Cyber Security | Cyber Essentials

Cyber security is a constant topic of conversation with our clients. In fact, next to their business processes, cyber security is the most asked-for service from us after Microsoft 365 management.

Cyber threats are everywhere and it isn't just big businesses that are attacked. In fact SMEs, charities and education institutions are very directly in the sights of cyber criminals for the very reason that they are smaller and less protected than large businesses.

Cyber Essentials

The UK Government, via the National Cyber Security Centre and GCHQ, have devised a basic cyber security accreditation scheme for smaller UK businesses (and charities, third sector and education). This scheme is called Cyber Essentials (and Cyber Essentials Plus). If you are bidding for central or local government contracts you may well have come across it already, and it is now mandatory for many government contracts.

CE is self-certified, in that organisations wanting to get accredited appoint a certifying body and then answer an online questionnaire on a number of topics related to how the organisation is configured for cyber security. In order to get accredited you need a 100% pass in the questionnaire, as CE/CE+ does not allow for any mitigations.

Most organisations - at least in our experience - are unlikely to pass CE without making a number of changes to their working practices, as the requirements are quite prescriptive. After achieving CE/CE+, however, your business will have a good baseline for cyber security, and the certification can include cyber insurance as part of the fee.

CE+ follows the same questionnaire as CE but also includes on-site tests. An external tester will come to one of your sites and test a random sample of your devices to ensure that they are configured as stated on the questionnaire, that they can't download (test) viruses, that MFA is enabled on cloud services, etc. You are most likely to encounter CE+ if you are bidding on MoD, F.O., or more secure government contracts.

Is it worth it?

Yes! We'd strongly encourage all our clients to get CE accredited and by default we configure clients' networks to be CE compliant or at least compliant with few additional changes.

CE gives you an excellent baseline for security and we think that the questions that are asked make organisations think carefully about security - which is all too easy to put on the 'too difficult' pile or push back to another time.

We will give you an initial assessment of your I.T. infrastructure and tell you what steps are likely to be needed to be able to pass CE/CE+. Contact us for a 

Useful links

https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know

https://www.ncsc.gov.uk/section/information-for/small-medium-sized-organisations

https://www.ncsc.gov.uk/cyberessentials/overview

https://iasme.co.uk/cyber-essentials/