An increased cyber threat to small businesses
In the past, cyber attacks have mainly targeted large or high-profile organisations, many of which have developed comprehensive systems to protect themselves (network policies, hardware and software firewalls and up-to-date virus protection). Because of these upgrades, attention is now turning towards smaller companies, whose less developed processes and limited access to security skills make them an easy target.
Business owners discount the threat, telling themselves that it will never happen to them. Sometimes they fail to comprehend who would wish to do such a thing. However, with malicious tools more readily available and very little specialist knowledge required to use them, the unfortunate truth is that it may happen.
In 2015, 74% of small and medium-sized businesses had a breach (up from 60% in 2014), and the average cost of the worst breach of the year ranged from £70k to £300k. Many small businesses never recover from a security breach and cease trading within 6 months.
What is the Cyber Essentials Certification?
Cyber Essentials is a government scheme aimed at strengthening IT security in companies of all sizes, allowing organisations to become certified and demonstrating to customers and business partners that cyber security is taken seriously. Please click here for the government publication on this scheme, or if you want a more technical insight into the requirements, then please follow this link.
The Cyber Essentials certification is a manageable, cost-effective framework which demonstrates the presence of essential controls and can be assessed in a matter of days rather than weeks or months.
Her Majesty's Government is ultimately in charge of the scheme; it appoints Accreditation Bodies, who must develop and own a certification process. At this time, there are five Accreditation Bodies: IASME (Information Assurance for Small and Medium-sized Enterprises); CREST; QG Management Standards; IRM Security and APMG. The Accreditation Bodies appoint Certification Bodies to work with organisations to assess and certify them against the Cyber Essentials requirements.
Organisations wishing to pursue a Cyber Essentials certification can choose to engage with any Certification Body and therefore, by association, any Accreditation Body.
As of 1 October 2014, certification against Cyber Essentials is a mandatory requirement for anyone in the supply chain of central government contracts which involve handling personal information and providing certain IT and communications products and services. The procurement policy note with more information can be found here.
The process for getting a Cyber Essentials certificate is pictured below.
The next steps for your business
You can complete a quick questionnaire to get an idea of how well you protect yourself.
If you are interested in getting Cyber Essentials certified, then please have a look at the Cyber Essentials common questionnaire.
Confused? We can assist, but we cannot certify you. Some parts of the questionnaire are easier for us to fill in, but the process can be time consuming, as all machines and devices in your company will have to be compliant. Your costs could be reduced if you are willing to do some of the work yourself.
As a general guide, all machines on or accessing your network must be compliant: they need to be cleaned up and secured. Make sure that all unnecessary software is uninstalled and that all remaining software is licensed and fully supported by its vendor. Default usernames and passwords should be removed or changed, and every machine should have anti-virus/malware protection.
A good IT policy should also be in place, covering new user setup requests, file access permissions, backups, etc.
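The checks in the guide above (unnecessary software, unlicensed or unsupported software, default credentials, missing anti-virus) become much easier to keep on top of if they are recorded per device and re-run before each assessment. The script below is an added example written for this page, not code from the page's authors or from the Cyber Essentials scheme; the inventory format, the field names (`hostname`, `software`, `default_credentials_changed`, `antivirus`) and the device records are all constructed for illustration.

```python
"""Audit a small-business device inventory against the basic hygiene controls
described above. Example code added to this page; the record format, field
names and all sample data are assumptions made for the example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Software:
    name: str
    licensed: bool
    support_ends: Optional[date]   # None means vendor support is open-ended
    required: bool = True          # False means nothing in the business needs it


@dataclass
class Device:
    hostname: str
    software: List[Software] = field(default_factory=list)
    default_credentials_changed: bool = True
    antivirus: Optional[str] = None  # product name, or None if nothing installed


def audit_device(device: Device, today: date) -> List[str]:
    """Return one finding per control the device fails; an empty list means compliant."""
    findings: List[str] = []
    for sw in device.software:
        if not sw.required:
            findings.append(f"unnecessary software installed: {sw.name}")
        if not sw.licensed:
            findings.append(f"unlicensed software: {sw.name}")
        # Software whose vendor support has already ended receives no security fixes.
        if sw.support_ends is not None and sw.support_ends < today:
            findings.append(
                f"unsupported software: {sw.name} "
                f"(support ended {sw.support_ends.isoformat()})"
            )
    if not device.default_credentials_changed:
        findings.append("default username/password still in place")
    if not device.antivirus:
        findings.append("no anti-virus/malware protection installed")
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each hostname to its findings so the report can be reviewed per machine."""
    return {d.hostname: audit_device(d, today) for d in devices}


def non_compliant(report: Dict[str, List[str]]) -> List[str]:
    """Hostnames that still have at least one open finding, sorted for stable output."""
    return sorted(host for host, findings in report.items() if findings)


# Constructed sample inventory (hypothetical hostnames and product names).
REFERENCE_DATE = date(2016, 1, 1)
SAMPLE_DEVICES = [
    Device(
        hostname="reception-pc",
        software=[Software("ExampleOffice 2003", licensed=True, support_ends=date(2014, 4, 8))],
        default_credentials_changed=False,
        antivirus=None,
    ),
    Device(
        hostname="accounts-laptop",
        software=[
            Software("Accounting Suite", licensed=True, support_ends=None),
            Software("Media Player Toolbar", licensed=True, support_ends=None, required=False),
        ],
        antivirus="Example AV",
    ),
    Device(
        hostname="owner-laptop",
        software=[Software("Accounting Suite", licensed=True, support_ends=None)],
        antivirus="Example AV",
    ),
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_DEVICES, REFERENCE_DATE)
    for host, findings in report.items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it against the constructed inventory flags the reception PC on three controls and the accounts laptop on one, while the owner's laptop passes. The same structure extends naturally to the policy points (backup status, access permissions) by adding fields to `Device` and a matching rule in `audit_device`.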
Obviously, there is far more than that involved, but this would be a good starting point to get you on the right path to getting Cyber Essentials certified.