The Five Controls of Cyber Essentials
19 Apr
Cyber security is of the utmost importance in every organisation, no matter its size. It can be difficult to guarantee that your systems are as secure as possible, or to prove to your customers that cyber security – and in turn the security of their data – is at the forefront of your operational concerns for the business.
Introducing Cyber Essentials Accreditation. Launched in 2014, Cyber Essentials is a scheme backed by the government, which has been designed to help businesses reinforce their cyber defences and display their commitment to online security. The purpose of Cyber Essentials is to assist businesses of all sizes to protect themselves from any and every cyber attack that may target their systems. It does this through the implementation of five key controls (we will explore these in depth later in the series). Cyber Essentials is a certification scheme that is split into two tiers – achieving even just the first of these certifications will prove to customers, suppliers, and partners alike that you take the security of your technological landscape seriously.
The two tiers of Cyber Essentials Accreditation are as follows:
- Cyber Essentials
- Cyber Essentials Plus
Do you already think you are cyber secure? Why would you spend more money unnecessarily? Both are valid points, but let’s take a look at the business benefits of the Cyber Essentials Accreditation and find out how it can benefit you.
The Business Benefits of being Cyber Essentials certified
You’ll be protected against the majority of online threats.
The Cyber Essentials scheme doesn’t claim to make your business completely impenetrable to cyber criminals – that is an impossibility – but successful implementation of the five controls will help guard against roughly 80-90% of online threats. The scheme can act as a base for your cyber defences to be constructed around in the future.
You’ll be able to bid for more government contracts.
A wide range of government contracts require bidding companies to hold Cyber Essentials certification. All contracts involving the handling of sensitive information such as health records, confidential technical information or data pertaining to military activities fall under this category. Some contracts require Cyber Essentials Plus Accreditation; this is the case for many MOD (Ministry of Defence) contracts that involve high levels of risk and therefore demand extra cyber security assurances.
It will help you meet your GDPR obligations.
Cyber Essentials will help you to feel confident that you have the appropriate ‘technical or organisational measures’ in order to protect your sensitive information to a sufficient standard. The five controls of Cyber Essentials will at least help you satisfy the data security aspect of this important body of legislation.
Certification inspires confidence.
Once you have achieved the certification you will be permitted to display a Cyber Essentials badge wherever you choose for one year. This badge will distinguish your business as one that cares about online security, in the process attracting customers and reassuring suppliers and partners that their data is safe in your hands.
You could see significant return on investment.
There are costs associated with the Cyber Essentials Certification, and these costs vary depending on the level of accreditation you desire, but they are relatively modest in comparison to the potentially substantial cost of a cyber breach.
Firms that have achieved the Accreditation also benefit from ‘Cyber Liability Insurance’. This is available to firms with an annual turnover of no more than £20m and provides £25,000 worth of cover against cyber attacks.
Your Cyber Essentials certificate will also prove attractive to potential customers that are concerned about the security of their data and will almost definitely result in new revenue streams for your business.
The Assessment Process
Both tiers offer certificates valid for one year, although the assessment process differs depending on which of the two tiers of the certification you are trying to achieve.
The basic level of accreditation (and the cheaper of the two) involves the successful completion of a self-assessment questionnaire carried out via an online portal. Following your initial purchase, you will have three months to complete the questionnaire and submit it for approval by the certification body. This three-month period allows you time to implement the technical security measures required to achieve the certification; once you have implemented the appropriate measures you’ll only need a couple of hours to complete the questionnaire itself.
After submitting the assessment, grading will be carried out by an external certification body. If your submission doesn’t meet the required standard, you’ll get one chance – imposed under a time limit of three days – to implement the required changes and resubmit. If you fail again, you will be required to restart the entire process. The best option is to strive for success on your first attempt, to avoid the disappointment and added work that trying again will entail.
Cyber Essentials Plus
Achieving Cyber Essentials Plus Accreditation (the more expensive option) involves exactly the same process as the basic Cyber Essentials package, with one main difference: with ‘Plus’ your business’s cyber defences will also be subject to on-premise assessment by a qualified technical assessor. ‘Plus’ also requires the successful completion of the Cyber Essentials self-assessment within the preceding three months.
The on-premise technical audit is simply to guarantee that what you have claimed in the technical measures part of your self-assessment accurately reflects the technical controls implemented in your organisation.
As is the case with the self-assessment, failing the audit results in just one chance to make the required changes, and should you fail the audit process a second time you’ll have to restart the process from the beginning. Due to the considerable costs involved it’s wise to approach the technical audit with confidence. This is the stage at which you need to decide whether the technical prowess you have in-house is up to standard – if you don’t have extensive technical expertise in-house, it might be a good idea to seek consultancy services to prepare you for the process and to guide you through the deployment of the measures required.
The Five Controls of Cyber Essentials
We will explore the five controls in more detail as the blog series develops. For now, we will outline what the five controls are, rather than how to achieve them.
These technical controls (known as “the 5 controls”) are the components necessary to achieve Cyber Essentials Accreditation. If you fail on just one of these controls you will fail the whole assessment, so it’s important to become familiar with the requirements before starting the process.
The 5 controls are:
- Firewalls (boundary firewalls and internet gateways)
- Secure configuration
- Access controls
- Anti-malware measures
- Ensuring proper system maintenance
In the remaining blogs in the series, we will explore the 5 controls in more detail. We aim to give you the knowledge to sail through the accreditation with as few problems as possible and enable you to feel confident that you will pass first time.
Helping you achieve cyber security in your organisation
Our team of experts will help you achieve cyber security in your business. We cannot stress enough that security is not a luxury but an essential part of protecting any business in the digital age – that is why we take a security-first approach. With the Cyber Essentials Accreditation, you can be sure that you have the infrastructure in place to guarantee a secure future for your business. We will educate your employees to guarantee they are doing their utmost toward protecting the security of your organisation. We go above and beyond in helping our clients and their teams get more value from their technology by providing education. We guarantee that our clients always come first, and employ a straightforward approach that builds a strong relationship between our team and yours. Contact us now and find out how we can help your business both to achieve the Cyber Essentials Accreditation and to work securely when online.