Being able to demonstrate your organisation has stringent cyber security in place is increasingly becoming a requirement for customers, partners, funding bodies, procurement lists, government contracts, insurance policies and other organisational stakeholders. Not being able to evidence your cyber security management could have a significant impact on your revenue through lost business opportunities.
For many SMEs, cyber security can be quite daunting to address, especially when trying to achieve stringent security controls whilst balancing cost. In recognition of this, the UK government has backed a cyber security certification scheme, Cyber Essentials/Cyber Essentials Plus. This is a simple but effective scheme that helps organisations protect themselves from a range of the most common cyber-attacks. The scheme is designed to be achievable regardless of organisation size and structure.
A growing number of organisations are now mandating that their supply chain must hold this, and occasionally even more complex certification, to continue to do business with them.
Achieving certification does require a level of audit and testing to ensure any vulnerabilities identified are fixed.
A traditional approach to this is ‘penetration testing’. But these tests always prove not only to cost a lot more than an SME business can afford but also to give only a ‘snapshot in time’, against known threats on that day. As we all know, a lot can change month to month, especially as new threats are emerging daily.
According to IBM, this traditional approach to cyber security has led businesses to take 292 days on average to uncover that they have been breached.
Setting yourself apart from the crowd with enhanced cyber security protection for your customers often makes the difference when someone is choosing a supplier.
The Cyber Essentials Plus scheme is an excellent starting point, and for more established global businesses the ISO 27001 standard should be considered. But to further help businesses reduce the implementation costs around their cyber security, they should also consider implementing a solution which will provide them with 24/7 penetration testing (rather than one-off) and monitoring of their infrastructure.
This will provide them with up-to-date scanning against the latest known threats and will highlight areas of vulnerability at the earliest point, enabling immediate remedial work to eliminate the threat.
Using this type of service ensures that businesses are fully in control of the cyber security across their infrastructure and are fully aware of potential vulnerabilities and the severity/impact they could have on their business. This also makes re-certification to schemes like Cyber Essentials Plus quicker to achieve without the exercise being labour-intensive or costly – ensuring a fixed known cost annually.