Dealing with security due diligence
This week, on 24 April 2023, the standard required to pass Cyber Essentials changed.
Without getting technical, our blog reviews what business owners should know and why more organisations are getting certified. If you’ve been sitting on the fence about getting certified, we go over why you should consider it. For instance, according to the National Cyber Security Centre’s (NCSC) analysis of insurance data, SMBs with Cyber Essentials are 60% less likely to make a cyber insurance claim. Being certified could save you a lot of time, hassle and money.
We also cover what the changes are and why they are important for businesses.
The article is intended to help when you next get asked why you do or don’t have Cyber Essentials certification.
Why are more businesses finding certification valuable?
The NCSC reported that in the second quarter of 2022, following the major Cyber Essentials updates, the overall number of certifications rose by 16%. If the standard is becoming more demanding, why do more organisations want to certify?
It’s the government-backed certification scheme intended to demonstrate that the UK is a cyber safe place to do business.
The NCSC sets the technical standard, which is designed to cover the most common threats, and IASME is the delivery partner for certification.
If you want to do business with the government, you probably have to be certified. For other clients and prospects, it demonstrates you take seriously the fundamentals of cyber security.
For some, it shortcuts the increasingly onerous due diligence required when someone first starts doing business with you.
Certification provides a degree of peace of mind (remember, it is the minimum level you should be at), as it helps you understand where you currently stand in terms of your security.
When the worst happens (and we should all expect to fall victim at some point), Cyber Essentials includes basic insurance coverage. You can get crisis management support for technical, legal, legislative, PR and ICO reporting issues, up to a liability of £25,000.
And, of course, it’s no small matter that certification helps you fulfil your legal and moral responsibilities to keep staff, clients and your own organisation safe from criminals.
What do the changes mean for you?
In January 2022, the Cyber Essentials standard underwent the most significant changes since its inception in 2014. This was because cyber crime and the way we work had both moved on considerably. An update was due to keep the standard rigorous and reflect current circumstances.
Implementing the changes produced feedback about the challenges in interpreting and applying the new standard in the real world. The changes from 24 April 2023 are about clarifying and improving guidance, whilst remaining true to the scheme’s five core control measures.
For those carrying the responsibility of overseeing their organisation’s security, it’s important to put Cyber Essentials into the context of your overall risk assessment and security planning. One small example is device unlocking. Criminals attempt multiple logins in a very short timeframe, looking to gain access by exploiting commonly used passwords. To defend against this, Cyber Essentials requires that devices lock out after a set number of failed login attempts.
However, some manufacturers make devices that cannot be configured to comply with the standard. If that happens to you, do you buy new devices or accept that you cannot pass Cyber Essentials? These are the kinds of real-world clarifications provided in this recent update. But they highlight the fact that security is a business decision as well as a technical one. This is why security is not just an annual snapshot of your compliance but an ongoing process of planning, budgeting and reviewing. It should be part of an overall risk assessment and budget-setting process.
If you want to understand more about how Cyber Essentials fits into a wider cyber security context, see our Cyber Security page, and in particular the download for our Risk Assessment process. For a more in-depth look at Cyber Essentials certification, such as the fact that it comes in two versions, download our Cyber Essentials guide.