Cyber Essentials is a UK government information assurance scheme, now operated by the National Cyber Security Centre (NCSC), that sets out a baseline of technical controls for defending against the most common internet-borne attacks. In the space of a few years it has become a widely recognised certification. Unlike heavier-weight standards such as ISO/IEC 27001, Cyber Essentials is not a full information security management system: it is a deliberately small, prescriptive baseline that any organisation can adopt, which is why it is particularly popular with small businesses that lack dedicated security staff. Cyber Essentials is a step in the right direction and should be encouraged. But it is not enough. Here is why.
Cyber Essentials by numbers
The Cyber Essentials scheme was launched in June 2014 by the UK government, originally with CESG (the information security arm of GCHQ) and later under the NCSC when that body was formed in 2016. It did not replace the older CHECK scheme: CHECK is a separate NCSC scheme that approves companies to carry out penetration tests of government and critical systems, and it is still running. At the time of writing, this page reports that more than 37 500 organisations hold Cyber Essentials certification and that 326 certification bodies are recognised to conduct certification under the scheme.
What does Cyber Essentials mean?
Cyber Essentials is a set of five basic technical controls that an organisation must have in place across its in-scope devices, networks and cloud services. The controls are chosen to stop the commodity attacks that make up the bulk of real-world compromises (phishing that delivers malware, exploitation of unpatched software, password guessing against exposed services), not to address targeted attacks or the full range of risks a data protection impact assessment would consider. The scheme has two levels: Cyber Essentials, which is a self-assessment questionnaire reviewed by a certification body, and Cyber Essentials Plus, which adds independent technical testing, including vulnerability scanning of the in-scope systems. The requirements have been revised several times since launch to keep pace with changes such as remote working and the move to cloud services.
Your chances of being a victim of a cyber attack
In its Q1 2018 threat report, Trend Micro presented data from the fourth quarter of 2017. According to that report, the supply chain was the most frequently cited issue in web security (40.9 percent), followed by software flaws or vulnerabilities (36.3 percent) and web browsers (32.7 percent); the figures overlap because more than one issue can apply to the same incident. Simply put, the internet continues to be an insecure place and is routinely used in ways its creators did not intend.
What are the risks involved?
The potential cost of not having even these basic controls in place is large. Breaches cost a business dearly in time, money and reputation. For example, in 2015 a data breach at a US company resulted in the employment records of 21 000 current and former employees being published on the internet.
A ransomware attack at a US hospital caused the cancellation of 600 appointments. A group calling itself the Shadow Brokers published hacking tools and classified documents taken from the US National Security Agency. None of these incidents required a sophisticated adversary to start: an unpatched service, a phishing email or a reused password is usually enough.
What do the standards entail?
There are five Cyber Essentials technical controls:
- Firewalls. Every in-scope device must sit behind a correctly configured boundary firewall or run a host-based firewall, with inbound connections denied by default and administrative interfaces not exposed to the internet.
- Secure configuration. Default passwords must be changed, unnecessary software, services and user accounts removed, and auto-run of removable media disabled, so that systems present the smallest practical attack surface.
- User access control. Accounts must be unique to individuals, granted only the privileges the role needs, removed promptly when no longer required, and administrative accounts used only for administrative tasks. Current versions of the requirements also call for multi-factor authentication on cloud service accounts where the service supports it.
- Malware protection. Every in-scope device must run anti-malware software that is kept up to date, or be restricted to an allow-list of approved applications.
- Security update management. All software must be licensed and supported, automatic updates enabled where available, and security updates rated critical or high-risk applied within 14 days of release.
Notably absent from this list are staff training, incident response, logging and monitoring, backups and encryption of data at rest. The scheme does not assess any of them, which is the heart of the argument that it is a starting point rather than a finish line.
What benefits does Cyber Essentials provide?
The government provides a non-exhaustive list of the potential benefits of certification, including the following.
- Protection against common attacks. Implemented properly, the five controls close off the routes that most opportunistic, untargeted attacks depend on.
- A clear picture of your baseline. The self-assessment forces an organisation to enumerate its devices, accounts and software and to state whether each control is actually in place.
- Customer and supplier assurance. The certificate is a recognisable signal to customers and partners that basic security hygiene is in place, and it is increasingly requested in supply-chain due diligence.
- Compliance. Since October 2014, certain central government contracts, in particular those involving the handling of personal information or the provision of some ICT products and services, have required suppliers to hold Cyber Essentials.
- Insurance. At the time of writing, smaller UK organisations that certify are offered a limited cyber liability insurance policy as part of certification.
What the list does not include is equally telling: Cyber Essentials says nothing about how an organisation detects an intrusion, responds to one, trains its people or recovers its data. Those are the gaps a business has to fill itself once the certificate is on the wall.