Cyber essentials and cyber essentials plus certification (just in case you are reading this and asking yourself, ‘what does cyber essentials mean?’) is a government-backed scheme to help tackle the increasing problem of cyber attacks on businesses in the UK. It is a response to the growing and seemingly ever-present threat of infiltration and misuse of your business and personal data. Hopefully, everyone is now aware of just how important cyber security is but, in our experience, it isn’t uncommon for people to see it as a problem that will not affect them. With four in ten businesses reporting attacks in 2020, it feels more like a question of when it happens rather than if it happens. The cyber essentials scheme is part of the fight to hinder the work of the cybercriminal and protect your business from the devastating effects of a breach.
What is cyber essentials certification?
There are two versions of the cyber essentials process:
Cyber essentials – This is a self-certification process that checks you against five key areas of security.
Cyber essentials plus – This is a more robust version of the cyber essentials certification. While it covers the same five areas, there is an additional technical verification, carried out via a hands-on test of your systems by an assessor.
Cyber essentials is designed to be a simple and easy-to-understand method of testing your security against common threats. When you think about the scale of what is considered ‘common’ when we are talking about the number of businesses that are attacked, the need for cyber essentials is clear.
It is worth remembering that the majority of attacks are pretty clumsy attempts to find a weakness in your security. The criminals probe common problem areas, such as known vulnerabilities in unpatched operating systems, across many organisations until they find a victim. Most of the large-scale ransomware attacks that make the headlines are perpetrated by much more sophisticated hackers.
What changed in 2021?
As you can imagine, many businesses have seen the usefulness of adopting cyber essentials. However, this is a world that changes quickly, and it’s important to keep up to date. That, in turn, means that what is considered ‘up to date’ for the purposes of being cyber essentials compliant is regularly reviewed.
In the most recent round of evaluation of the scheme’s effectiveness, there were a few changes. While none of these are monumental or fundamental alterations to the basic requirements, most were about clarification of key areas of compliance. The upshot of this is that if you were certified prior to April 2021, you will need to consider re-addressing your compliance regardless of which level you are currently using. Some topical issues, such as the use of bring your own device (BYOD) equipment, are now specifically addressed, for example. The pandemic-induced increase in the frequency with which employees use a variety of equipment means you may need to revisit your policy now. Other specific changes include the recommendation that software updates automatically where possible, and new definitions relating to Virtual Private Networks (VPNs) and how these are termed in the cyber essentials framework.
In summary then, if you were certified prior to April 2021, you should probably look into whether your current documentation and processes still meet the cyber essentials standards.