With approximately 2.39 million cases of cyber crimes affecting UK businesses over the past 12 months, taking steps to protect our businesses has never been more crucial.
To help businesses tackle many of the most common types of cyber attacks and threats, the Cyber Essentials Certification was launched in 2014.
Cyber Essentials is an effective, government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common #CyberAttacks. Cyber-attacks come in many shapes and sizes, but the vast majority are extremely basic in nature and are carried out by unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Our advice is designed to prevent these attacks.
There are two levels of certification: #CyberEssentials – it’s a self-assessment that gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others. Cyber Essentials shows you how to address those basics and prevent the most common attacks.
#CyberEssentialsPlus - has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus, a hands-on technical verification is carried out by a certification body.
Chris White, Head of Cyber and Innovation and Detective Inspector recently went through the Cyber Essentials journey to help The South East Cyber Resilience Centre achieve both the Cyber Essentials and Cyber Essentials Plus certification for the third year running. To help business owners understand the process and benefits, Chris has shared his experience in the blog below:
How long does certification take to complete? We downloaded the question set in advance, which was freely available from the website. Following the guidance albeit, some of the sections were technical for configuring our computer systems safer, we prepared our answers, which took the best part of half a day. This is an annual assessment and the certification costs £300 for a small business.
We then contacted one of our Cyber Essentials Partners as we wanted to complete Cyber Essentials Plus, and it made perfect sense to do it all at the same time. Our partners created an account for us, where we uploaded all the answers to our work. Once the questions were submitted, the assessor got back to us within 2 days. We passed 😊, for us we were then onto the next stage…
(Had we not passed, I know we would have had the ability to rectify the issues raised, update our answers, and then re-submit the application. The Assessor would have aimed to take no more than 3 days to remark the assessment.)
So, onto Cyber Essentials Plus, the technical audit of our systems… This higher level of assurance involves completing the online assessment followed by a technical audit of the systems that are in scope for Cyber Essentials. This included a representative set of user devices, all internet gateways, and servers with services accessible to unauthenticated internet users.
Our assessor got in touch and booked in the session for further testing, which was all completed remotely. On this occasion, we used Microsoft Teams to speak with him and show him evidence of what we had achieved in the self-assessment. The assessor remotely tested a sample of our systems (which I understand is typically around 10%) and then decided whether further testing was required. A couple of specialist applications were used to complete this process, which were all provided by the assessor. He explained everything during the process, and we could also see what was happening.
After the device scans were complete, the assessor had all that was needed for this assessment, completed the report, and submitted the application. The very next day we had email confirmation we had passed, with a follow-up certificate that included details of the free cyber insurance that accompanies this process.
Why did the auditors get involved? The first stage of the framework is a self-assessment, and the auditors in this case are called a certification body, they double-checked our work in case we had made mistakes, so effectively, we didn't mark our own homework!
The process in total took approximately 3 days on and off, reviewing our systems, and making changes here and there to configure our systems safer, which reassures us it will stop the majority of cyber-attacks.
To business owners, there are also extra benefits you might not have thought of: Win your customers' trust with a certified badge - Customers, vendors, and suppliers, will see you have already taken certain steps to make your systems safer.
Receiving a Cyber Essentials certification - gives you peace of mind that your defenses will protect against most common cyber attacks simply because these attacks are looking for targets that do not have the Cyber Essentials technical controls in place.
Protect your business from online threats effortlessly - you can demonstrate and be proud to third parties that you have a process in place for your organisation and its computers. Rather like you highlight that you follow procedures for fire safety and first aid, you now have an answer for your devices.
Credibility – allows you to bid for certain government or third-party contracts that require you to demonstrate you have taken action steps to secure your systems.
Every year we use a different partner, so thanks go out to SupPortal UK Ltd, Jeremy Lloyd Coded Systems, Fortis Information Security & Risk Management, and Arculus Cyber Security for completing the hands-on technical verifications so far.
If you would like to learn more and get some help to get started, join us at www.secrc.police.uk