CEO Detective Superintendent Nick Bell said, “As a small business, we are extremely proud that we have not only internally looked at our cyber resilience but also had our controls verified by an independent company. Cybercrime is something that impacts businesses across the country – no matter the size of the organisation, the location or the sector. As a small organisation and still a relatively new company, it was very important for us to achieve Cyber Essentials Plus certification. This government-backed scheme is effective in helping protect organisations, whatever the size, against a whole range of the most common cyber attacks. My thanks to Andrew Dodd of ADAS Ltd, who, with his experience and professionalism, helped the company to achieve the certification.”
Cyber Essentials is an assessment to review whether the basic cyber controls are in place, which helps reduce the risk of a cyber attack being successful. There are two levels to the Cyber Essentials scheme, Cyber Essentials (CE) and Cyber Essentials Plus (CE+), and it is run by IASME on behalf of the UK’s national technical authority, the National Cyber Security Centre.
Nick said, “The way that the National Cyber Resilience Centre Group (NCRCG) approached this was to achieve Cyber Essentials first and then look at the plus certification. This allowed us to review what we could do ourselves before we needed to seek paid expertise.”
CE is a self-declared questionnaire, which is free to download and work through. The completed answers are then reviewed by an independent expert to ensure they meet the control requirements, with pricing starting at £300+VAT.
“We had excellent help from our certification body, Andrew Dodd Assessment Services Ltd (ADAS-LTD), who answered those tricky questions that we couldn’t work out alone about how to structure our answers and which of our systems were in scope. We also had help from our external IT provider, who was able to answer the technical questions our internal team couldn’t.
“It did take a little time, but finding the questions for the questionnaire highlighted that some of the system controls that we thought were at the highest setting weren’t and some policies needed updating to the newest systems and controls that we were enforcing.
“When it came to the CE+ assessment, we found a couple of interesting issues. These were easily changed by IT, but it was unlikely that this would be picked up without the assessment. This small change demonstrated to us that the independent assessment verification was worth doing.”
Cyber Essentials certification lasts for 12 months before it needs to be renewed. However, just as your car might be fine on the day of its MOT test but unroadworthy the next day, the NCRCG is conscious of the impact that changing systems or adding devices could have on its cyber security and on the next assessment.
Cyber Essentials also provides a level of cyber liability insurance: if your firm is UK-domiciled with a turnover under £20m and you achieve Cyber Essentials certification covering your entire organisation, you will be able to opt into the included cyber liability insurance. This does not involve any additional cost or forms. The insurance cover includes a 24-hour technical and legal incident response service.
The network of Cyber Resilience Centres is ready to help any business that is thinking of increasing its cyber resilience and achieving Cyber Essentials. They can talk to you about the benefits of Cyber Essentials, direct you to the questionnaire and introduce you to a local Cyber Essentials Certification Body so you can build a relationship with a local expert. Find your local CRC here.