We discussed in a recent article that there are many reasons to undertake the UK Government’s Cyber Essentials certification:
• Build trust
• Increase credibility in eyes of new or potential clients
• Demonstrate commitment to good cyber security principles
• Gain access to tenders where PQQs require certification
• Fulfil obligations under GDPR, and
• Not least, to protect your business’ assets and reputation.
Many businesses agree: in the four years since the scheme launched, more than 9,000 British businesses have gained a Cyber Essentials certification.
However, we have noticed some resistance within a few organisations when it comes to pursuing the certification. When we’ve dug down into why this is the case, we’ve heard comments to the effect of “it’s too basic for us” or “we’re already doing all the essentials”.
In many cases we agree – we know the organisation has implemented good security processes.
However, as a Cyber Essentials Certification Body we also know this isn’t the whole story: just because you have implemented good security processes, this doesn’t mean your organisation can’t benefit from following the certification process.
For one thing, as we’ve noted, achieving the certification is a good way to demonstrate your organisation’s commitment to good cyber security principles and processes. This isn’t only important from a PR point of view; being able to demonstrate this may help to protect the organisation from some of the risk associated with GDPR or cyber vulnerabilities.
Second, and perhaps more importantly, we’ve worked with organisations that have discovered some surprising gaps in their existing processes while pursuing the certification.
Every IT Manager knows that cyber security is a movable feast: new applications and devices are added to the environment, new employees join and often leave, exposing new vulnerabilities, and new threats emerge as old threats evolve on an almost daily basis.
Worse, while good cyber security processes may well be documented, articulated and communicated around the business, how many IT Managers can honestly say they know these processes are being implemented all day, every day, by all staff?
All these factors add up to a changing landscape of changing threats and changing vulnerabilities.
It is also important to understand that everyone is starting from a different place. While some organisations might have excellent malware protection in place, they may not have considered the need to create a comprehensive asset register. And while some organisations might have created an asset register, it may be many months since it was last comprehensively updated.
As a Cyber Essentials Certification Body, we understand that organisations have very different starting points – and, therefore, need very different assistance.
For some organisations, it might be as simple as a little guidance when completing the questionnaire and then acting as the assessing and certifying body. For others, more work may be required.
Cyber Essentials brings all the different strands of cyber security together to ensure a comprehensive view of all the different moving parts of IT security.
As well as providing a comprehensive framework that covers all the essentials, going through the certification process is a good way to focus attention across the business on the issue of cyber security.
We’ve found that the prospect of gaining a certification which has implications for the business in terms of reputation and risk management does help to focus minds that might otherwise turn off at the words “cyber security”.
So, wherever you are starting from, the process of certification has much to offer.
To find out more, get your FREE Introduction to Cyber Essentials guide here.
Or, for specific advice or help with your Cyber Essentials certification, contact Grant McGregor’s consultants today on 0808 164 4142.