Cyber Essentials – the cyber security starting point for all small and medium businesses
All organisations with an Internet presence are at equal risk from automated cyber attacks, but not all organisations have equal resources to deal with them.
Although smaller businesses face the same threats as their larger counterparts, many lack the security posture and incident response plans necessary to defend against, and react to, attack.
This actually ends up costing them more.
According to Ponemon Institute’s 2015 Cost of Cyber Crime Study: United Kingdom, the cost of cyber crime has increased 14% year-on-year to an annualised average of €4.1 million per UK business. One of the major factors affecting this cost is the size of the organisation, with smaller organisations incurring “a significantly higher per capita cost than larger organisations.”
PwC’s 2015 Information Security Breaches Survey found that 74% of smaller organisations have suffered a security breach, up from 60% in 2014.
Every SME wants to prevent the expense, disruption and reputational damage that a cyber attack will cause, but many are daunted by the prospect of implementing enterprise-wide cyber security controls.
Smaller businesses needn’t put themselves at risk, though: addressing the majority of cyber security threats is actually relatively straightforward, even if your organisation lacks technical expertise.
Most data breaches are caused by companies failing to implement basic security measures. The government’s Cyber Essentials scheme sets out the means of doing this.
The business benefits of implementing Cyber Essentials
The Cyber Essentials scheme provides five security controls, which, according to the government, could prevent “around 80% of cyber attacks”.
Whether or not you achieve certification to the scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus instead on your core business objectives.
Properly implemented cyber security has the additional advantage of driving business efficiency throughout the organisation, saving money and improving productivity.
Cyber Essentials certification also reduces insurance premiums. A government report in March 2015 (UK Cyber Security: The role of insurance in managing and mitigating the risk) found that the majority of insurers believe “that Cyber Essentials would provide a valuable signal of reduced risk when underwriting cyber insurance for SMEs, allowing them to use a reduced question set and informing their decisions to underwrite”, and that “participating insurers operating in the SME insurance sector have agreed to build reference to the Cyber Essentials standard into their cyber insurance applications, and will look to simplify the application where accreditation has been achieved by the applicant.”
Implement these five Cyber Essentials controls to help your business stay secure:
- Secure configuration
By ensuring your computers and network devices are configured properly, you can identify systems or databases that you no longer need or use. You will have the opportunity to reduce your overall storage and bandwidth consumption, as well as reducing the level of inherent security vulnerabilities.
- Boundary firewalls and Internet gateways
Using boundary firewalls to monitor traffic to your server(s) enables you to better understand and manage your bandwidth requirements, potentially allowing you to renegotiate your hosting costs, as well as blocking attackers and external threats.
- Access control and administrative privilege management
Managing access control and administrative privileges reduces the opportunity for staff to install time-wasting software onto their computers, as well as removing the insider threat.
- Patch management
Keeping on top of software patching and licensing makes your company more productive, as well as more secure. Patches often improve the performance of the products they apply to, and remove issues that slow down employees, such as crashes and poor performance caused by congested networks.
- Malware protection
Implementing appropriate malware protection has its obvious security advantages, but an often overlooked hidden benefit is the time and cost savings that result from avoiding devices being out of action.
Cyber Essentials for SMEs
If you’d like to know more about how Cyber Essentials can help you improve business efficiency throughout your organisation, download this free guide.
The benefits of Cyber Essentials certification
Having implemented the Cyber Essentials controls, the next step is to apply for certification. You don’t have to do this, of course, but having got this far there seems little point in not capitalising on your new security controls.
A Cyber Essentials or Cyber Essentials Plus badge will enhance your business’s reputation and open up new commercial opportunities by proving to your customers that you take the security of their information seriously and are taking the necessary steps to reduce cyber risks.
If you supply larger organisations that want to manage their third-party risks, the independent verification of your security posture provided by certification demonstrates that you won’t put the supply chain at risk.
If you want to apply for government contracts you’ll need Cyber Essentials certification too. The UK Government now requires “suppliers of most contracts and services to hold a Cyber Essentials certificate.”
Cyber Essentials implementation
Whatever your organisation’s cyber security budget or level of technical expertise, implementing the scheme’s five controls is well within your reach.
As digital minister Ed Vaizey said in November 2015: “I’d like to see all businesses operating online adopt Cyber Essentials. Cyber Essentials isn’t just for the large prime firms – it also helps them to manage their third party risks, which is why we have made the scheme suitable for smaller businesses, including those who are part of larger supply chains.”
IT Governance’s fixed-price Cyber Essentials implementation packages have been put together to suit every budget and preferred project approach.