Why SMEs Are Becoming Cyber Essentials Plus Accredited
By Paul Colwell, CTO for CyberGuard Technologies
Cyber security is an ever-hotter topic in today’s business world, as brand perception and supply chain integrity join regulatory pressures to argue the case for maintaining best digital security practices in all enterprises, especially SMEs.
A vital foundation for SMEs in terms of cyber security protection is to ensure that government cybersecurity guidelines are in place. Cyber Essentials (level 1) is the entry point for all organisations, of all sizes, and in all sectors, and has been mandated for organisations handling personal information and providing certain ICT products and services to central government contracts, as well as health and telecoms sectors.
It is also worth considering that future market access or a close business supplier relationship with a ‘mandated’ sector will also require a business to carry the Cyber Essentials Plus (level 2) accreditation, so if expansion is on the cards now is the time to prepare.
Cyber Essentials is a government-backed, industry-supported scheme which launched in June 2014. It aims to help all organisations protect themselves against cyberattacks. When an organisation is fully compliant, they will receive a certificate to show stakeholders and customers that they have the necessary safety measures in place to reduce the risk of a cyber-attack. Cyber Essentials is a quality standard in many industries, and a necessity for businesses looking to win certain government contracts.
Cyber Essentials Plus – a valuable framework
According to the Cyber Security Breaches Survey 2018, 42% of SMEs had experienced at least one cyber-attack in the past year and are at a higher risk of data breaches when compared to large organisations.
Against this backdrop, while the basic Cyber Essentials accreditation can reduce the risk of becoming a victim of cybercrime, the Cyber Essentials Plus certification delivers additional peace of mind and business benefits. The level 2 certification builds on the self-assessed Cyber Essentials, by having an accredited third-party test that anti-cybercrime measures have been implemented correctly. The benefits of gaining the level 2 certification are significant, offering a higher level of assurance as well as a visible compliance logo that can be displayed at key company collateral, from online to tender responses.
Cyber Essentials Plus is ideal for SMEs that operate in a supply chain environment or are consumer-facing. Although traditionally the supply chain terminology is applied to manufacturing or similar logistics-based business structures, today most digital firms have some supply chain exposure, often without recognising it, such as serving third-party ads on a website, for example.
A recent nationwide survey undertaken by CyberGuard Technologies found that 81% of businesses wanted to reassure their customers that they were taking a proactive approach to cyber security, and this was the reason why they invested in the Cyber Essentials certification. The same survey highlighted that 84% of businesses found that having the Cyber Essentials Plus accreditation made it easier for them to win contracts.
Cyber Essentials Plus – the process
A key decision for SMEs engaging with the Cyber Essentials framework is whether the increased visibility and trust of the Plus certification will be valuable in a particular vertical or niche. A Cyber Essentials certificate is not required to apply for Cyber Essentials Plus, although implementing the basic controls and systems are of course a vital part of the process.
Organisations will need to recertify once a year, a simple process that is based on vulnerability testing of the system(s), both externally and internally. This penetration (pen) testing not only enables certification, but also provides a better understanding of an organisation’s cyber risk levels. The process of preparing for the assessment will also provide clear visibility of internal cyber security processes and protocols, as well as demonstrating internally the importance of adhering closely to those best practices.
Cyber Essentials Plus – the breakdown
There are essentially five simple steps in the Cyber Essentials Framework, which will prepare an organisation for Cyber Essentials Plus:
1. Implement a firewall to secure the internet connection
This can vary from Windows and MacOS-based software firewalls for the smallest SME, through to dedicated hardware configurations in a small office environment. Some standard routers incorporate this feature, so it’s worth checking with your ISP.
2. Ensure the most secure settings are enabled for devices and software
Much of this is best practice for any size of organisation, such as changing default passwords, removing services and software that are not in use and deploying two-factor authentication for banking and IT services.
3. Protect from viruses
Windows and Macs have built-in antivirus packages, or there are many commercial options to choose from. These offer some protection from malware and viruses and should be enabled by default.
4. Enable auto-updates
Ensure that all devices have the very latest software versions running. Manufacturers will regularly issue updates that patch the latest known vulnerabilities, which must be installed before hackers take advantage.
5. Control access
The idea here is to minimise potential damage by restricting powerful ‘admin’ accounts to the minimum possible, and only providing everyday user accounts with the core privileges and software they need. In addition, locking devices down to only use official software sources (such as Google Play or the Apple App Store) can also prevent unwanted incidents.
Next steps
To gain a Cyber Essentials Plus accreditation, SMEs can engage a security testing provider that is recognised by an externally accredited governing body, such as CREST. At CyberGuard Technologies we have helped many SMEs gain their Cyber Essentials Plus accreditation – through our work, we confirm that an SME is adhering to a set of cyber security requirements outlined by Cyber Essentials Plus requirements. This is done by simulated phishing attacks and basic hacking procedures and assisting SME’s to pass a technical audit.
For more information, please visit: www.cg-tech.co.uk