Daily, more businesses are taking their operations online, storing sensitive data, selling products, and connecting with customers and employees across the world.
There are no limits to what organisations are doing online. Along with its many advantages, this brings new threats that could put the organisation and its customers at risk if their data is not secured.
The number of new e-commerce businesses alone rose by 43% compared to the previous year. That is a lot more personal details, credit card information and addresses being captured online. If you also consider key sectors such as law, pharma and finance, which must store confidential data online, there is an unimaginable amount of data that must be secured.
You must ensure that all this personal data is secured and protected against cyberattacks. In 2022, 39% of UK businesses identified a cyberattack in their organisation. Of the 39% of UK businesses that identified an attack, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack.
Impact of Cyber Attacks
The Cyber Security Breaches Survey indicates that, among organisations reporting a material outcome such as loss of money or data, the average estimated cost of all cyberattacks in the last 12 months was £4,200. Considering only medium and large businesses, the figure rises to £19,400. The DCMS states that these values may be underreported due to a lack of a framework for assessing the financial impact of cyberattacks.
Trust is an essential element of a customer relationship. Cyberattacks can damage your business’ reputation and erode the trust your customers have in you. This, in turn, could potentially lead to:
- loss of customers
- loss of sales
- reduction in profits
The effect of reputational damage can even impact on your suppliers, or affect relationships you may have with partners, investors and other third parties invested in your business.
Legal consequences of a cyber breach
Data protection and privacy laws require you to manage the security of all personal data you hold – whether on your staff or your customers. If this data is accidentally or deliberately compromised, and you have failed to deploy appropriate security measures, you may face fines and regulatory sanctions. Many companies have been hit with massive fines for not complying with data and privacy laws.
On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure, which violates Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”), during the period of March 2019 to December 2020. Companies need to comply with the regulations to avoid fines that cause massive economic loss in their business.
What is Cyber Essentials and Cyber Essentials Plus?
Cyberattacks are the digital equivalent of a thief trying to open your front door to see if it is unlocked. If your company has any stored data online, you should do your best to prevent these attacks.
How a business deals with these threats is an indication of how seriously they take them. For some, getting in some form of external user training is deemed sufficient. However, for a growing number, it is not enough, and they are looking towards a cyber-security certification to ensure they have done all they can to secure their business’ data.
Cyber Essentials is a UK government-backed cybersecurity certification scheme that helps organisations demonstrate their commitment to protecting company data against common cyber threats. The scheme provides a framework for organisations to implement basic security controls in five key areas.
- Boundary firewalls and internet gateways: This involves securing the organisation’s internet connection by using firewalls to control incoming and outgoing traffic, and to monitor malicious activity.
- Secure configuration: This ensures that systems are configured securely and in line with best practice, and that software and systems are updated and patched regularly to address known vulnerabilities.
- Access control and user privilege management: This controls who has access to systems and data, and ensures that users only have the privileges they need to perform their job.
- Patch management: This involves applying updates and patches to software and systems on a timely basis, to address known vulnerabilities and protect against cyber threats.
- Malware protection: Uses anti-virus software and other tools to detect, prevent and remove malware, and to protect against malicious activity.
Cyber Essentials Plus
Cyber Essentials Plus is an extension of the Cyber Essentials certification. It involves a more in-depth technical assessment, including a vulnerability scan and on-site testing, to validate the security controls implemented by the organisation. Cyber Essentials Plus provides a higher level of assurance than the basic Cyber Essentials certification and is suitable for organizations that require a more comprehensive evaluation of their cybersecurity posture.
Both Cyber Essentials and Cyber Essentials Plus certifications are awarded by independent certification bodies and are valid for one year, after which organisations must undergo recertification. Having a Cyber Essentials or Cyber Essentials Plus certification demonstrates your organisation’s commitment to cybersecurity and can help to build customer confidence, improve reputation, and meet regulatory requirements.
Boldfield are your IT partner to ensure that you are driving your way to passing your Cyber Essentials and Cyber Essentials Plus certification. To discuss this further, contact a sales specialist today and cut through the security jargon.
Cyberattacks can compromise your business and customers
Recently, a cyberattack that brought concern to many big retailers was the one that targeted Tesco in 2021. One of the UK’s largest grocery retailers suffered a major cyberattack that affected its online and in-store payment systems. The attack took place on a weekend, which is usually one of the busiest times for the company. The supermarket receives £1.3m online orders every week, so this disruption was costly.
The cyber criminals used a form of malware to infect the company’s systems, causing widespread disruption to customers who were then unable to make online purchases. In addition, some customer information was compromised, including names, addresses, and card numbers.
In response to the attack, Tesco quickly took action to secure its systems and limit the damage caused. This included shutting down its online payment systems and temporarily closing some of its stores to prevent further spread of the malware.
The attack had a significant impact on the company’s reputation, leaving many customers frustrated and concerned about their personal data being compromised. Tesco incurred costs due to investigating the incident and administrative chaos, with cancelled orders and returns and customers not being able to make purchases while the system was offline.
The incident highlights the importance of companies having robust cybersecurity measures in place to protect their systems and sensitive information. In the wake of the attack, Tesco implemented several new security measures, including increased encryption and stronger passwords, to prevent similar incidents from occurring in the future.
10 reasons why companies should be Cyber Essentials certified:
- Protection against common cyber threats: Cyber Essentials certification provides companies with protection against common cyber threats such as viruses, malware, and hacking. Companies that have achieved their certification are better equipped to detect and respond to threats, reducing the risk of falling victim to a targeted attack; the controls can protect businesses from around 80% of attacks.
