Cyber-attacks are making the news headlines almost daily. We are constantly hearing about major businesses that have been crippled by things like hacking and ransomware. The victims of such attacks are finding themselves out of pocket and with their reputations in tatters. Those responsible for finance or IT are spending sleepless nights worried about the impact that a cyber security breach could have on their organisation.
The impact of a cyber-attack on an organisation is also about to get more serious. With GDPR looming, organisations find themselves concerned not only with the impact of an actual attack but also with the legal implications in its aftermath. After 25th May 2018, organisations that suffer a data breach will be liable for fines of up to 4% of their global turnover or €20 million, whichever is greater. The fines will be based upon the severity of the data breach and what steps the organisation has taken to protect the personal data it is responsible for.
A lot of small businesses don’t know where to start when it comes to making sure their cyber security is up to scratch or being GDPR compliant. One way to get started is with the government Cyber Essentials scheme. In this blog, we thought we would explain how Cyber Essentials works and what it could do for your business.
What is Cyber Essentials?
Cyber Essentials is a government-endorsed standard that ensures you are taking the precautions needed to protect your business against a cyber-attack. The aim of the Cyber Essentials badge is not only to make sure your business has adequate cyber security but also to show your customers that you take the responsibility of holding their data seriously. You are no longer able to bid for government contracts without a Cyber Essentials badge. It is also supported by the Information Commissioner’s Office, making it a good step towards ensuring GDPR compliance.
What do you have to do to get Cyber Essentials?
There are two different avenues for this badge: you can go for either Cyber Essentials or Cyber Essentials Plus. Cyber Essentials requires the completion of a questionnaire, which you can do yourself. You will be asked a series of questions and your responses will be reviewed independently by an external certifying body. It’s important to note that you will want to be in a position to pass Cyber Essentials before you complete the questionnaire, so you may need to do some remedial work beforehand.
Cyber Essentials Plus is the next level of the standard. It includes the same questionnaire as Cyber Essentials, and you must then also go through testing by an external certifying body, which will use a range of tools and techniques.
How much does Cyber Essentials cost?
The basic Cyber Essentials standard will cost you only £300 a year, and after you submit your questionnaire you can become certified within 3 days. Again, remember that you want to pass Cyber Essentials. While it may only cost £300 to be certified, it may cost you a bit more to enable your business to pass. It’s a bit like getting a qualification: you must pay for the exam, but you should also pay for your tuition to make sure you can answer the questions correctly. If you do need to do any remedial work, this should never be seen as something you just have to pay for to get a badge. At the end of the day, the point of Cyber Essentials is to make sure you are doing what you need to do to protect your business. It might be a lot cheaper to do the remedial work than to lose business down the line because your business’ IT systems are down.
If you pass Cyber Essentials and your turnover is less than £20 million you will also get automatic Cyber Insurance cover with a limit of £25,000 in case you do experience an issue. The insurance will be able to cover you for any legal and forensic work that needs to be carried out as well as things like data restoration and PR assistance.
What questions are asked in Cyber Essentials?
The Cyber Essentials questionnaire asks around 60 questions about your business and the security controls that you have in place. You will first be asked questions specifically about your business, such as the number of employees. You will then be asked about the security you have in place: the firewalls on your personal computers, passwords, software applications and administrative access. The full list of requirements needed to pass Cyber Essentials can be found on the National Cyber Security Centre’s website.
Should your business complete Cyber Essentials?
We believe that Cyber Essentials is a good step towards showing that you are taking your cyber security seriously. The scheme is backed by the ICO and is therefore a good start on your GDPR compliance journey. As a small business, if you pass Cyber Essentials we are confident that you are doing all the right things to protect your business in the current security climate.
If you have found this blog interesting or want to ask us any further questions, please do get in touch on 01675 469020 or by emailing us at firstname.lastname@example.org. We would love to hear from you.