Alan Hunt: 4 min read

Cyber Essentials: What is it and why it is an essential stamp?

Without the essentials in life, we are like a wall without foundations, shaky and uncertain, prone to falling over. With nearly a million malware threats per day, cyber-security is an essential requirement for any organisation and cannot be an afterthought. Without the basics, you will be left vulnerable.

Cyber Essentials covers these basics. Some businesses, such as banks or hospitals, may find that extra protection is required, but without the basics, the advanced enhancements cannot flourish. Basic protection such as that which is set out in the Cyber Essentials scheme is essential. It means that all organisations are operating from the same framework and basic intrusions can be kept at bay.

The Cyber Essentials accreditation was launched in 2014, developed by the Government to provide a universal framework for all organisations. It provides a base level that businesses of all sizes can adhere to, ensuring confidence when working with other organisations. Partnership working is key and the Cyber Essentials accreditation was designed as a badge of honour to show that you were committed to cyber-security.

In addition to providing confidence externally, it also provides an additional level of confidence internally, as managers can feel safe in the knowledge that a best practice framework exists in the organisation. The accreditation has been developed on the basis that bringing organisations to the table with the same basic level of security processes will reduce risk and increase confidence.

It is a strategy that has paid off, with more than 200 organisations implementing the framework in its first few years of operation. The more advanced version of the framework, Cyber Essentials Plus, has also seen impressive uptake. Roughly one in four accredited Cyber Essentials organisations also adopted the additional certification.

Ten Steps to Cyber-security

Taking into account the rise of mobile devices and the need to protect businesses from common cyber threats in the 21st century, GCHQ launched the Ten Steps to Cyber-security document. The document was originally launched in 2012 to help businesses understand the cyber environment and acknowledge the damage that can occur from an attack. It was updated in 2014 and then again in 2016 to take into account the continually changing landscape within cyber-security.

In 2014 the number of mobile devices overtook the number of human beings.

The Department for Business, Innovation and Skills (BIS) 2014 Information Security Breaches Survey reported that 81% of large organisations had experienced a security breach of some sort. The estimated cost to each organisation was, on average, between £600,000 and £1.5 million. These figures have naturally increased in the last few years.

The Cyber Essentials accreditation has emerged from these steps, which are:

1. Risk management regime

2. Secure configuration

3. Home and mobile working 

4. Incident Management 

5. Malware prevention 

6. Managing user privileges 

7. Monitoring 

8. Network security

9. Removable media controls

10. User education and awareness 

You can read the updated version of the ten steps document here.

Cyber Essentials Plus

The basic Cyber Essentials framework offers a successful best practice solution for organisations, with the more advanced version offering independent testing. The additional testing is undertaken by an external certifying body, such as OLM, using a range of tools and techniques. During this process, the independent organisation will attempt to access the system to test the robustness of the organisation’s procedures.

Why is this important?

This shows potential clients that you are adhering to the accreditation and that your system has been rigorously tested by experts in the field. You have been deemed robust enough for certification. The basic certificate is completed by the organisation itself and will remain untested until a threat arrives. This additional level of certification could prove to be that extra spark that gets you the contract.

Why should we invest in Cyber Essentials?

It conveys to other organisations that you are serious about your clients and their security. While it is not a “Magic Bullet” and does not remove all risk associated with cyber-security, it does remove everyday risks that can be easily avoided. It provides a cost-effective, basic level of protection that defines what cyber-security is and why it is important. It provides a framework that can be adopted by the entire organisation. It is a best practice example and one that would be beneficial to organisations of any size.

More advanced attacks are much harder to defend against. Cyber Essentials will not provide the protection that is required to defend against these intrusions into your system, but it hasn’t been designed that way. To roll out a certification that included prevention against all types of cyber-attack would be a monumental undertaking and not a cost-effective one. What Cyber Essentials does well is that it treats businesses of all sizes the same. It provides them with a level playing field, with additional measures to be invested in if the business feels that they are appropriate.

For these types of attacks, you need to look into managed security services.

A new approach to cyber security – Managed Security Services

Many organisations struggle to maintain the skills and the tools to ensure their organisation's cyber protection. Managed Security Services are managed cyber-security services that sit behind the scenes guarding organisations against attack. They are not a limited product such as a simple virus scanner. They actively share intelligence with other like-minded services from around the world. By sharing threats and coming up with solutions together you can get ahead of the trends and fend off attacks whilst you sleep.

Cyber Essentials helps you to get your organisation to the basic level of protection and then Managed Security Services can sit on top of it. Managed Security helps to re-energise defences and prevent attacks before they arrive. It forms an additional layer of defence but may not be suitable for everyone. The first port of call for every organisation should be to ensure that they are Cyber Essentials certified.

As an organisation, our mission is to take the complexity out of people's lives through innovation in software and services. Our ECLIPSE platform is the personification of this goal, containing solutions to case management, multi-agency working practices, finance and more. It is a one of a kind platform that enables unique efficiency gains, providing more time for practitioners to spend with the most vulnerable.

Cyber-security considerations form a major part of our ECLIPSE Software and Services Platform. Our ECLIPSE Security and Governance team assists local authorities, healthcare providers, care providers, private sector clients and education providers with their security postures. We believe in cyber-security and the essential part it has to play in keeping the private information of those who are cared for safe.

Conclusion

Cyber Essentials should form the initial foundations of your organisation as they provide a universal framework from which you can be confident of moving forward. For partner organisations, they are an accreditation that showcases that you are serious about data protection and the management of online security.

By having the accreditation you are showcasing to the world that you are serious about cyber-security and by testing it through the Cyber Essentials Plus certification you are ensuring that your defences are up to scratch and that every part of your organisation is ready. We are Cyber Essentials Plus certified and we also help organisations to reach this level too.

You can, of course, take your protection to the next level with Managed Security Services, as Central Bedfordshire Council, London Borough of Bexley and Buckingham County Council have successfully done.

Going through the Cyber Essentials Plus process and gaining accreditation shows the world you are serious about your information governance and cyber security. It is a standard all buyers should be looking for before they purchase from an organisation.