Cyber Essentials – Is it really essential?


If you’re reading this, you’ve likely heard the term “Cyber Essentials”. Of course, hearing a term in your busy day is not the same as fully understanding it and thus, gauging whether or not your organisation needs it. This blog, then, might just represent a good use of your time. Most of Nemark’s blogs are around 1300 words, give or take, which is (on average) a 6-minute read. So, read on and decide for yourself!

For the uninitiated

“Cyber Essentials” is a UK Government-backed scheme (run by the National Cyber Security Centre, the NCSC) designed to help businesses of all sizes put in place a baseline of technical controls against the most common cyber attacks. The official scheme site, which goes into far more detail than this blog, can be found here:-

https://www.cyberessentials.ncsc.gov.uk/

If you decided to read through the above, though, you’d burn far more than your 6 minutes! Nemark likes to keep its promises, so keep going here first, with a view to visiting that site later if you think it might be helpful!

Cyber Essentials, and the process of becoming Cyber Essentials compliant, forces you to consider the following five areas (the scheme calls them its five technical controls) as they pertain to your business and its security. We also include a totally non-exhaustive explanation of each point, to provide background and context. We are proud to be a no nonsense IT Support provider.

1) Internet Connection

This takes into account the state of your firewall (the part of your network boundary that only lets through the traffic you have explicitly allowed, so that services on your internal Network are not exposed to the internet by default). Other considerations here would include VPNs (Virtual Private Networks), Dial-In security and any remote administration interfaces that are reachable from outside, etc.

2) Device and Software settings

Think passwords (minimum length, protection against brute-force guessing, and changing a password promptly when it is known or suspected to be compromised; note that current NCSC guidance favours these measures over forcing everyone to change passwords on a timer) as well as the implementation of 2FA (2-Factor Authentication), which requires, for example, users to enter a secondary code along with their password, received via SMS or a dedicated Authenticator app on a Smartphone. An Authenticator app is the stronger of the two, since SMS codes can be intercepted or redirected. This area also covers removing unused accounts and software, disabling auto-logon and changing default passwords on devices.

3) Control of Data

Thinking about “who has access to what”. Who are your Admins, and do they use separate, non-admin accounts for day-to-day work such as email and browsing? What are your policies for external access? What controls apply to third parties? Controls on removable media such as USB sticks. Drive encryption, so that a stolen laptop does not also mean stolen data.

4) Viruses and Malware

This is the go-to thought when people are asked about Cyber Security. It’s a very wide topic area and covers things like email security (links, attachments, anti-phishing protection), file protection (ransomware, which encrypts your files and demands payment for the key) and browser protection (malware delivered through websites and downloads).

5) Software Updates

Policies and a culture of keeping all business software up to date. The scheme expects updates that fix critical or high-severity vulnerabilities to be installed within 14 days of release, and software that no longer receives updates from its vendor to be removed. A deeper dive is already covered in a separate Nemark Blog entitled “Windows Blog – Don’t hate on Update!” which focuses on Windows Update, but the concepts and business reasoning for updating are not confined to just the Operating System – they’re applicable to all installed applications, firewalls, routers and any other device on the Network.
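The five areas above can each be sanity-checked on a single Windows machine before anyone fills in a questionnaire. The script below is an added example written for this blog; it is not an official Cyber Essentials tool and passing it does not mean you are compliant. It assumes Windows 10 or 11 with Windows PowerShell 5.1, run from an elevated prompt (BitLocker and Defender queries need it), and the thresholds it uses (at most two local administrators, signatures under 7 days old, a hotfix within 14 days) are our own placeholders for a reviewer to adjust. The Get-HotFix check is only an approximation of update compliance, since it does not see every kind of update.

```powershell
# Added readiness check for the five Cyber Essentials control areas (illustrative, not an official tool).
# Assumes Windows 10/11, Windows PowerShell 5.1, elevated prompt. Thresholds below are assumptions.

function New-Finding {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-FirewallControl {
    # Control 1: every firewall profile enabled and not allowing inbound traffic by default.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        New-Finding 'Firewall' "Profile $($p.Name)" $ok "Enabled=$($p.Enabled) Inbound=$($p.DefaultInboundAction)"
    }
}

function Test-SecureConfigControl {
    # Control 2: no enabled accounts without a password, no auto-logon, Guest disabled.
    $noPw = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })
    $detail = if ($noPw.Count) { $noPw.Name -join ', ' } else { 'none' }
    New-Finding 'Secure configuration' 'Enabled accounts without password' ($noPw.Count -eq 0) $detail
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-Finding 'Secure configuration' 'AutoAdminLogon disabled' ($winlogon.AutoAdminLogon -ne '1') "AutoAdminLogon=$($winlogon.AutoAdminLogon)"
    $guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }   # RID 501 = built-in Guest
    New-Finding 'Secure configuration' 'Guest account disabled' (-not ($guest -and $guest.Enabled)) "Guest enabled=$($guest.Enabled)"
}

function Test-AccessControl {
    # Control 3: who holds local admin rights (placeholder threshold: 2), and is the system drive encrypted.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    New-Finding 'User access control' 'Local Administrators (review list)' ($admins.Count -le 2) ($admins -join ', ')
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        New-Finding 'User access control' 'System drive encrypted' ($bl.ProtectionStatus -eq 'On') "ProtectionStatus=$($bl.ProtectionStatus)"
    } catch {
        New-Finding 'User access control' 'System drive encrypted' $false "BitLocker query failed: $($_.Exception.Message)"
    }
}

function Test-MalwareControl {
    # Control 4: Defender real-time protection on and signatures fresh (placeholder: under 7 days).
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        New-Finding 'Malware protection' 'Real-time protection enabled' ([bool]$mp.RealTimeProtectionEnabled) "AntivirusEnabled=$($mp.AntivirusEnabled)"
        New-Finding 'Malware protection' 'Signatures under 7 days old' ($mp.AntivirusSignatureAge -lt 7) "Age=$($mp.AntivirusSignatureAge) days"
    } catch {
        New-Finding 'Malware protection' 'Defender status' $false "Get-MpComputerStatus failed (third-party AV in use?): $($_.Exception.Message)"
    }
}

function Test-UpdateControl {
    # Control 5: most recent installed hotfix within the 14-day window the scheme expects for critical/high fixes.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $ageDays = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { [int]::MaxValue }
    New-Finding 'Security update management' 'Hotfix installed within 14 days' ($ageDays -le 14) "Last: $($last.HotFixID) on $($last.InstalledOn)"
}

function Invoke-CeReadinessCheck {
    $findings = @(Test-FirewallControl; Test-SecureConfigControl; Test-AccessControl; Test-MalwareControl; Test-UpdateControl)
    $findings | Format-Table Control, Check, Pass, Detail -AutoSize | Out-Host
    $failed = @($findings | Where-Object { -not $_.Pass }).Count
    Write-Host "$failed of $($findings.Count) checks need attention before self-assessment."
}

Invoke-CeReadinessCheck
```

Run it on a handful of representative machines rather than just one; the questionnaire asks about every in-scope device, and the differences between a freshly built laptop and the one in the back office are usually where the surprises are.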

Sounds like just a buzzword, no?

We get it. The IT Industry has a long history of “fashion trends” with various phrases over the years coming into (and going out of) vogue. Slightly older readers may recall the global excitement associated with the term “Information Superhighway”, aka. “The Internet”. What a fantastical concept that was! Many people found it difficult to wrap their heads around it!

Then there was the whole drama of “Y2K” – not exactly the global meltdown that many pundits predicted would occur at midnight on December 31, 1999, was it?

So, what’s the difference with this one? Why is “Cyber Essentials” different? In short, it isn’t different at all. But that’s okay! It’s not the label (or “Umbrella Term”) that needs to be focused on here but rather, the ethos or culture of security awareness that Cyber Essentials seeks to promote and represent. In the same way that “Information Superhighway” helped us think about the Internet, Cyber Essentials seeks to help us think about Security.

For the reasons above, then, it doesn’t really matter if, in 10 years’ time, the term “Cyber Essentials” has itself been confined to the history books. The concept of respecting the building blocks of business security, in whatever form these blocks take, will endure for the foreseeable future. Cyber Essentials simply encapsulates this in a more easily digestible, adoptable form and in that sense, its relevance is current and will continue to be.

Given the above, it doesn’t actually matter if it’s a buzzword, the next Big Thing, or the flavour of the month; its underpinnings are what counts, and the benefits it brings can be real and significant:

1) Reputational: Being a cyber victim is not good PR
2) Commercial: Being accredited is good for business
3) Productivity: Secure Networks suffer less downtime than insecure ones, and they can be restored more quickly on the few occasions that the security is breached. After all, nothing is unbreakable, so reading our other blog “How to Disaster-Proof your IT” would also be a good idea.

Do I need it?

The short answer is the usual one; “It depends”. You might need it if your firm operates in a sector (such as legal, accounting etc.) where the presiding body insists upon it for membership, or if you supply UK central government, which has required Cyber Essentials of suppliers on contracts involving certain sensitive information since 2014. If this is the case then there is a strong commercial incentive for doing so, as it not only creates a genuinely productive, security-conscious ethos but of course, opens the door to reputational credibility within the organisation’s market sector.

That’s not the full answer though. What about those organisations that are not required to have Cyber Essentials accreditation? Well, it may well still be highly advantageous to have it, as it would create a separation between your firm, and those without. Call it a Cyber-version of the old phrase “The haves and the have nots” – which faction would you like your organisation to be a member of?

Can I Self-Certify?

Yes. If you have the time, you can go through the self-certification route, which would mean purchasing the self-assessment questionnaire from a licensed Accreditor and then working through the various questions, correcting any items within your security provision as you go. Your answers are then reviewed by an assessor before the certificate is issued. (There is also a higher level, “Cyber Essentials Plus”, where an assessor independently tests your systems rather than taking your answers on trust.)

The questions themselves are not necessarily hard to understand as they’re written in clear language, but arriving at the answers means undertaking a process of investigation (which devices are in scope, who has admin rights, what is actually exposed to the internet) that many respondents, especially those from a non-technical background, might find a little daunting.
A side effect of this process, too, is that additional work may be required in order to properly achieve compliance. At this point, unless you are fully conversant with IT Security, you may be best advised to seek our assistance!

Assistance with Cyber Essentials

If you believe that Cyber Essentials is the right next step for your business, but you don’t feel that Accreditation can be achieved through in-house means alone, then a great way to move forward would be with Nemark by your side. Our Cyber Essentials team has helped numerous clients with the following key issues pertaining to compliance;

1) Understanding the Compliance Pack questions and their applicability to the client organisation
2) Addressing any compliance issues
3) Completing the Compliance Questionnaire
4) Liaising with the licensed Accreditor to finalise the application and get Certification status

The only question that might leave you scratching your head is which office wall you put the Certificate on!

The actual cost of this will be dependent on how far away your Network currently is relative to the desired security standards but we can work with you on this so that there are no nasty surprises; every step will be taken in the spirit of transparency and flexibility. It’s not for nothing that most of our Cyber Essentials clients also become IT Support clients! Please, Contact Us to begin your journey to compliance, and perhaps win business that would otherwise be awarded to a member of “the haves”.