According to the latest Cyber Security Breaches Survey, the Cyber Essentials scheme is not widely known amongst small and medium sized organisations in the UK. Today I'd like to talk about why this scheme may deserve your attention. This is not going to be about the scheme itself or its technical controls; if you want to learn more, the Cyber Essentials website is a good place to start.
For now I'll introduce the scheme in a few words only: Cyber Essentials is part of the UK Government's National Cyber Security Strategy, aimed primarily at SMEs, and it offers a low cost, achievable and relatively simple way for businesses to protect themselves from the most common online threats. Certification is mandatory only for suppliers bidding for certain central government contracts (those that involve handling sensitive or personal information); it is a procurement requirement rather than a legal obligation. If your organisation does not fall into that category I think you should still consider the scheme. Let me tell you why...
Get the basics right
I still remember when I took my first karate lessons, a long, long time ago, and my sensei told me: "If you want to do it properly you need to start with the basics". I was very excited and fascinated by all the action movies I saw on TV back in the 90s, and I thought that on my first karate lesson I was going to do all those magical moves, flying kicks, roundhouse kicks and so on... Needless to say, I learned shortly afterwards that skipping the basics and trying the more advanced stuff very often ended up in bruises and injuries, so there were no shortcuts: I had to learn the basics first...
When it comes to information security the same applies. I'm sure you have visibility of your security threats and issues and might even know a cost effective way to remediate some of them; if you don't, you should, because that is actually amongst the first steps. A security standard or scheme can give you a guiding hand and a good starting point, with a structured approach not just to identifying your risks but to prioritising them. The Cyber Essentials scheme gives you five controls to work with (firewalls, secure configuration, user access control, malware protection and patch management), whereas other standards and frameworks are a good deal heavier than that... yes, I'm looking at you ISO/IEC 27001/27002, PCI DSS, CIS and so on :) Start small and get the basics right.
Can I trust you?
This question usually marks the dramatic moment in a romantic movie when the couple fall out over something, only to make amends later, or the other way around. The context here is slightly different, and even if you don't agree with me now, please bear with me on this one. As I mentioned previously, security breaches and cyber in general are a hot topic for a reason. When you look for a third party service provider or review your suppliers, do you evaluate their security? Are you concerned about how their security (or lack of it) may impact your business? How can those suppliers give you assurance that they take security seriously?
What about your customers? Have your customers asked about security in your organisation? Data breaches are more and more common these days and have become part of our lives. A security certification such as Cyber Essentials can go a long way in building customer trust, company brand and recognition. I know what you are thinking: a certification does not automatically mean you are protected, and it definitely doesn't mean you are secure. It shows that the five controls were in place at the time of assessment and nothing more; the basic level is a self-assessment questionnaire, and only Cyber Essentials Plus adds independent, hands-on testing of those controls.
Everybody likes low(er) cyber insurance premiums
If you haven't heard about cyber security insurance products, in general they are a way to support and protect your business in the event of a data breach or cyber attack. The survey I mentioned previously concluded that nearly half of organisations had identified a breach or an attack in the last 12 months. I almost immediately thought, "what about the other half? Are they on top of their security game, or did they simply not know they had issues to begin with?" Well, I think you know the answer to that one...
Even if you think you are in good shape you should consider cyber security insurance. With Cyber Essentials or Cyber Essentials Plus you can demonstrate that you have a structured approach to reducing certain types of cyber risk to your organisation. This should have a positive impact on the insurance quote or help reduce your premiums. By the way, there are other ways to reduce certain types of cyber insurance premium. Do you have a business continuity and disaster recovery plan? Are you confident in those plans? If your answer is YES to both questions you are in better shape than almost 60% of SME organisations in the UK. If your answer is NO, disaster recovery on public cloud such as AWS is a great use case with which to start your cloud journey.
Stand out from the crowd
This is an easy one. According to the survey, awareness of the Cyber Essentials scheme is low, so there is a good chance your competitors may not have it either (yet). If they already have it, you had better keep up. A good product is even better with a certification as a differentiator, and it could also help improve your bottom line.
It's not as easy as it looks...
I don't know about you, but when it comes to any security certification, it is a bit like running five miles... or eight kilometres if you use the metric system like other reasonable people do :). At the beginning it looks easy, you are enthusiastic and you think this is going to be an easy ride... but as you go you realise it's not as easy as it first seemed, it takes a lot longer, and halfway through you wish you hadn't started in the first place :) Infosec expertise can help you along the way and make sure your Cyber Essentials and Cyber Essentials Plus certification actually improves the security health of your organisation.