Do I need Cyber Essentials?
It’s becoming increasingly obvious to business owners that cyber security is probably the most important thing to address if you want to reduce the risk to your business resilience, as most of the threats to business continuity are online these days. Malware, ransomware, hacking, data theft, spyware, and good old incompetence or just disgruntled employees can badly damage or destroy prospects, contracts, or even whole businesses.
As things stand right now in the UK, many businesses have vastly improved their online and in-house cyber security, and awareness of threats and countering tactics is routinely taught and highlighted in organisations across the nation. But even with business owners and IT departments making inroads into safer business practices, there is a very definite requirement for teams and organisations working in certain sectors and industries to provide services that meet a certain standard.
Why do I need contractors with robust cyber security?
If you are an aerospace manufacturer for example, it’s no good operating stringent security protocols for your in-house data handling whilst simultaneously retaining a business on contract to consult on design or finance when that company has little to no cyber security awareness or process. That is how leaks happen, which can have potentially disastrous results in terms of product launches, company data breaches and corporate espionage.
But how do you check that your providers or contractors have the security chops that you need to ensure safe and secure services? It goes without saying that the easiest way to achieve this is to have an accredited standard for cyber security that you know will guarantee a minimum level of security across all your suppliers, without you having to audit them individually or install compliance officers into their company infrastructure. Luckily, this exists, and it’s referred to as Cyber Essentials.
What is Cyber Essentials?
Cyber Essentials is a government-backed scheme, representing a system of best practices that ensure a reasonable level of safe and secure cyber operations in every type of network. Ostensibly, the Cyber Essentials certification declares that a certified organisation has gone through a set of technical checks and audits to make sure that there are no loose ends or open back doors on the organisation’s networks and endpoints. These are, by and large, common-sense practices and include such processes as checking to see which ports are open on a network firewall or router, and closing them if not used, or ensuring that all software in use inside an organisation is digitally signed and regularly updated. Networking equipment must be secure, with firmware under active support and with no factory-issue passwords. Endpoints, from phones to servers, must carry antivirus software and run no software that is not on an approved list specified by the organisation’s IT or security administrator.
Physical access to computer equipment may also need to be controlled, and with cloud services, admin level operations, and domain-based local logins, accounts must be locked with complex passwords, and multi-factor authentication (2FA or MFA) must be active across all accounts in the organisation.
Do I really need Cyber Essentials certification?
It depends, but our view on it is yes, you do need Cyber Essentials certification. For your business to operate in certain markets, it’s pretty much a requirement for gaining contracts. If you’re looking to supply clients in the public sector, such as the Ministry of Defence, the Home Office, or the Foreign, Commonwealth and Development Office, then you will need to be Cyber Essentials certified at a minimum. Many other businesses that supply into these public sector institutions will require you, as a subcontractor, to have Cyber Essentials or Cyber Essentials Plus certification. This is especially important if you are being considered as a provider in a SIAM or other distributed service model where you will be providing part of a range of services among multiple suppliers. You’ll be expected to provide assurances that your services or contributions will be secure to a specified minimum standard, and the easiest way of accomplishing this is to make everyone compliant with Cyber Essentials.
Cyber Essentials seems like a lot of effort…
It’s really not that bad. Yes, you may have to redesign areas of your network, and yes, you may have to purchase new equipment or ensure that any existing equipment is up to date and remains supported. You might even have to update internal policies and documents surrounding IT and device usage at work, as well as arrange things like cyber security awareness training. You could even be in the position where you have to move everything in your organisation to cloud services, ensuring they are removed from out-of-date infrastructure on your premises. Here’s the thing with all this though – you should be doing this anyway.
Cyber Essentials is common sense for business
We really mean it. You should be doing it. Regardless of whether you are contractually obliged to undergo an audit and certification, taking your business through the Cyber Essentials process is a bit like tidying up your workshop or garage. Everything is put in its proper place and recorded, and any hoarded electronics and anything extraneous or buggy software-wise is gone. It’s like a life-laundry for your business, and your staff and clients will appreciate it. At the end of the day you will have achieved three things: firstly, your staff will have a greater awareness of your, and their, responsibility around making sure that business is conducted efficiently and securely; secondly, your network will be hardened, more secure, more streamlined, with authentication, regular updates, enforced backups, security software, firewalls, and telephony systems all functioning as they should, with nothing made difficult to find, overloaded, or cluttered; and thirdly, your clients will know at a glance that you take the security of your data and business (and therefore theirs) very seriously. It may even open avenues of business that weren’t available to you beforehand.
Get in touch for Cyber Essentials
Pearce IT, through our certification partner Assured Technical, is offering full Cyber Essentials and Cyber Essentials Plus auditing and certification services, and our team will work closely with you to make sure that everything is assessed, identified, and resolved so that you can be sure of gaining that all-important certificate. We offer all the solutions that you need to move forward with a secure, safe, and prepared business infrastructure. Get in touch with us today on 01452 222000 or contact us via the form on this site to arrange a visit and a chat about your business IT strategy.