Make Cyber Essentials Plus a key objective for 2023

Richard Brown, CEO, Melius Cyber

With cybercrime an ever-increasing threat to business, Richard Brown, chief executive at Newcastle-based Melius Cyber, says it is vital firms put investment in online security at the top of their new year to-do list.

Most businesses invest in technology out of necessity, rather than to seek growth or innovation.

And many do so reluctantly, often solving a problem that could have been avoided with planned investment. 

The same is true of cybersecurity: businesses play Russian roulette under the impression that it won’t happen to them.

But while 39 per cent of UK businesses reported a cyberattack during 2022, the levels of prevention and response remain surprisingly low.

The security of your business and its data is only as strong as the weakest link in your IT infrastructure.

In recognition of this, the Government backed a cybersecurity certification scheme, known as Cyber Essentials/Cyber Essentials Plus.

This is a simple, but effective, scheme that helps organisations protect themselves from a range of the most common cyberattacks.

The scheme is designed to be achievable regardless of organisation size and structure.

While awareness of Cyber Essentials is growing, a recent Government survey states only 16 per cent of respondents were aware of the scheme. 

With Government suppliers now required to be certified, uptake has increased and IASME not too long ago announced the issuance of its 100,000th certificate as companies seek public sector contracts from lower credit risk clients. 

Compliance is not just confined to Government procurement, though.

Latest data shows 27 per cent of medium-sized firms and 44 per cent of large firms are now screening the cyber risk posed by their supply chains, with Cyber Essentials Plus seen as the benchmark to offset risk. 

Additionally, a number of industry bodies, including the Law Society, now recommend members gain certification.

The above scenarios are exactly why Cyber Essentials and Cyber Essentials Plus were designed: to provide a cost-effective way of ensuring the key pillars of cyber hygiene are addressed in an organisation.

The basic Cyber Essentials certification is a self-assessment option that gives protection against a wide variety of the most common cyberattacks.

This is important, because vulnerability to simple attacks can mark you out as a target for more in-depth, unwanted attention from cyber criminals.

Certification gives you peace of mind that your defences will protect against the vast majority of common cyberattacks, simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

Organisations assess themselves against five basic security controls, and a qualified assessor verifies the information provided.

Cyber Essentials Plus is a higher level of assurance, which involves completing the online assessment and then a technical audit of the systems that are in-scope for Cyber Essentials.

This audit includes a representative set of user devices, all internet gateways and all servers with services accessible to unauthenticated internet users.

Your assessor will test a random sample of these systems (typically around ten per cent) and then make a decision whether further testing is required.

While the costs vary according to the size and complexity of the IT estate, testing fees for Cyber Essentials range from £300 to £500, and from £1500 for Cyber Essentials Plus.

These fees exclude the work involved in preparing for the audit, but in general, when compared to penetration testing and other solutions, they represent real value for a business, particularly when achieving certification can open up new opportunities or secure valuable long-term customers.

When considering the average cost of a cyberattack to UK SME businesses is £11,000, the cost of certification appears good value.

In addition, there are ongoing annual savings, as SME-certified companies were 60 per cent less likely to make a claim on cyber insurance, thus reducing premiums and claims experience.

Finally, Cyber Essentials can highlight inefficiencies in your IT security and allow surplus products and services to be cancelled or streamlined – so the investment can certainly yield dividends.

Both qualifications last for 12 months, and it is worth noting your business will need to be tested annually.

The implementation costs of Cyber Essentials and Cyber Essentials Plus can be reduced by adopting a solution which provides 24/7 penetration testing and monitoring of your infrastructure.

This will provide up-to-date scanning against the latest known threats, and will highlight areas of vulnerability at the earliest point, enabling immediate remedial work to eliminate the threat.

Using this type of service ensures businesses are fully in control of the cybersecurity across their infrastructure, and are fully aware of potential vulnerabilities and the severity/impact they could have.

This also makes re-certification to schemes like Cyber Essentials Plus quicker to achieve without the exercise being labour-intensive or costly – ensuring a fixed known cost annually.

The message is clear: don’t think cyber solutions cost the earth and are a drain on your budgets – there are cost-effective solutions out there, aimed at businesses of all sizes.

At Melius Cyber, we specialise in helping businesses and professional services firms achieve Cyber Essentials and Cyber Essentials Plus, using our remote monitoring tools to assist in achieving certification and continuously monitor your business throughout the year.

If you would like to discuss your cybersecurity, and learn more about how Cyber Essentials can help your business, please get in touch.
