Cyber Security

An Introduction to Cyber Security Essentials

In April 2018 the UK government issued the latest survey of cyber security breaches; over four in ten businesses (43%) experienced a cyber security breach or attack in the last 12 months. 

In today’s business environment, with the ever-increasing reliance on digital technology and the emergence of new technologies and associated regulations, cyber security is now at the top of everyone's agenda.

Three-quarters of businesses (74%) say that cyber security is a high priority for their organisation’s senior management, whilst under three in ten businesses (27%) have a formal cyber security policy or policies.


Introduction

With the continued revelations in the media regarding lack of protection of data, and the negative impact this can have both on brand and financially, FAC, as a member-based group, is very aware of its responsibilities to demonstrate best practice. We are setting out a programme to focus on inter- and intra-company data security in the coming year. FAC believes that, at a foundational level, the government-supported Cyber Essentials Scheme will help you guard against the most common cyber threats and demonstrate your commitment to cyber security.

FAC and its partners can help. We can guide you through the essentials of cyber security, including the final certification process.
We have spoken to a FAC member and Cyber Essentials Certification Body, Authentic Associates Ltd, about how our members can take advantage of the Cyber Essentials Scheme. 

The Scheme

The Cyber Essentials scheme comprises two levels:

Cyber Essentials Certification
  • A self-assessment of your compliance with the requirements of Cyber Essentials. This is assessed remotely, and certification is provided for 12 months.
  • This is appropriate for any company, from a sole trader to a multi-national business; it is also sensible protection for your home environment.
  • The cost for certification is £300 (this is a standard cost for all certification bodies). With some Certification Bodies this will include free cyber insurance.
  • The internal cost depends on your current approach to your security; implementation of good IT practice and the level of understanding of leadership and staff will reduce what you need to do. You can use your existing IT support or ask your certification body for support.

Cyber Essentials Plus Certification

  • You must have a Cyber Essentials certification before gaining Cyber Essentials Plus.
  • Your systems are tested for vulnerabilities to check the effectiveness of your self-assessment. This is performed by the Certification Body and, if successful, certification is achieved.
  • The decision to verify the effectiveness of your CE certification could be due, for example, to customer contractual requirements, a wish to reduce business risk or a promotional opportunity. Whatever the reason, it will enhance your security further.
  • The cost is dependent on the size and complexity of your infrastructure. If you are working with a Certification Body that can certify you for both Cyber Essentials and Cyber Essentials Plus, they will be able to provide an estimate for you.

What is checked

The scheme covers the five key technical control themes:

  • Configuration - Are your devices and software secure?
  • Firewalls - Is your Internet connection secure?
  • Access - Is access to your data and services controlled?
  • Patching - How do you keep your devices and software up to date?
  • Malware - How do you protect against viruses and other malware?

How do you apply?

There are three steps to Cyber Essentials Certification:

  1. Select a Certification Body - If you know the Certification Body you want to use, you can work with them directly, or visit the Cyber Essentials page at the National Cyber Security Centre (NCSC) where you can select a certification body via the Accreditation bodies.
  2. Prepare for self-assessment - Verify that your IT is suitably secure and meets the standards set by Cyber Essentials - your Certification Body can help with this.
  3. Complete the questionnaire - Your Certification Body will provide this and verify your answers. Once you’ve passed, you will be awarded your Cyber Essentials certificate.

For Cyber Essentials Plus, if you know you will require it, let your Certification Body know at the start of your Cyber Essentials preparation as it will enable them to plan in advance and reduce the time to complete.

Benefits

By achieving Cyber Essentials certification, you will have:

  • Verified/improved your cyber security.
  • Re-assured customers that you take cyber security seriously.
  • Become listed on the NCSC directory of organisations awarded Cyber Essentials.
  • The potential to attract new business with the promise you have cyber security measures in place.
  • Become eligible to quote for work which requires businesses to be Cyber Essentials Certified.

Background

In the 2010 Strategic Defence and Security Review (SDSR) the UK Government considered attacks on UK cyber space a risk of the highest priority for UK national security.

The first UK Cyber Security Strategy was subsequently published to reduce risk and secure the benefits of a trusted digital environment for businesses and individuals.

In 2014, the Cyber Essentials Scheme was introduced. The initial work was performed by the UK Government, the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) who developed Cyber Essentials. 

Cyber Essentials is suitable for all organisations, of any size, in any sector and is backed by industry including the Federation of Small Businesses, the CBI and a number of insurance organisations which are offering incentives for businesses.

From 1 October 2014, Government required all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified under the Cyber Essentials scheme (PPN09/14). At the time the MOD were to produce their own model; however, in May 2016 the MOD decided to join the scope of the policy.

Summary

Today there are approximately 10,000 companies certificated to Cyber Essentials. With the increase in both public and private bodies requiring Cyber Essentials certification as a pre-requisite for doing business, and the need to comply with GDPR, preserve reputation and mitigate risk, the number of companies certified is going to rise quickly.


For further information please email Duncan Gillespie of 360Law Group

