Talk to any security specialist and you’re guaranteed to be asked about Cyber Essentials. “Are you certified, do you plan to be and if not, why?”
Cyber Essentials – a security resiliency scheme from the National Cyber Security Centre (NCSC) – is one of today’s cybersecurity fundamentals. It’s held in the same high regard as vital defence measures like anti-malware, firewalls and email security.
Yet up to 94% of UK businesses still need certification. Node4 wants as many as possible to benefit from Cyber Essentials – which is genuinely game-changing – and we will work with an IASME certified assessor to help you achieve it.
Here, we clarify what Cyber Essentials is, outline the outcomes you can expect and bust some common myths you might have heard.
- What is Cyber Essentials?
- What are the benefits of Cyber Essentials?
- Busting the big Cyber Essentials myths
WHAT IS CYBER ESSENTIALS?
Cyber Essentials offers organisations a simple and affordable way to tackle worsening cybersecurity threats and digitalise with confidence.
An organisation (rather than individual users or products) achieves Cyber Essentials certification by assessing itself against basic security controls designed to stop Internet-borne attacks, which are then independently verified. There are two levels of certification – Cyber Essentials and Cyber Essentials Plus, with the latter involving a technical audit.
With so many security vulnerabilities stemming from fragile processes and human error, the controls mandated by Cyber Essentials are a tangible way to make a real difference. The scheme controls cover five areas, which are:
- Software updates
- Malware protection
- Access controls
- Secure configuration
DISCOVER MORE ABOUT CYBER ESSENTIALS
Node4 hosts Security Synopsis, our monthly webinar detailing an aspect of the ever-evolving world of security. Our Security Practice Director Andy Bates hosts each session and welcomes a special guest to help us keep our clients up to date on the latest security trends.
Learn all about Cyber Essentials in our on-demand video, featuring Chris Ensor, the NCSC’s Deputy Director for Cyber Growth.
WHAT ARE THE BENEFITS OF CYBER ESSENTIALS?
Cyber Essentials has several advantages, but we see clients benefit almost immediately in three ways: resiliency, confidence and competitiveness.
NCSC research finds that organisations can prevent up to 80% of cyberattacks through improved cyber hygiene, which comes with Cyber Essentials certification. Those odds are even more impressive when you consider the affordability of Cyber Essentials compared to technologies with lower success rates.
But why is Cyber Essentials – a relatively basic security defence – so remarkably effective? Because it’s focused on the Internet-borne threats most likely to target users.
The material covered in Cyber Essentials carefully considers a cybercriminal’s mindset and inroads. As a result, getting certified bolsters resiliency against the day’s most prevalent and disruptive threats – like phishing, ransomware, password compromise and network attacks.
It’s widely accepted that falling victim to commercial cybercrime isn’t a matter of if, but when. We all see the news stories and rising numbers and worry that before long, it’ll be our turn to deal with the fallout of a successful attack.
Many business leaders want to restore their confidence in digital transformation, modernising without the fear of cybercrime slamming on the brakes.
Cyber Essentials helps you assess and control your cyber risk, regardless of how many employees you have or where they work. A recent NCSC survey found that 93% of certified organisations are confident that they are protected against Internet-based cyberattacks thanks to enhanced resiliency and understanding.
COMPETE FOR OPPORTUNITIES
Reputation is important when choosing a provider – and today, that includes a public commitment to protecting customer integrity. By becoming Cyber Essentials certified, an organisation offers reassurance that they care about and actively mitigate security risk.
For some, substandard cybersecurity is an instant dealbreaker. The UK Government, Ministry of Defence and a growing number of public sector organisations that manage sensitive information will only work with you if you hold a Cyber Essentials or Cyber Essentials Plus certification.
It would be a shame for any business to unnecessarily miss out on an opportunity. And although it’s not an easy process, a supportive certification provider can help you achieve Cyber Essentials certification in a responsible timeframe – so you can compete in any space you wish.
BUSTING THE BIG CYBER ESSENTIALS MYTHS
Despite being budget-friendly and backed by impressive data, only 6% of eligible organisations are Cyber Essentials certified. That may be due to lingering misunderstandings, such as these four big myths:
MYTH 1: I HAVE ISO 27001, SO I DON’T NEED CYBER ESSENTIALS
The two focus on different areas. ISO 27001 is interested in information risk management, whereas Cyber Essentials is interested in processes that manage Internet-borne risks. One is not more important than the other, and ISO 27001 organisations can and still do get attacked.
MYTH 2: SERVICES SHOULD BE PROVIDED AS CYBER ESSENTIALS CERTIFIED
A product itself can’t be Cyber Essentials certified. When an organisation works with a client to provide them with a service – such as a cloud environment – the provider and client have different responsibilities. For example, it’s the client who is responsible for setting and managing access controls, which is one of the elements covered by Cyber Essentials.
MYTH 3: MY ENTIRE ORGANISATION NEEDS CERTIFYING
In most situations, the certification will apply to the whole organisation but that’s not always the case. For example, if an organisation has divided systems and only one area of the organisation is responsible for processing MOD data, then only that system and its associated processes need Cyber Essentials to be compliant. This may vary depending on procurement requirements.
MYTH 4: I CAN’T GET CERTIFIED WITH UNSUPPORTED LEGACY IT
Cyber Essentials is focused on Internet-borne risks – meaning if your unsupported legacy infrastructure doesn’t “touch” the Internet, it’s outside of the risk scope. That said, legacy technology is an unparalleled cybersecurity risk, and every effort should be made to upgrade it, or to segment it if upgrading is not viable.
HOW CAN WE HELP?
If you want to join the tens of thousands of organisations that have become Cyber Essentials certified, don’t hesitate to contact Node4. Ask to speak to one of our cybersecurity experts at email@example.com or 0345 123 2229. To hear more about the value and intent of Cyber Essentials from a senior representative of NCSC, you can watch our Cyber Essentials webinar on-demand here.