Cyber Essentials is aligned with the primary objective of the UK Government’s National Cyber Security Strategy, which is to make the UK a safer place to conduct business online by building a resilient and secure cyberspace.
It was launched on 5 June 2014 with the aim of helping organisations of all sizes measure their defences against common forms of cyber-attacks. Cyber Essentials was developed in conjunction GCHQ and offers a sound foundation of basic hygiene measures, identifying some fundamental sound technical security controls that an organisation needs to have in place and can potentially build on to help defend against cyber threats.
The Security Circle recommend organisations adhere to the guidance given in the Cyber Essentials Scheme, which is suitable for organisations of all sizes. Accreditation should also be an ongoing requirement of the supply chain, forming a reasonable part of any organisational security process.
Businesses, public and private sector organisations and other institutions hold personal data, provide services and operate systems in the digital domain. The connectivity of this information has revolutionised every aspect of the way organisations operate. But with this technological transformation comes the responsibility to safeguard the assets which organisations hold, maintain the services they provide and incorporate the appropriate level of security into the products they sell. Consumers and society at large expect businesses and institutions to take all reasonable steps to protect their personal data and build resilience - the ability to withstand and recover - into the systems and structures on which they depend. Businesses and organisations must also understand that, if they are the victim of a cyber attack, they are liable for the consequences. These liabilities are due to increase considerably when the new GDPR (The General Data Protection Regulation of the EU) comes in effect in 2018.
The level at which the Government views the importance of cyber security is clear; since October 2014, the UK government has required all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme.
The Scottish Government has a similar arrangement for certain contracts but has also widened out Cyber Essentials as a soft requirement on many more tenders: although not mandatory, firms can gain a higher score by being accredited. As of January 2016, The Scottish Investment Bank announced that firms without Cyber Essentials Accreditation would no longer be able to
The certification is available in two stages, Cyber Essentials (Stage 1) and Cyber Essentials Plus (Stage 2). Both levels of award are assessed against the Cyber Essentials requirements; however Cyber Essentials Plus gives a higher level of assurance as a number of onsite tests are carried out. The scheme covers five key areas:
Boundary firewalls & internet gateways
Access control & administrative privilege management
The vast majority of cyber attacks use relatively simple methods to exploit basic vulnerabilities in software and computer systems. There are tools and techniques openly available on the internet which allow even low-skill actors to exploit these vulnerabilities. Properly implementing the Cyber Essentials scheme will protect against the vast majority of common internet threats.
Please contact us for information about becoming Cyber Essentials Certified