters
Cybercrime is a constant threat for all organisations of all sectors and sizes. That may seem like a grand, sweeping statement, but the numbers confirm it.
Research from Statista suggests that the threat is growing worldwide. In 2022, the global cost in US dollars was $8.44 trillion. By 2028, they expect it to rise to $23.82 trillion. The UK and Ireland are far from immune.
As far back as 2016, the Government commissioned a report that estimated the annual cost of cybercrime in the UK at £27 billion. £21 billion of that cost fell on businesses. Over 80% of UK organisations experienced some form of attack in 2021/22.
Behind all these statistics are human stories. Reputations suffer, customers lose trust and costs stack up. People go out of business due to the fall-out. And while attacks vary in sophistication, the vast majority can be prevented by quite simple measures – like the five Cyber Essentials controls. That’s why the scheme matters. It gives you the best practice guidelines to protect yourself from most attacks, and the certificate to prove it.
What are the five Cyber Essentials controls?
Here’s a quick overview of the five basic steps to Cyber Essentials accreditation.
1. Firewalls
Step one is firewalls. This is about protecting your network and devices from malicious internet traffic, by ensuring that only secure websites and services are accessible.
2. Secure configuration
This is specifically about denying malicious actors a way into your devices and network. Steps here include password management and removing unnecessary software that could be exploited.
3. User access control
In essence, this is about controlling who has access to what systems, software, and devices. To meet the Cyber Essentials standard, you’ll need to limit each user’s access according to what’s necessary for their role.
4. Malware protection
Malware is any software designed to cause harm. You will need protections on every device within the scope of the assessment.
5. Security update management
Also known as patch management, this is about ensuring that software and operating systems are up to date. Software can often contain vulnerabilities. Once the developers identify these, they will release new versions (patches) to close those vulnerabilities. Routine patch management is about protecting yourself from known vulnerabilities.
There are lots of steps and checks with each of these controls. You can find out more about them here.
Is Cyber Essentials worth the investment?
The short answer: yes. The certification is designed to be achievable and affordable for any size of organisation, and becoming a victim of a successful attack would cost much more than becoming certified. Certification also comes with the option of £25,000 of free cyber insurance, subject to status.
Of course, like any cost, it must be justified. It’s also worth remembering that as well as the cost of the assessment, you will also need to put resources into preparing your business to pass the assessment.
However, in this case it’s hard to think of a reason not to go for it. First, there are the benefits of membership itself. For one, just by following the steps you need to get certified, you will be much less likely to suffer a successful attack. Second, it will reassure customers, partners, and any potential stakeholders in your business that you are protected from attack.
Ultimately, Cyber Essentials-certified organisations are less likely to be successfully attacked.
What’s the best way to get Cyber Essentials certification?
You can do this directly through a body called IASME, which issues the certification. However, we wouldn’t recommend jumping straight in, especially if you lack in-house cybersecurity specialists.
There are lots of steps you will need to take before being assessed. Unless you have a dedicated IT team with the skills and resources to manage the process, we would strongly advise that you seek outside support from a managed service provider or IT consultancy.
There are also excellent services to help you gain certification fast. CyberSmart, one of our Brigantia vendors, offers this as a managed service. There is simply no easier way of attaining Cyber Essentials, and we’d highly recommend it. CyberSmart also have tools to give you the ability to always remain compliant, something that would traditionally take significant extra time and resource but means your risk of attack is kept lower by identifying any changes that could cause a drift from compliance that could otherwise be missed.
Final thoughts
Not only is cybersecurity a growing concern – it’s also something that more businesses are wary of. Many businesses and public sector organisations simply won’t work with businesses unless they have Cyber Essentials accreditation. It’s no wonder. A breach at your business has the potential to affect not just you, but your customers, partners, and anyone else you hold information on.
For these reasons, no business can afford to be complacent. Cyber Essentials is a vital step, both in protecting your business and demonstrating to partners that you are safe to do business with.
