Interview

Cyber Essentials

Cybersecurity

Cyber Essentials is a Government-backed and industry-supported scheme to guide businesses in protecting themselves against common cyber threats. Here Rob May, Managing Director of Surrey-based IT reseller ramsac, provides their take on why channels should become involved in the certification process.

The main objective of the Cyber Essentials assessment is to show that your organisation has effectively implemented the controls required by the Scheme, in order to defend against the most common and unsophisticated forms of cyber-attack.

Cybercrime is a worldwide issue that affects all organisations, of all sizes and in all sectors. It is vital all organisations focus on basic cyber hygiene, to ensure they are better protected from the most common cyber threats. The Cyber Essentials Scheme has been developed as part of the UK’s National Cyber Security Programme and in close consultation with industry.

Comms Business Magazine (CBM): What are the benefits of getting Cyber Essentials certification?

Rob May (RM): In addition to the obvious benefit of reducing the chances of a cyber-attack (and the UK government has said implementing the Cyber Essentials 5 security controls could prevent around 80% of cyber-attacks!), Cyber Essentials is also an easy way for a business to show their customers, suppliers, prospects and partners that their data is adequately protected and that they take cyber security seriously. The assessment for Cyber Essentials will lead to improved controls which will reduce the impact of attacks or breaches and in turn improve GDPR compliance. Finally, it will help your organisation win business, as in many cases, this ‘badge’ is becoming a prerequisite in bidding for new contracts, particularly in the public sector.

CBM: How likely is a cyber-attack on any given organisation?

RM: Unfortunately, a cyber-attack (or attempted cyber-attack) is extremely likely. In fact, according to the FBI, there are two types of business: those that have suffered a data breach and those that don’t know they have! The thinking used to be that you quickly became aware of cyber-attacks, but in reality we really don’t know most of the time when a breach happens. What we do know is that every business is a target and if you’re not aware of a breach yet, it is only a matter of time.

CBM: How does Cyber Essentials help GDPR compliance?

RM: GDPR is the buzzword of 2018. For anyone who hasn’t heard of GDPR, it stands for General Data Protection Regulations; it came into force in the UK from May 2018. It will change the way all UK companies store and manage their business and personal data, including employee data, with the intent of strengthening and unifying data protection for all individuals. Organisations have worked hard to become GDPR compliant, but compliance didn’t stop on the 25th May; it is a journey not a destination, and organisations need to work continuously to ensure their data processes are secure and compliant. Cyber Essentials helps organisations protect sensitive data by ensuring they implement solid security measures, which by default helps with GDPR compliance. Cyber Essentials certification is done annually, which will ensure organisations keep working on their cyber good practices, and as a result, their GDPR compliance. Cyber Essentials isn’t the answer to GDPR, but it’s certainly a very large part of the jigsaw!

CBM: What’s involved in Cyber Essentials certification?

RM: There are two levels of certification that can be achieved: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials requires the organisation, with help from a practitioner, to complete a self-assessment questionnaire, with responses independently reviewed by an external certifying body. Cyber Essentials Plus covers the same requirements as Cyber Essentials, but tests of the systems are carried out by an external certifying body, using a range of tools and techniques.

CBM: Where is ramsac helping their customers?

RM: ramsac have trained Cyber Essentials practitioners that can be brought in to undertake a gap analysis of where customer networks and general IT practices sit against the standard for Cyber Essentials certification. The result of the visit will be a gap report that will help organisations to understand what they may need to do before applying for certification, and of course, assistance with helping you get there as quickly as possible!