Cyber Essentials is an annually renewable baseline cyber security scheme. It centres around five technical controls that help protect any organisation from the most common cyber attacks. The scheme is backed by the UK government and is part of the UK’s National Cyber Security Programme. Here are some of the key benefits of obtaining Cyber Essentials certification:
Protect your organisation against most common internet attacks
Cyber Essentials has been proven to reduce an organisation’s vulnerability to common cyber attacks (including ransomware). Research from insurers shows that organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance than those without.
Demonstrate commitment to cyber security
Reputation is a valuable asset and customers are increasingly demanding evidence of a trusted, secure service provider for their sensitive data. Businesses need to show that they are taking cyber security seriously. By achieving Cyber Essentials certification, an organisation can publicly demonstrate its commitment to cyber security and this can help to build trust with customers, suppliers, and stakeholders.
Bid for contracts that mandate Cyber Essentials
Cyber Essentials is now widely recognised as an industry standard and is frequently asked for when applying for contracts, funding and grants. Most UK government contracts require suppliers to have Cyber Essentials certification and many of the UK’s largest banks have recently pledged to incorporate Cyber Essentials into their supplier requirements.
Insurance incentives
Some insurance companies offer incentives such as lower premiums to businesses that have achieved Cyber Essentials certification, as it indicates a lower risk profile.
Additionally, if your firm is UK-domiciled with an annual turnover of less than £20m and you achieve Cyber Essentials certification covering your entire organisation, you will be able to opt in to the included cyber insurance.
Increasing the UK’s cyber resilience
The majority of cyber attacks rely on techniques and vulnerabilities that are well known. The Cyber Essentials technical controls are designed around the knowledge and capability needed to defend against these. The mass adoption of Cyber Essentials by organisations of all sizes is at the forefront of the UK’s national cyber resilience.
Compliance and Data Protection
Cyber Essentials can help organisations comply with regulations such as the Data Protection Act 2018 by ensuring that personal data is protected against unauthorised access and cyber threats.
Education and Awareness
No matter who is looking after the technology, cyber security remains the risk and the responsibility of the senior management within an organisation. The process of obtaining the certification educates people about cyber security, creating a more informed workforce that is better equipped to recognise and prevent cyber threats. Small steps that are inexpensive and simple can become embedded into an organisation’s everyday working practices, and this will develop a security-conscious culture. Many firms say that working towards the certification acts as a useful checklist to ensure they have not overlooked anything, and describe the process as highly educational.
According to Pye Tait Consulting’s Cyber Essentials Scheme Impact Evaluation, commissioned by the Department of Science, Innovation and Technology (DSIT), there is greater risk awareness among those organisations with Cyber Essentials, fuelling a heightened sense of concern about the potential threats around them.
Supply Chain Security
Even if an organisation has strong cyber security basics in place, cyber criminals can try to find their way into a system through the weakest link in the chain. Organisations are only as safe as the security of their trusted partners and suppliers. Business-to-business assurance is now vital to winning new business within a supply chain, with more contracts mandating cyber security. To simplify this process, many contracts simply mandate a recognised security certification. Cyber Essentials certification provides a tangible way for organisations to gain confidence that their suppliers, or other third parties, have effectively implemented fundamental technical controls.
Organisations using Cyber Essentials within their supply chain risk management processes report increased efficiency and cost savings in the due diligence process. Requiring evidence of standardised minimum expectations reduces the time spent assessing suppliers. It is also helpful for the suppliers themselves, especially SMEs, who benefit from clear, tangible expectations rather than responding to long, complex and duplicate questionnaires.
One of the UK’s largest pensions and life companies, St. James’s Place, asked its partnership network of over 2,800 independent businesses to certify to Cyber Essentials Plus.
“In such a large supply chain, this had its challenges, but the decision is already showing a positive impact. Security incident numbers have significantly reduced… we have seen around 80% reduction in cyber security incidents, which directly correlates to controls and best practice implemented through Cyber Essentials.”
Matthew Smith, Divisional Director of Cyber Security, St. James’s Place.
The Cyber Security and Resilience Bill, expected to be introduced to Parliament this year, will update the country’s cyber security laws to protect supply chains. It is expected that prime contractors in various critical sectors will introduce strict cyber security requirements into their supply chain which in turn will trickle cyber security standards down to organisations in other sectors and parts of the economy.
Continuous improvement
Cyber Essentials certification requires annual renewal. This encourages organisations to regularly review and improve their cyber security measures.
As a baseline scheme, Cyber Essentials is a solid foundation, yet it is just the start of the cyber security journey. As an organisation matures, more comprehensive cyber security strategies can be introduced, which should importantly include creating and exercising an incident response plan.