Is 2020 the year to get your firm Cyber Essentials certified?

15 Jun 2020 Lumina Technologies

With the world turning to remote working and using the virtual space for video meetings, the use of platforms such as Zoom, Skype and House Party has never been so high. But with stories of meeting bombing and the use of offensive content by hackers, it’s little wonder that Zoom is now reported to be bringing in more rigorous security measures to ensure its users are protected. This highlights once again the importance of cyber security for all organisations, large and small, across the globe. It has never been so important to put measures in place to minimise the threat and consequences of a cyber attack.

Cyber Essentials, a cyber security framework created by the Government-backed National Cyber Security Centre (NCSC), is designed to do precisely that: help to protect your business against hackers and allow you to demonstrate that, by adhering to five basic security controls, you have done all you can to mitigate the risks involved. It is widely promoted that any organisation with IT equipment should certify, because doing so ensures a base level of IT security is in place. Once certified, you will also be able to display the Cyber Essentials logo badge on your website to show that you take cyber security seriously and are putting measures in place to keep your clients and their data safe.

Cyber Essentials has gone through a significant change this year. Until recently, there were five certifying bodies that had the authority to grant Cyber Essentials certification. As of 1st April 2020, the IASME Consortium (IASME) is the only Cyber Essentials accreditation partner and will handle all applications for the next five years.

Completed by self-assessment questionnaire, Cyber Essentials is a valid certification for all companies looking to improve their security measures, and a good starting place for cyber security. Whilst the certification has been criticised as a box-ticking exercise, if your firm ensures compliance with the requirements you will be able to sleep at night knowing you are better prepared for the fight against cyber crime. Additionally, it is now necessary to recertify every year: an organisation certified as compliant more than one year ago is essentially no longer certified and will have to reapply this year, because the validity of the certificate diminishes over time as changes may have been introduced to your systems.

There are two Cyber Essentials levels available, according to the needs of your business. Both require completion of the same self-assessment questionnaire; the Plus scheme adds an additional assessment on top.

Standard Cyber Essentials

Standard CE is designed to be easily accessible and has simple to follow guidelines. It aims to provide protection against most eventualities associated with cyber attacks and is recommended for all companies looking to protect the integrity of the data that they handle.

Cyber Essentials Plus

CE Plus is a higher-grade level where an external vulnerability scan is conducted and a consultant is sent onto the premises to carry out a technical audit and validate the machines. Of course, if there are greater risks in your organisation, you may need to go even further and put more security measures in place, which will incur further cost.

Whichever level you choose, in order to become CE certified, you will need to ensure that you take measures to satisfy the five basic security controls:

  • Install a firewall to secure the internet connection at your office or premises
  • Configure secure settings on all of your machines and devices
  • Have strong measures in place for access control within your organisation
  • Install robust antivirus software on all machines and systems
  • Ensure software patches are regularly installed and up to date

The NCSC says that, once certified, CE will protect against 80% of cyber attacks. Hackers are not specifically targeting businesses and don’t care if you’re a one-man band or a large corporate. They are mostly automated bots searching for weaknesses and vulnerabilities and ways to access sensitive information.

Security protocols for accountancy and legal firms will need to be especially robust and include CE certification, because of the large amount of sensitive information they handle on a daily basis, which they can’t afford to leave vulnerable and accessible to all. Additionally, any company tendering for government supplier status will need to be CE compliant as standard.

At Lumina Technologies, we encourage all businesses to undertake the Cyber Essentials assessment. Please contact us for more information on how to choose the correct level of certification for your company.
