Your essential guide to Cyber Essentials

Some of the UK’s biggest and most recognisable brands have recently been hit by crippling cyberattacks. From M&S to Jaguar Land Rover, the impact on the UK economy is thought to run into the billions. But small businesses are far from immune.

Around 42% of UK SMEs have experienced a cyberattack in the last 12 months, according to government data. And of those affected, a staggering 84% fell victim to phishing – a form of attack that relies on social engineering.

That’s where the government’s Cyber Essentials scheme comes in. Small businesses are often the gateway to bigger enterprises through the supply chain, and a cyberattack on them can be devastating. The scheme sets a standard for simple cybersecurity policies, procedures and best practices, so Cyber Essentials-certified businesses can be confident they have addressed many of the common vulnerabilities that would otherwise leave an open door to cybercriminals.

How Cyber Essentials works

Cyber Essentials is a certification scheme that helps organisations protect against the most common threats. Becoming certified is not only an opportunity to identify weaknesses and implement best practices but something many customers, investors, insurers and supply chain partners are demanding from the businesses they are involved with. It’s also mandatory for any SME looking to bid for a government contract.

It looks at five technical controls you should have in place to protect against the most common cyberattacks:

  1. Secure configuration – ensuring systems are set up to reduce vulnerabilities
  2. User access control – managing who has access to data and systems
  3. Malware protection – detecting and neutralising malicious software
  4. Security update management – keeping software updated to patch known weaknesses
  5. Firewalls – creating barriers between your network and potential threats.

There are two levels of certification:

  • Cyber Essentials: a self-assessment backed by independent review
  • Cyber Essentials Plus: includes rigorous technical testing for added assurance

Both options demonstrate a commitment to cyber hygiene and can be valuable differentiators in competitive markets. Even better, Cyber Essentials-certified businesses report an 88% better understanding of cyber risks, an 89% increase in trust from customers and partners, and a 69% improvement in competitiveness (according to a Gov.UK survey).

Cyber liability insurance – an added perk of certification

For small businesses with a turnover of under £20 million that become certified, there’s the added benefit of automatically qualifying for cyber liability insurance – which comes with a £25,000 indemnity limit. It’s worth saying that this limit may not cover serious breaches or multiple incidents in practice, so we’d caution against relying on it as your only form of cyber risk insurance, and would suggest expanding the cover (which is possible, all the way up to £250,000).

This policy covers a wide range of costs including legal fees, IT recovery, reputation management, data breach notifications, and business interruption expenses. It also provides access to a 24-hour incident response helpline, ensuring rapid support in the event of a breach – which could complement your MSP’s response at a crucial time.

While Cyber Essentials certification is designed to reduce risk, the insurance provision adds an extra layer of resilience, especially against human error or targeted attacks.

How Neos-IT supports clients to achieve certification

Meeting the criteria can be complicated and time-consuming – not to mention fixing any issues identified along the way.

For Neos-IT clients, the good news is that we’re Cyber Essentials Plus and ISO27001 accredited ourselves and work in a way that aligns with those standards by default. So, most clients are likely to be Cyber Essentials compliant, or very close to it, already.

The benefits of working with us to get Cyber Essentials certified are:

  • Save time and internal resources – as your MSP we can populate most of the criteria with our working knowledge of your network arrangements, password controls, etc.
  • Get the most value out of the process – we look to put our clients in the best possible position – not just tick the boxes – so they’re as secure as they need to be, not just Cyber Essentials compliant.
  • We’re experts on mitigation controls – if you have an old application that’s no longer supported or patched by the developer (but you still need to be able to use it), you’d automatically fail Cyber Essentials. We can isolate the application on its own network segment – a VLAN – separated from the rest of your systems, overcoming what would otherwise be a point of failure and making its continued use more secure.
  • We know the certification inside-out – Cyber Essentials is constantly evolving to keep pace with the latest threats and emerging best practice. You can rely on Neos-IT to keep up with those changes and to redefine the scope of client work to match. Recently, for instance, cloud and remote working came into scope, and we’ve responded.

Doing Cyber Essentials in-house means a steep learning curve, and it can be incredibly time and resource intensive, just to obtain a certification that has to be renewed every year. Why bother? With Neos-IT, you can get on with living and breathing the best practices it contains, rather than dealing with the admin burden of the process of achieving it. Get on with operating in a secure way and leave the rest to us. Contact us to find out more about Cyber Essentials.