What Is Cyber Essentials?
Cyber Essentials is a basic yet effective government-backed programme that will help you be aware of cyber threats and help protect your business against these threats.
You could think of Cyber Essentials like any kind of quality assurance accreditation, a bit like ISO 9001 and ISO 27001. Having gone through the Cyber Essentials process ourselves, we can explain how it works from the point of view of a business owner.
Cyber Essentials is like an MOT for a car. Most garages will not actually assess the MOT status of your car. They will send it to a qualified assessor who will check that it meets the MOT criteria.
It's the same for Cyber Essentials.
We, as an IT company, will do all the infrastructure work and all the cyber security work in order to get you to a compliant state. But it's not up to us to assess our own work. We want to put that to a third party and you as a business owner should also want to get checked by a third party so there is no bias involved.
Cyber Essentials Requirements
So, we understand that Cyber Essentials is probably a good way to get your foot on the ladder of becoming cyber secure as a business. But what does the programme actually entail? Well, the first thing you need to know is that it's self-paced and self-completed.
There is a more advanced version of Cyber Essentials called Cyber Essentials Plus, and for that one you have to engage with cyber security professionals who are IASME qualified.
But as Cyber Essentials is the most likely starting point for most businesses, we will focus on it for now and look at how you work through it.
The first thing you see is a standard set of 80 questions, which cover five main areas:
- Using a firewall to keep your internet connection secure
- Choosing the most secure settings for your devices and software, customising rather than using the device defaults
- Controlling who has access to data, including limiting administrator access and keeping permissions to a minimum
- Putting virus and malware protection in place
- Keeping devices and software up to date
One of the areas you will be asked about is home workers, right down to what the home workers are actually using to connect to the Internet. Any device that is a computer, a smartphone or a tablet that's within the corporate environment, or within the office environment, needs to be logged on this questionnaire.
Some of the other questions you'll get asked are pretty technical. If that's not your area of expertise you will need to engage with somebody who understands the technical side.
That might be somebody internally who knows about IT, your IT department, your managed services and security provider or your IT company. You can ask them to help you complete the questions that you are not sure about.
Cyber Essentials Accreditation
Once you've filled out the questionnaire, you then send it to the assessors to check. Where they find that you're not compliant, they will make a recommendation. They might advise you that you won't pass if you don't upgrade your operating system, for example.
Now these assessors are qualified through a consortium called IASME. You therefore know, as a business, that you are going to be audited and accredited by somebody who is not only knowledgeable, but also independent, to verify that you are compliant or cyber secure.
Cyber Security Insurance
Once you've completed your Cyber Essentials questionnaire and you've passed the assessment, IASME will provide you with £25,000 worth of cyber security insurance.
It's a great benefit if you don't have any kind of cyber security insurance already in place. But, be aware that if you already have cyber security insurance in place, or you need a more comprehensive policy, then you can't claim on two policies. You can only use one or the other.
So if you've already got cyber security insurance then this isn't of any advantage to you. But if you don't have it, then great. It covers you for £25,000 worth of cyber security liabilities.
By achieving the standard, you will be able to reassure your customers that you take cyber security seriously. You'll also get listed in an online directory of companies that have been successfully awarded the Cyber Essentials accreditation.
And, who knows, you may even attract new business because potential customers see that you're taking cyber security within your business seriously.
Preparation For Cyber Essentials Assessment
Before you get going on your accreditation journey, it's wise to download the Cyber Essentials self-assessment preparation booklet or use the Cyber Essentials readiness toolkit. Both help you understand where you currently are in your cyber security journey, how secure you are, and how far you have to go. A lot of it might not really land with you, and that's when you have to engage with your managed services and security provider or your IT department to ask them how to get the information required to determine whether you're actually adhering to the criteria.
All in all, even if you were just to go through the process and get an understanding of the requirements and just implement some of the policies, it would be better than doing nothing.
There are no prerequisites to getting started with Cyber Essentials. You can download the questionnaire for free from the IASME website and start filling it out. When you get stuck, that's when you start to engage with your IT professionals, your IT company or your managed services provider.
Between you as a business owner and your IT professionals, you should be able to go through and answer all 80 of those questions.
However, if you're unsure about where you want to go in your cyber security journey, then the best thing is to get in touch with IASME. They're independent, they provide the assessment for all the cyber security assessors and they'll give you unbiased information about what's out there in terms of getting your business cyber secure or re-affirming how cyber secure your business is.
If you want to have the peace of mind that your business is secure, then I highly recommend making a start and downloading the Cyber Essentials questionnaire, looking through it and perhaps then engaging with a professional organisation to take you through the accreditation journey.
And who knows, you might feel that that's not enough and you can opt for Cyber Essentials Plus, but that's another topic.