Last Updated on 9th October 2020 by Toby Bell
Cyber-attacks make the news headlines almost daily. We constantly hear about major businesses that have been crippled by hacking and ransomware, and the victims of such attacks find themselves out of pocket and with their reputations in tatters. Those responsible for finance or IT are losing sleep over the impact a cyber security breach could have on their organisation.
The impact of a cyber-attack on an organisation is also about to get more serious. With GDPR looming, organisations are concerned not only with the direct impact of an attack but also with the legal consequences in its aftermath. From 25th May 2018, an organisation that suffers a personal data breach can face fines of up to 4% of its global annual turnover or €20 million, whichever is greater. The level of any fine depends on the severity of the breach and on the steps the organisation had taken to protect the personal data it is responsible for.
A lot of small businesses don’t know where to start when it comes to making sure their cyber security is up to scratch or being GDPR compliant. One way to get started is with the government Cyber Essentials scheme. In this blog, we thought we would explain how Cyber Essentials works and what it could do for your business.
What is Cyber Essentials?
Cyber Essentials is a government-backed standard, run by the National Cyber Security Centre (NCSC), that checks you have the basic precautions in place to protect your business against the most common cyber-attacks. The aim of the Cyber Essentials badge is not only to make sure your business has adequate baseline security but also to show your customers that you take the responsibility of holding their data seriously. Cyber Essentials certification is also a condition of bidding for many central government contracts, in particular those that involve handling personal information or supplying certain ICT products and services. It is supported by the Information Commissioner's Office, making it a good step towards GDPR compliance.
What do you have to do to get Cyber Essentials?
There are two levels of the badge: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials requires the completion of a self-assessment questionnaire, which you fill in yourself. You are asked a series of questions, and your answers are reviewed independently by an external certifying body. It's important to note that you want to be in a position to pass before you submit the questionnaire, so you may need to do some remedial work beforehand.
Cyber Essentials Plus is the next level of the standard. It includes the same questionnaire as Cyber Essentials, after which the external certifying body also carries out hands-on technical testing of your systems, using a range of tools and techniques, to verify that the controls you have declared are actually in place.
How much does Cyber Essentials cost?
The basic Cyber Essentials standard costs only £300 a year, and once you have submitted your questionnaire you can be certified within three days. Again, remember that you want to pass Cyber Essentials. While certification itself may only cost £300, getting your business into a state where it can pass may cost a bit more. It's a bit like getting a qualification: you pay for the exam, but you should also pay for tuition to make sure you can answer the questions correctly. Any remedial work needed should never be seen as something you simply have to pay for to get a badge. At the end of the day, the point of Cyber Essentials is to make sure you are doing what you need to do to protect your business, and it is likely to be far cheaper to do the remedial work now than to lose business later because your IT systems are down.
If you pass Cyber Essentials and your turnover is less than £20 million, you also get automatic cyber insurance cover with a limit of £25,000 in case you do experience an incident. The insurance contributes towards legal and forensic costs as well as things like data restoration and PR assistance, subject to the policy's terms.
What questions are asked in Cyber Essentials?
The Cyber Essentials questionnaire asks around 60 questions about your business and the security controls you have in place. Some questions are about the business itself, such as your number of employees and the scope of the systems being certified. The rest cover the five technical control areas of the scheme: firewalls (both boundary firewalls and the personal firewalls on your computers), secure configuration (including passwords and removing unneeded software and services), user access control (including who has administrative access), malware protection, and patch management. The full list of requirements needed to pass Cyber Essentials can be found on the National Cyber Security Centre's website.
Should your business complete Cyber Essentials?
We believe that Cyber Essentials is a good step towards showing you take your cyber security seriously. The scheme is backed by the ICO and is therefore a good start on your GDPR compliance journey. As a small business, if you pass Cyber Essentials you can be confident that you have the baseline controls in place that defend against the bulk of the commodity attacks seen in the current security climate.
Cyber Essentials for small businesses
What cyber essentials does a small business need? Here are the elements a small business needs to get started with its IT security and to protect its business and data.
- Firewall: A firewall is the network security control that protects your perimeter. It filters the traffic coming into and going out of your network according to rules you set, so that only the services you intend to expose are reachable from the internet and malware has fewer ways in. You need a supported, up-to-date firewall with a default-deny inbound policy, and the personal firewall on each computer should be switched on as well.
- Anti-Virus: Anti-virus software scans your PCs for malicious code and removes it. It's important to invest in a business-grade product that is centrally managed and updates its signatures automatically; a free consumer product gives you no central visibility of which machines are protected or infected.
- Anti-Spam: Spam is dangerous because it carries phishing emails that contain malicious links or attachments, or that ask for your sensitive information or money. An anti-spam solution filters out most of these emails before they reach staff, making your inbox a safer space to work in.
- Patch Management: Updating your software regularly is critical to your security. Software vendors release updates to fix security flaws, and attackers routinely exploit flaws for which a fix is already available. You need processes in place to ensure you are always running supported, up-to-date software; Cyber Essentials specifically requires updates that fix critical or high-risk vulnerabilities to be installed within 14 days of release, and software the vendor no longer supports to be removed.
- Backup and Disaster Recovery: A backup and disaster recovery plan is your insurance policy if something goes wrong. Having access to backups of your data keeps downtime to a minimum and lets you get back to normal operations quickly. Keep at least one copy of your backups offline or otherwise separate from your network, because ransomware will try to encrypt any backups it can reach, and test that you can actually restore from them.
- IT Policy: We always recommend having an easy-to-understand IT policy in place for your staff. If you give people pages and pages to read, the likelihood is that they will not look at it. We recommend a clear and concise IT policy that is easily accessible to your staff.
- End user education: In our opinion, end user education is the most important thing any business can do to protect itself and its assets. Making sure your staff know what they need to do to stay safe online, and in particular how to recognise and report phishing, is one of the most effective forms of protection you can have.
If you have found this blog interesting or want to ask us any further questions, please do get in touch by phone on 01675 469020 or by email. We would love to hear from you.