Cybercriminals constantly target large organisations in the quest to exploit their networks, steal data and extort money. However, it is well known that SMEs are targeted with the same level of enthusiasm. The reason is simple: an attack on a home user yields email passwords that can then be used for social engineering, but an attack directly on a company can lead to the theft of intellectual property and sensitive strategic data.
Cybercrime knows no borders, and many companies trade internationally or have international offices, so cybercriminals see SMEs as a viable target.
SME Cyber Security
Cybercriminals continually target SMEs in the quest to exploit their networks. The Department for Business, Innovation and Skills (BIS) recognises this is a growing issue and has taken measures to help SMEs manage cyber security risks.
The Cyber Essentials scheme is designed to help small businesses take practical steps to defend themselves against cyber threats. Cyber Essentials is an information security standard that helps protect organisations against common internet-based threats.
Cyber Essentials Scheme
Cyber Essentials certification is a UK government-backed scheme to reduce cybercrime amongst businesses. It was initiated following research by No10 and the Cabinet Office into how businesses can better protect themselves from cyber-attacks. The aim of this cost-effective scheme is that firms with IT networks of any size can examine their systems for security issues and, where necessary, take corrective action before they suffer a cyber-attack. Cyber Essentials certification helps organisations identify weaknesses in their defences and ensures cyber security delivers business benefits.
Cyber Essentials Certification
A Cyber Essentials certification body performs the audit (a technical assessment) around the five technical controls of Cyber Essentials:
- Boundary firewalls and internet gateways – Cyber Essentials requires that all computer systems linked to the internet be protected with a firewall, also known as the first line of defence.
- Secure configuration – Leaving systems at their default settings is attractive to any criminal who wants to gain unauthorised access to your data. A secure baseline for system configuration is key to resolving this issue and is covered under the Cyber Essentials scheme.
- Access control – You want to reduce the likelihood of threat actors stealing your information. Restricting access to systems on a need-only basis improves access control. If you are a crucial cog in the machine, for example, you will be able to administer systems, but an intern will only have access to the settings needed to do their job, not the highest level of permissions.
- Malware protection – The Cyber Essentials scheme covers this element to check whether adequate endpoint protection is in place. It helps protect your data from viruses, malware and other cyber threats to your organisation.
- Patch management – Each new software release typically fixes security flaws the developer has discovered since the last one. All of your devices must be kept up to date so that known vulnerabilities are resolved. During the Cyber Essentials Plus assessment, a vulnerability scan uncovers such weaknesses.
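To make the five control areas concrete, the following is an added example (not part of the original article and not Cyphere's or the scheme's own tooling) of a small self-assessment checker that evaluates a constructed host inventory against each control. The host names, the attributes recorded for each host, the 14-day patch window and the 7-day anti-malware signature age are all assumptions chosen for the example.

```python
"""Self-assessment checker for the five Cyber Essentials control areas.

Added example: the inventory below is constructed for illustration and the
thresholds are assumptions, not figures taken from the Cyber Essentials scheme.
"""
from __future__ import annotations

from dataclasses import dataclass

CONTROLS = (
    "firewall",
    "secure_configuration",
    "access_control",
    "malware_protection",
    "patch_management",
)

MAX_PATCH_AGE_DAYS = 14       # assumption: patches older than this are overdue
MAX_SIGNATURE_AGE_DAYS = 7    # assumption: anti-malware signatures older than this are stale


@dataclass
class Host:
    """One device as recorded in a (hypothetical) asset inventory."""
    name: str
    internet_facing: bool
    firewall_enabled: bool
    default_credentials: bool        # any account still using vendor defaults
    unused_services: list[str]       # listening services with no business need
    admin_accounts: list[str]
    daily_use_accounts: list[str]    # accounts used for email, browsing, etc.
    av_installed: bool
    av_signature_age_days: int
    oldest_missing_patch_days: int   # age of the oldest patch not yet applied


@dataclass
class Finding:
    host: str
    control: str
    detail: str


def assess_host(h: Host) -> list[Finding]:
    """Return one finding per gap against the five controls for a single host."""
    findings: list[Finding] = []
    # 1. Boundary firewalls: every internet-connected device needs one.
    if h.internet_facing and not h.firewall_enabled:
        findings.append(Finding(h.name, "firewall", "internet-facing host without a firewall"))
    # 2. Secure configuration: no default credentials, no unnecessary services.
    if h.default_credentials:
        findings.append(Finding(h.name, "secure_configuration", "default credentials still in use"))
    for svc in h.unused_services:
        findings.append(Finding(h.name, "secure_configuration", f"unnecessary service enabled: {svc}"))
    # 3. Access control: admin accounts must not double as everyday accounts.
    for acct in sorted(set(h.admin_accounts) & set(h.daily_use_accounts)):
        findings.append(Finding(h.name, "access_control", f"admin account used for everyday work: {acct}"))
    # 4. Malware protection: product present and signatures current.
    if not h.av_installed:
        findings.append(Finding(h.name, "malware_protection", "no anti-malware product installed"))
    elif h.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        findings.append(Finding(h.name, "malware_protection",
                                f"signatures {h.av_signature_age_days} days old"))
    # 5. Patch management: nothing outstanding beyond the agreed window.
    if h.oldest_missing_patch_days > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(h.name, "patch_management",
                                f"patch outstanding for {h.oldest_missing_patch_days} days"))
    return findings


def assess_inventory(hosts: list[Host]) -> dict[str, list[Finding]]:
    """Group findings across all hosts by control area."""
    report: dict[str, list[Finding]] = {c: [] for c in CONTROLS}
    for h in hosts:
        for f in assess_host(h):
            report[f.control].append(f)
    return report


def control_status(hosts: list[Host]) -> dict[str, str]:
    """PASS/FAIL per control: a single finding fails the control for the estate."""
    return {c: ("FAIL" if fs else "PASS") for c, fs in assess_inventory(hosts).items()}


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_HOSTS = [
    Host("web-01", True, False, True, ["telnet"], ["admin"], ["admin"], True, 2, 30),
    Host("laptop-07", True, True, False, [], ["it-admin"], ["carol"], True, 1, 5),
]

if __name__ == "__main__":
    for control, fs in assess_inventory(SAMPLE_HOSTS).items():
        print(f"{control}: {'PASS' if not fs else 'FAIL'}")
        for f in fs:
            print(f"  {f.host}: {f.detail}")
```

A single gap on any host fails the control for the whole estate, which mirrors how an assessor treats scope: the questionnaire asks whether the control is in place everywhere, not on average.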
What are the benefits of Cyber Essentials and Cyber Essentials Plus certifications?
If your business is looking to improve security measures using penetration testing, you may want to combine it with Cyber Essentials for a two-in-one benefit. The benefits of Cyber Essentials are tangible improvements to your defensive controls and a demonstration that you take the security of sensitive data seriously.
0. Sets the business case for cyber security
During our CREST penetration testing (or other technical security services) scoping exercises, we often ask questions such as ‘When was the last time you had an internal penetration test done?’, ‘What is your process for managing firewall security, endpoint security and the handling of sensitive data?’ and ‘What password controls and security policies are in place?’. Cyber Essentials Plus demonstrates your organisation’s proactive approach to cyber security. The certification process involves a third-party audit, meaning that your security controls are tested and verified to confirm your organisation is ready to face the most common threats. Basic Cyber Essentials certification is a self-assessment process, meaning an organisation must be prepared to address the areas mentioned above and verify it has such controls in place. This not only helps you pass the certification but also prepares you against cyber threats. Having the questionnaire signed by senior management means the company board takes responsibility for cyber risk. As a first step, it is important to uncover weaknesses so the business starts thinking about risk management proactively.
1. Cyber aware organisation
The Cyber Essentials designation is an accomplishment that demonstrates your dedication to safeguarding your own data and the data of your clients and customers. Taking proactive measures to protect your sensitive data against cyber attacks adds to the reputation of your business.
2. Win more business
Public sector contracts, such as working with the UK government and MoD, require Cyber Essentials certification as a must-have when you bid. Many private-sector organisations follow the same principle; therefore, having Cyber Essentials supports your objective of providing a safe and secure digital environment.
3. Protect your organisation
Firewalls, secure configuration, user access control, anti-malware software and patch management are the five technical protections employed in this scheme. These steps help a business to be compliant with Cyber Essentials. When implemented securely, these controls help an organisation defend against common cyber attacks. Cyber Essentials Plus helps you implement recognised, industry best-practice cyber security controls and procedures. Internal security is a critical element, and Cyber Essentials Plus makes it a central part of the certification process.
4. GDPR compliance and privacy
The GDPR (General Data Protection Regulation) requires businesses to protect the personal information of EU citizens against data theft and unauthorised access. If an organisation is found to breach GDPR provisions, fines run up to 4% of global turnover. GDPR covers a lot more than the five control areas of Cyber Essentials. However, the Cyber Essentials scheme assists businesses in preventing such situations by preparing them for GDPR compliance. By auditing internal infrastructure, you find the gaps in your information security at the technical, functional and organisational levels. These gaps are then treated with risk management methods to improve your defensive controls, including data privacy.
5. Reduce future insurance premiums
A Cyber Essentials Plus certification indicates that you take security controls beyond the basics to reduce cyber risk. By demonstrating that ‘reasonable steps’ are taken to minimise risk in your business, i.e. achieving Cyber Essentials Plus, your insurance company may factor this into your premium costs.
6. Demonstrate data security commitment
As a Cyber Essentials compliant business, you demonstrate to your supply chain and customers that you take data security seriously. Your suppliers must be aware of your security measures and ensure that all guidelines are followed to help protect the supply chain. With Cyber Essentials Plus, organisations usually start with specific technical initiatives that build a proactive cyber security approach: tackling cyber threats before they arise, reducing their impact, limiting the spread of an infection in case of an incident and preventing known attacks.
7. Free cyber insurance
Complying with the scheme might earn you free cyber insurance cover, which may save you up to £25,000. This applies to businesses with under £20 million turnover and domiciled in the UK. The Cyber Security Breaches Survey 2021 identified that about 40% of businesses and 25% of charities suffered data security breaches or attacks last year. https://thecyphere.com/blog/cyber-security-statistics/ Threat actors are constantly finding new ways to attack computers and networks. There is no single permanent solution that will ensure your devices are 100% secure at all times, but taking the right precautions can help prevent hackers from accessing your systems.
Conclusion
Cybercrime is a big threat to small and medium enterprises. Cyber Essentials is a scheme that helps SMEs reduce cyber risk through sound cyber security practices without any additional investment in new technology. SMEs need to close their gaps and improve cyber hygiene with Cyber Essentials. Cyber Essentials Plus is an extended certification programme focusing on in-depth, effective security controls, offering supply chain protection and a way to demonstrate that data security is taken seriously. Interested in becoming Cyber Essentials certified? Get in touch to discuss your concerns and requirements.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.