Cyber Essentials is a government-backed, industry-supported scheme designed to provide businesses with a set of measures to help them understand and guard against the common forms of cyber-attack that they may be exposed to – threats which require low levels of attacker skill, and which are widely available online. According to the UK Government, around 80% of cyber-attacks could be prevented if businesses put simple cyber security controls in place. However, only 58% of businesses have assessed themselves against the government’s “10 Steps” cyber security guidance and only 30% of boards receive regular cyber security intelligence (1). Cyber Essentials has highlighted the five most common issues and given a basic set of controls that businesses that don’t know where to start (and may never have bothered with cyber security otherwise) can use as a step-by-step guide to reducing their vulnerability.
Cyberspace is changing the way we conduct business; it’s brought incredible benefits but also terrifying vulnerability. Frightening headlines have everyone scrabbling to catch up with IT security, and as things spiral seemingly almost out of control, it is becoming increasingly important for businesses to not only maintain a robust cyber security stance but also demonstrate this to clients. Most organisations have a disaster recovery plan, but most of them don’t mitigate for a cyber-attack (far more likely than a fire or a flood). Organisations that have suffered data breaches have been so badly damaged that they have had to completely change the way they do business, so ignoring cyber security is no longer an option.
Every business is a potential victim: commercially sensitive information, intellectual property and business strategies are attractive targets for cyber criminals, and failure to adequately protect against cyber-threats and prevent data loss can lead to share price and revenue impact, financial penalties and reputational damage. Not only that, but the new European Union General Data Protection Regulation, which will replace the 1998 Data Protection Act next May (don’t think Brexit will save you), will bring data-loss penalties worth up to 4% of a company’s annual global turnover.
Cyber Essentials has put a bar in place for the first time, potentially having a greater impact on improving IT security in the UK than any other single initiative. The framework shows clearly which organisations are committed to basic safety and which aren’t. People are becoming increasingly cyber security-conscious and are more likely to be assured by a government-backed certification that proves how seriously you’re taking it all. Cyber Essentials certification shows your commitment and demonstrates to your customers, employees, regulators, suppliers and stakeholders that data is safe in your hands, despite the ever-changing IT landscape.
Cyber Essentials certification makes a statement about you and your business. Achieving a certification in a scheme such as Cyber Essentials provides you with sound, commercially viable benefits and a competitive advantage. Even big names like Barclays jumped at the scheme when it launched in 2014, because it demonstrates compliance, lets you meet bigger expectations and gain status as a preferred supplier. The Cyber Essentials scheme levels the playing field and provides a baseline from which small and medium organisations can easily and quickly build their security – extremely important as around 90% of the UK economy is based on SMEs that typically don’t have the time, resources, or in-house skills to do so.
It can also be a powerful marketing tool. Not only will insurers, investors and auditors likely take your certification into account when assessing your risk profile, but commercial supply chains outside of those working with public bodies have also started to realise that it is in their best interests to work with companies that have at least a basic level of cyber-security. Just as underestimating security risks means you risk losing customers elsewhere, Cyber Essentials certification can mean you get the pick of the business here and overseas. It is also now a mandatory requirement for all government suppliers and public service contracts, so it offers increased chances of securing business within the private sector, too. The UK government will also soon require all suppliers bidding for certain contracts which are assessed as ‘higher risk’ to be Cyber Essentials certified, and this will likely include ICT and personal/sensitive information handling contracts.
Cyber Essentials is for organisations of all shapes, sizes and sectors. It was designed in consultation with SMEs to be low-cost and light-touch, giving businesses the freedom and flexibility to choose the level of assurance and costs that they want, wherever they want them in the business. Knowing that you’re protected from the vast majority of common cyber-attacks means you have more time to focus on your core business objectives and can drive business efficiency, save money and improve productivity by streamlining processes. Plus, insurance companies will love it, and you’ll see lower insurance premiums…
Most SMEs probably did not plan their IT strategy and just acquired hardware and software ad hoc as they – and technology – evolved. The idea of change may seem daunting, a hassle and a lot of hard work, but from the security industry’s perspective, Cyber Essentials is a huge step forward in securing UK PLC. Protecting commercially sensitive data and your company’s profits and reputation by avoiding the financial implications of a cyber-attack can only be a positive thing. The scheme supports businesses as it encourages a growing maturity in cyber-security, and certification cements you as a market leader in this, for whom IT risk assessment in operations is integral. This set of basic controls will go a long way in encouraging businesses to start addressing risk in the supply chain and limiting vulnerability against simple, common security attacks that you may already be a victim of; simple attacks that can empty your bank account either from direct fraud or with huge fines from the ICO.
Osirium can help. Future-proofing your business is something you may as well do now, or you’ll only suffer further down the line. For many organisations, especially those with significant information assets or who are exposed to a wider range of threats, Cyber Essentials will become a practical component of a wider-ranging cyber security posture, but for now, certification is a definitive ‘Step One’ and an opportunity for improvement, driving productivity and getting the right advice. Our team can help you to gain a more in-depth, holistic view of your IT security – something that needs to be designed into your systems from the start.
For more information on how the Osirium privileged access management platform can help you achieve Cyber Essentials certification, download our guide below.