A new service we now offer here at ComputerWorld is performing Cyber Essentials Assessments for customers. Please note that this post refers to the Cyber Essentials Standard self-assessment, not the Cyber Essentials Plus assessment, which will be covered in a later post.
Since customers have a lot of questions about Cyber Essentials, this blog post should answer most of the questions that readers may have.
What are Cyber Essentials Assessments and where did they come from?
I’ll deal with where Cyber Essentials came from first. Over the years IT has become increasingly accessible to small businesses and individuals. Where 20 years ago you would have needed a team of technical staff to run an IT system, many small businesses today have no in-house IT personnel, or indeed IT skills, at all, and instead buy them in as and when they need them.
Although this offers great savings for a small business, which no longer has to employ expensive technical personnel, it also leaves the business exposed to today's cyber threats if it cannot afford in-house specialists to implement best practices, or to go down the route of expensive security and/or ISO accreditations.
Today's cyber threats no longer focus on disrupting operations but on your data itself, stealing it or denying you access to it. Consequently, being secure and adopting a sensible approach to cyber security is now a necessity for most of us.
This brings me to the question of what Cyber Essentials is. The question of how to make systems secure against cyber-attack is not new, and over the years there have been many attempts to answer it. Unfortunately, they have all ended up not only lengthy, but overly technical and often too expensive to implement on a limited budget.
Cyber Essentials aims to change that. The whole point is that it is not hugely expensive and that it is simple enough for businesses to audit themselves against a best-practice framework by answering a series of questions about the different areas of IT security. In answering these questions, the business being assessed can bring itself in line with industry best practices by making small changes to its environment that make it more secure, for the most part using what it already has rather than implementing costly security solutions.
There are two tiers of Cyber Essentials Assessments – Standard and Plus.
- The Standard Assessment is a low-cost self-assessment, and the answers and evidence you provide are independently reviewed by an assessor like ComputerWorld.
- The CE Plus Assessment builds upon the Standard and carries a higher cost, with the difference that the answers and evidence you provide are verified through on-site visits and audits by an assessor like ComputerWorld, and network penetration testing is carried out to highlight any network vulnerabilities you may have.
In plain terms, the Standard CE Assessment is aimed at making sure your IT system is not vulnerable to the majority of non-targeted cyber-attacks out there – or, in other words, it's akin to making sure that your doors and windows are locked at home so there are no obvious or easy points of entry available.
The Plus CE Assessment takes this to the next level: it aims to ensure your IT system is hardened against more targeted or persistent cyber-attacks, and it looks more closely to identify any other points of entry that may not be readily visible.