Which businesses is Cyber Essentials mandatory for?

Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect themselves against common cyber threats. Organisations that achieve Cyber Essentials demonstrate that they have considered and committed to bolstering their defences against common cybercrime threats and to reducing their vulnerabilities to an accredited government standard. Although backed by the UK Government, the Cyber Essentials scheme is not mandatory for everyone.

The European Union’s GDPR has been enacted into UK law, and its regulations and requirements are mandatory for all businesses regardless of size.

The Cyber Essentials scheme is not covered by binding regulation; instead, it offers organisations and businesses a means to demonstrate their commitment to addressing cybersecurity by achieving an accredited and registered certification standard.

However, for certain businesses Cyber Essentials is a mandatory requirement for securing contracts, and in this blog post we describe the conditions under which certification can be necessary.

Government Contracts

Cyber Essentials is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials, you will not be able to bid for such contracts at all. In general, these contracts will involve the handling of personal information or delivering certain IT products and services.

Essentially, these are all government contracts where your business will be required to:

  • Handle the personal information of any UK citizens, e.g. bank details or home addresses.
  • Handle the personal information of any government employees, ministers, or advisors, e.g. payroll or expenses information.
  • Deliver IT products or services designed to store, process, or transfer data at an official level.

Cyber Essentials certification is mandated for businesses entering into these contracts and demonstrates that they have achieved the standards and meet the technical requirements defined by the scheme.

For all businesses looking to bid for government contracts with one of the above characteristics, it makes business sense to consider achieving Cyber Essentials certification first, rather than waiting until the last minute.

Ministry of Defence Contracts

The UK Ministry of Defence (MOD) places further emphasis on businesses being Cyber Essentials certified and requires all its suppliers to comply with the Cyber Essentials scheme.

The MOD stated in its announcement that this requirement must flow down the supply chain, effectively mandating that both organisations conducting business directly with the MOD and organisations delivering into the MOD supply chain must be Cyber Essentials certified to continue doing business or to win contracts going forward.

Importance of Cyber Essentials

Should your business get a Cyber Essentials certification even if it is not mandatory for your business?

Yes.

Cyber Essentials is an increasingly important certification for businesses of all sizes in the UK. Even where it is not mandatory, growing consumer and client awareness of the impact of cyber attacks and the consequences of personal data breaches has rightly led to increased demand for evidence that your business takes its responsibilities seriously and invests in cyber protection.

Be prepared to be asked by your clients to prove that you are committed to maintaining cybersecurity; with Cyber Essentials certification you will be able to respond quickly and prove it.

There are additional benefits to achieving Cyber Essentials beyond bidding for government or MOD contracts. For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity. Most SMEs lack adequate cybersecurity measures because they mistakenly feel that they will not be targeted. This is a misconception:

  • More than 60% of SMEs suffered a breach in 2016.
  • The average cost of a breach to these UK-based SMEs was £16,264.

It makes good business sense to invest the minor cost of achieving Cyber Essentials certification to reduce this risk and mitigate any losses.

Conclusion

The Cyber Essentials scheme is mandatory for businesses and suppliers looking to bid for certain government contracts and all Ministry of Defence contracts. If you are a business that deals with the government or major industries in the UK, then it is essential you consider getting certified and maintaining your annual re-certification to keep the business contract.

For all other businesses, demonstrating to clients and customers that you have taken the essential steps to achieve basic cybersecurity, by being Cyber Essentials Certified, makes sound business sense.

CyberSmart is a cybersecurity service provider that helps organisations secure their systems and become Cyber Essentials certified. If you would like to discuss further whether Cyber Essentials is mandatory for your business, contact us right away.

Why Cyber Essentials is Important for SMEs

Over the last few years, cyber attacks have become an imminent danger for businesses. With this growing threat, cybersecurity is now a responsibility rather than a luxury.

Despite this, most SMEs are at risk of being breached, either through a lack of awareness or a lack of action. This is a concern for SMEs because the fines and costs associated with cyber attacks can put them out of business.

A KPMG survey suggests that only 23% of small businesses prioritise cybersecurity as a top concern. This is despite 60% of small businesses having experienced a cyber breach that led to brand damage and loss of clients.

As an SME, this is the right time to act and move forward with the cybersecurity agenda. The UK Government is helping these businesses by providing a range of standards and guidelines. The most useful of these perhaps is Cyber Essentials, particularly for small businesses.

In this blog post, we highlight the benefits of Cyber Essentials for SMEs.

What is Cyber Essentials?

Cyber Essentials is a scheme backed by the UK government that was launched in 2014. The standard provides simple but effective guidelines that protect organisations against cyber attacks.

The primary aim of this scheme is to encourage and guide organisations to adopt the best practices in their information security strategy. Once fully implemented, Cyber Essentials will provide organisations with basic protection against the most prevalent cyber threats.

Even though it is not the silver bullet to cybersecurity, it is the first step in the right direction for SMEs to protect themselves in this age of cyber warfare.

Benefits of Cyber Essentials for SMEs

There are a number of benefits that SMEs can look forward to when getting certified for Cyber Essentials. Here are four reasons why Cyber Essentials is important for SMEs.

1. It helps protect against common cyber attacks

A majority of cyber attacks exploit basic weaknesses in organisations such as the lack of updated software or well-configured firewalls. Often, these types of attacks are simple to defend against with straightforward strategies and Cyber Essentials provides those.

While there is no security strategy that will stop a hundred per cent of the attacks, Cyber Essentials helps organisations mitigate the risks of the most likely ones by providing a strong base for SMEs to work with.

2. It prepares you for being GDPR compliant

The General Data Protection Regulation (GDPR) came into force earlier this year across the EU. Under this regulation, organisations that process the personal information of EU citizens need to protect this data against theft and unauthorised access. If an organisation is found to have been negligent under the GDPR in the event of a breach, the business could face fines of up to 4% of its global turnover.

Following the Cyber Essentials scheme can help businesses avoid these heavy fines and prepare them for compliance with GDPR. Even though the GDPR requires a lot more than the five controls in the Cyber Essentials scheme, the latter allows you to audit your internal security and fend off basic security threats. It is the first step towards GDPR compliance for SMEs.

3. It enables you to bid for government contracts

The UK Government has made it mandatory for suppliers to be compliant with the Cyber Essentials scheme to be eligible to bid for government contracts.

If a contract involves certain technical services or handling of sensitive information, then you need to be Cyber Essentials compliant. Therefore, for SMEs that are looking for a government contract, Cyber Essentials is the only way forward.

4. It shows customers and vendors that you take cybersecurity seriously

Customers and even vendors can often be sceptical in dealing with you if you display little or no concern for cybersecurity. Becoming Cyber Essentials certified can help you establish the trust of clients and partners.

Once you are certified, you will be able to display a Cyber Essentials badge on your business website. This badge proves to customers, vendors, and investors that you take the security of systems and integrity of data seriously. This is particularly important if you are storing, processing, or transferring personal information or hosting sensitive data.

Conclusion

SMEs are as likely as large organisations, if not more so, to be at risk of a cyber attack. An important step that SMEs can take to improve their cybersecurity is to get Cyber Essentials certified. This has a number of benefits, including protection against prevalent cyber attacks and a competitive advantage when bidding for government contracts.

CyberSmart partners with SMEs to advise them on how to become compliant with leading schemes and standards such as Cyber Essentials. If you would like to learn how we can help you become Cyber Essentials certified, or about Cyber Essentials in general, get in touch.

How long is Cyber Essentials valid for?

Following on from our last blog post, “Steps to prepare and pass Cyber Essentials”, this post builds on that advice and discusses the time it takes to achieve certification.

The Cyber Essentials scheme encourages businesses to adopt best practices to protect themselves against common security threats. Over time, the variety and complexity of these cyber threats are increasing; consequently, cybersecurity standards such as Cyber Essentials are constantly evolving their requirements.

This is the reason most standards and schemes have a validity period for their certification. Cyber Essentials is reviewed annually, and the UK Government recommends that all certificate holders review their certification annually to remain on the official register of certified businesses.

In this blog post, we discuss the validity period for Cyber Essentials and how the recertification process works.

How much time does it take to get your business certified?

When you apply for Cyber Essentials, and following payment of £300 plus VAT (at the time of publication), you will receive a self-assessment questionnaire. You have up to 6 months to submit the questionnaire to the certifying body for review and a decision on your certification. If you fail to submit your self-assessment questionnaire within this period, your application will be cancelled, and you will have to make the payment again.

On average, we have found that it takes small businesses around 2 weeks to complete their assessment.

Following submission, it usually takes on average 3 days for the certification body to give you a response. If everything is in order, they will award you your Cyber Essentials certification.

In the case of Cyber Essentials Plus, the process takes a little longer and will typically involve an additional on-site audit and a system vulnerability scan from a registered competent contractor.

Depending on the time and size of your business, it can take up to 6 months to receive a Cyber Essentials Plus certification.

How long is your certification valid for?

There is no definitive period of validity for a Cyber Essentials certification. But, the UK government recommends that businesses renew their certification annually. If you fail to renew your certification within a year, you will be removed from the list of certified organisations.

Cybersecurity is continuously evolving with new requirements and best practices being established every day. To keep your business protected, it is important you stay updated with these new developments. Re-certifying helps demonstrate to your clients that you are improving your security to counter newer threats.

Your accreditation body should inform you by email around a month before you are expected to re-certify. When you receive this email, it is a good time to start preparing for the re-certification process.

How long will it take to re-certify?

The recertification process is almost the same as the certification process.

Therefore, the time taken is similar, and you should receive your updated certification within 3 days of submitting your assessment.

You should factor in the personal time and investment needed to re-enter all the information from your previous application into the recertification questionnaire, as its sequence and content change annually to reflect the changing security environment and cybersecurity requirements.

In case of changes to the security infrastructure of your organisation, your answers should reflect the changes. If there are no changes, then you can copy and paste the answers from the questionnaire that you filled the previous year.

Conclusion

The bottom line is that you and your business need to re-certify annually to retain your accredited Cyber Essentials registration. The scheme’s current certified businesses are registered on a publicly accessible register, so there is no hiding if you have not completed your annual recertification.

The benefits of getting re-certified include improved protection against emerging cyber threats and reduced risk to your business through an annual review of your adherence to compliance standards.

CyberSmart is an automated compliance service that helps businesses seamlessly track and renew their Cyber Essentials certification. In our next post, we will look at how CyberSmart has been proven to speed up the process for you and your business, saving valuable time, effort and potentially cost. If you would like to learn more about how we can help you remain protected and compliant, get in touch with us right away.

Steps to Prepare and Pass Cyber Essentials (Checklist)

The Cyber Essentials scheme provides a basic yet effective framework for businesses to protect themselves against cyber attacks. Getting Cyber Essentials certified is one of the first steps that any organisation can take to protect its digital assets and personal data, and for those seeking to engage in UK Government supply chain contracts, it provides the mandatory certification required to bid.

Like all official certifications, achieving Cyber Essentials requires preparation and business investment in time, cost and some technical awareness.

In this blog post, we present a guide on how to prepare for and pass Cyber Essentials.

1. Create an Information Security policy

The first step is to develop a well-planned information security policy for your organisation. Your policy should establish the requirements and rules for cybersecurity at your company. To achieve Cyber Essentials, it should include:

  • The requirements for handling and processing personal data of customers, employees, and third-parties.
  • A password policy that describes the minimum requirements for passwords (such as length and complexity).
  • A set of guidelines that define what users can and cannot do, including access controls and internet usage.

Your security policy does not have to be a long and complex document filled with technical details. Instead, it should document rules for cybersecurity in a simple, clear manner that all your employees and other third parties with access to your systems or data can understand and readily comply with.

2. Assign a Data Protection Officer

Although not mandatory for all organisations, appointing a single senior employee as a Data Protection Officer (DPO) can help you enforce the information security policy within your organisation.

For SMEs, assigning a DPO can be an important step as they can coordinate all the business security initiatives, and for external parties and IT users, they are the business’ single point of contact for queries and concerns related to security.

Cyber Essentials requires businesses to complete and submit a self-assessment questionnaire, and provide relevant evidence to support answers, in order to achieve certification.

Having a single point of focus in a DPO ensures that everybody understands who is responsible for completing the questionnaire and who to go to for best-practice advice and guidance.

3. Keep track of your digital assets

To make sure that all software and devices are protected, you should keep an inventory of digital assets. Ensure that you include the details of software versions and updates for both software and devices.

Knowing what and where your assets are is good practice and especially so with information security assets. It helps you keep software updated, which can often be essential, and the best first step to protect your systems and data.

Knowing what devices are present on, or can connect to your network, is the best way to identify unauthorised devices and to take action to remove or isolate them. Tracking your digital assets enables you to identify vulnerabilities and to keep a close watch on devices within your network.

4. Enforce access control

Access control ensures that only authorised personnel have access to sensitive information and enforcing strong access control is an essential step for achieving Cyber Essentials certification.

Make use of a Role-Based Access Control (RBAC) system to ensure IT users have only the privileges that their job role requires, and access to only those systems they need to be effective and operate safely.

5. Make use of the right tools and configurations

A firewall and antivirus are essential security tools required for Cyber Essentials.

Your firewall helps protect devices on a network from external threats such as those from the internet.

Your antivirus software protects your systems from viruses and other malware that can harm them, or corrupt or steal sensitive, personal or proprietary data.

You should ensure your firewalls are properly configured to disallow access to malicious content. Making use of a firewall and antivirus will help your business prevent the most common types of cyber attacks.

6. Conduct regular security reviews

To ensure that your digital assets remain safe and protected, it is important to document, track, and review the effectiveness of the cybersecurity measures you have taken.

Knowing the strengths and weaknesses of your organisation’s network can help you fine-tune cybersecurity for better protection, especially as you grow. You should conduct regular security reviews to:

  • Track all devices and software, including when they were last updated.
  • Understand the types of devices being used throughout your organisation (e.g. laptops, desktops, servers).
  • Determine the effectiveness of your information security policy.
  • Ensure that all software and devices are properly configured for secure operations.
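As an added example (not CyberSmart's code or any part of the scheme's own tooling), the script below runs the step 6 review over the kind of asset register described in step 3: it counts devices by type, flags devices that have not been updated recently, devices with the firewall or antivirus from step 5 switched off, and unknown devices that should be isolated or removed. The inventory format, the 14-day update window, the review date and the sample devices are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed review parameters: the post gives no figures, so the
# 14-day update window and the review date are assumptions.
MAX_UPDATE_AGE_DAYS = 14
REVIEW_DATE = date(2018, 10, 1)


@dataclass
class Asset:
    name: str
    kind: str                 # laptop, desktop, server, ...
    software: dict            # product -> installed version (from the register)
    last_updated: date        # when updates were last applied
    firewall_enabled: bool
    antivirus_enabled: bool
    authorised: bool = True   # False: seen on the network but not in the register


# Constructed sample inventory (assumption, not real data).
INVENTORY = [
    Asset("LT-001", "laptop", {"os": "10.0.17134"}, date(2018, 9, 25), True, True),
    Asset("LT-002", "laptop", {"os": "10.0.16299"}, date(2018, 8, 1), True, False),
    Asset("SRV-01", "server", {"os": "16.04", "web": "2.4.18"}, date(2018, 9, 20), False, True),
    Asset("unknown-ab12", "unknown", {}, date(2018, 10, 1), False, False, authorised=False),
]


def review_asset(asset, today=REVIEW_DATE, max_age=MAX_UPDATE_AGE_DAYS):
    """Return the findings for one asset (an empty list means no issues)."""
    findings = []
    if not asset.authorised:
        # Step 3: a device not in the register must be removed or isolated.
        findings.append(f"{asset.name}: unauthorised device, isolate or remove")
        return findings
    age = (today - asset.last_updated).days
    if age > max_age:
        findings.append(f"{asset.name}: last updated {age} days ago (limit {max_age})")
    if not asset.firewall_enabled:
        findings.append(f"{asset.name}: firewall disabled")
    if not asset.antivirus_enabled:
        findings.append(f"{asset.name}: antivirus disabled")
    return findings


def review_inventory(inventory, today=REVIEW_DATE):
    """Step 6 review: device counts by type plus all findings, oldest update first."""
    counts = Counter(asset.kind for asset in inventory)
    findings = []
    for asset in sorted(inventory, key=lambda a: a.last_updated):
        findings.extend(review_asset(asset, today))
    return {"devices_by_kind": dict(counts), "findings": findings}


if __name__ == "__main__":
    report = review_inventory(INVENTORY)
    print(report["devices_by_kind"])
    for line in report["findings"]:
        print("-", line)
```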

Conclusion

If you are a small to medium-sized business, getting started with cybersecurity can seem daunting, especially if you have no technical IT skills. However, achieving a Cyber Essentials certification is a great way to begin, and for a small investment of time and effort, it can significantly reduce your risk exposure. Take the steps outlined above and you will be well prepared to pass Cyber Essentials.

CyberSmart is the automated platform to help businesses get and stay secure with recognised certification standards including Cyber Essentials. Businesses can gain certification as individual companies or can join the many organisations that have achieved Cyber Essentials by partnering with us today.

If you have any questions, whether about preparing for Cyber Essentials or how to protect your company systems and data, please reach out. We love to talk about Cyber Essentials and to help companies with their data protection needs and smart certification.