What is Cyber Essentials?
Cyber Essentials is a government-backed certification scheme designed to help organisations mitigate the risks of the most common cyber-attacks. There are two levels of certification:
- Cyber Essentials
- Cyber Essentials Plus
The first level is a self-assessment option aimed at making sure that you have the necessary defences in place to protect against cyber-attacks. The second level, Cyber Essentials Plus, involves an audit during which an Information Security Analyst will verify that you have all of the technical controls in place. This is done using measures such as internal and external scans, as well as screen sharing on a sample of devices so that the assessor can ascertain that they are configured correctly. Both of these certifications last for one year, so they will need to be renewed annually. However, once you have all of the policies and controls in place, re-accreditation at both levels should be much more straightforward on an ongoing basis.
Having gone through this process and achieved accreditation, we are able to say with 100% confidence to our clients that all of their data will be as safe as it can be with us. We now find ourselves in the 1% of businesses that have Cyber Essentials Plus accreditation, which makes trusting us an easy decision.
We had been looking at Lexcel Accreditation (more on this soon!) and one of the requirements for this is to have considered Cyber Essentials Accreditation. Our thought process was essentially ‘why not?’ We were already confident in our cyber security and felt that the costs involved with this accreditation would be justified by the extra credibility gained, particularly in the eyes of business clients. After all, in today’s landscape one of the first things that people look at is how securely their data will be looked after. On 30th March 2022 the government announced that its survey showed that in the previous 12 months, 39% of UK businesses had identified a cyber-attack on their systems, showing that this is not an issue to be taken lightly.
What did we learn?
To be frank, we underestimated how much work goes into meeting the criteria and passing the self-assessment part of the Cyber Essentials process. That being said, we are glad that we have gone through this exercise, as it forced us to consider aspects of our security that we had perhaps overlooked previously. Without wanting to get too technical (although you will have to get more technical than you can possibly imagine if you want to go through this process yourself!), we now have controls in place that allow us to rest assured that our networks are configured securely and that all devices and software automatically download all security updates and scan all downloads for malware.
So what necessary changes had we not foreseen? One was the requirement to have multi-factor authentication enabled not just for our remote desktop server but also for all cloud services that we administer and that are used to access organisational data. This is particularly important as it blocks 99.9% of account hacks. Another useful measure is changing the settings on your browser so that it asks where to save each file before downloading – this gives the end user the opportunity to cancel any download should they suspect it to be malware.
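One way to check and enforce that download-prompt setting centrally on Windows devices, as an added example that is not from the original post: it assumes the machine-wide Chrome and Edge policy registry paths and the PromptForDownloadLocation policy name documented by Google and Microsoft, and needs an elevated PowerShell prompt to write the values.

```powershell
# Added example: audit (and optionally enforce) the "ask where to save each file"
# browser policy on a Windows device. Assumes Chrome and Edge read machine-wide
# policies from these HKLM paths; a policy-set value cannot be switched off by the user.
$BrowserPolicies = @{
    'Google Chrome'  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Microsoft Edge' = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Get-DownloadPromptState {
    # Returns one object per browser; Compliant is true only when the DWORD is exactly 1.
    foreach ($entry in $BrowserPolicies.GetEnumerator()) {
        $value = $null
        if (Test-Path $entry.Value) {
            $value = (Get-ItemProperty -Path $entry.Value -Name 'PromptForDownloadLocation' `
                -ErrorAction SilentlyContinue).PromptForDownloadLocation
        }
        [pscustomobject]@{
            Browser   = $entry.Key
            Policy    = 'PromptForDownloadLocation'
            Value     = $value
            Compliant = ($value -eq 1)
        }
    }
}

function Set-DownloadPrompt {
    # Creates the policy key if it is missing and sets the value to 1 (prompt on every download).
    foreach ($path in $BrowserPolicies.Values) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'PromptForDownloadLocation' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; enforce only where something is non-compliant, then re-audit to confirm.
$before = Get-DownloadPromptState
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Set-DownloadPrompt
    Get-DownloadPromptState | Format-Table -AutoSize
}
```

Running only Get-DownloadPromptState is a quick read-only check to keep for the annual re-assessment; the browsers pick up the registry value on their next policy refresh or restart.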