- Compliance with regulations: Many industries, such as financial services and healthcare, are subject to regulations that require companies to demonstrate their commitment to cybersecurity. Certification can help companies meet these regulatory requirements, which is increasingly becoming a minimum requirement for business contracts as it provides an additional layer of trust for stakeholders.
- Increased credibility: Companies that have achieved Cyber Essentials certification demonstrate to their customers, partners, and suppliers that they take cybersecurity seriously, increasing confidence in the company and its products or services.
- Win new business, locally and globally: In a time that data is a commodity, your organisation’s commitment to cyber security will improve its reputation and standing in the marketplace. By boosting your reputation, you can attract new business by assuring customers you take cyber security seriously and have cyber security measures in place. This provides you with the necessary safety measures to expand your business operations into new global markets online, without compromising security.
- Better protection of customer data: Cyber Essentials certification requires companies to implement measures to protect customer data, such as encryption and access controls. This would help you comply with the necessary GDPR (General Data Protection Regulation) that requires that personal data must be processed securely using appropriate technical and organisational measures.
- Improved security culture: Companies that achieve Cyber Essentials certification are required to have a strong cybersecurity culture, including regular training and awareness-raising for employees, decreasing the risk of future attacks. It is a simple security measure that speaks volumes. Once certified, you are listed on the IASME database of certified businesses and can display the accreditation badge on your website, marketing materials and tenders, proving that you take your security seriously and instilling more trust in customers, employees, stakeholders and even suppliers.
- Better protection of intellectual property: Cyber Essentials certification helps companies to better protect their valuable intellectual property, such as trade secrets or patents, from cyber threats.
- Improved supply chain security: Companies that have suppliers that are Cyber Essentials certified demonstrate that they have taken steps to ensure the security of their supply chain. Businesses are reviewing their supply chains for weaknesses and seeking out third parties that demonstrate a commitment to security by having initiatives and standards in place.
- Win Government Contracts: Some Government contracts require Cyber Essentials certification. If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification. By certifying, you open new revenue streams and markets for your business.
- Widen your talent pool and leverage international expertise: Remote work is here to stay and gives your business the opportunity to leverage amazing international talent. With added security measures, your business can safely perform day-to-day online operations with international employees without the concern of cyber threats.
How to get Cyber Essentials Certified
- Preparation: Before beginning the certification process, you should review your current cybersecurity practices and identify any areas for improvement. You should also become familiar with the Cyber Essentials framework and requirements.
- Self-assessment questionnaire: The first step in the certification process is to complete the self-assessment questionnaire provided by the certification body. This questionnaire covers the five security control areas: firewalls, secure configuration, access control, malware protection, and patch management.
- Technical assessment: Once you have completed the self-assessment questionnaire, a technical assessment may be required to validate the answers provided. This may involve a vulnerability scan or on-site assessment by the certification body.
- Remediation: If any vulnerabilities are identified during the technical assessment, you must take steps to address them before you can be certified. This may involve updating software, patching systems, or implementing new security controls.
- Certification: Once the self-assessment questionnaire and technical assessment have been completed and any necessary remediation has taken place, companies can apply for Cyber Essentials certification. Upon approval, they will be issued a certificate and can use the Cyber Essentials logo to demonstrate their commitment to cybersecurity.
The specific steps and requirements for getting Cyber Essentials certified may vary slightly depending on the certification body. It is important to choose a reputable and accredited certification body to ensure that the certification process is thorough and credible.
Does your company need to be Cyber Essentials Certified?
The certification is suitable for organisations of all sizes and industries, particularly those that hold sensitive information or are subject to regulations that require cybersecurity measures. Some businesses are driven to undertake these certifications by shareholders, investors and customers in order to be compliant, and usually there is a stipulated deadline.
The following types of companies may benefit from Cyber Essentials certification:
- Small and medium-sized enterprises (SMEs)
- Companies in regulated industries, such as financial services, healthcare, and government
- Companies that handle sensitive customer or financial data
- Companies that operate in the European Union and are subject to the General Data Protection Regulation (GDPR)
- Companies that have suppliers or partners that require proof of their cybersecurity measures
- Companies that are tendering for public sector contracts in the UK
- Companies that are looking to demonstrate their commitment to cybersecurity to customers, partners, and investors.
Why choose Boldfield for Cyber Essentials certification?
- The team at Boldfield has assisted several companies in obtaining their certifications in various sectors such as legal, pharmaceutical and finance.
- 100% customer success rate.
- Our combination of experience and knowledge ensures that we’re able to help companies in various industries successfully achieve their certification. We know the rules and have the right software to assess the risk and implement the best security products.
Cyber Essentials is an important certification for companies to have to protect against common cyber threats. With the increasing number of cyber attacks, it is essential that businesses take the necessary steps to protect themselves and their customers. By being Cyber Essentials certified, a company can demonstrate its commitment to cyber security and reduce the risk of a data breach.
Let Boldfield help you through the process of getting Cyber Essentials certified. Take care of your business while we take care of your cyber security.
Frequently Asked Questions
- What are the key Cyber Essentials requirements?
  - Firewalls and routers
  - Software updates
  - Malware protection
  - Access control
  - Secure configuration
- Does my business need Cyber Essentials?
  - Your business is required to have Cyber Essentials if it’s working with the government, handling personal data, or providing certain technical services.
- How long is the Cyber Essentials certificate valid for?
  - Once you are certified, the certificate is valid for 12 months.
- How much does Cyber Essentials cost?
  - It depends on the headcount of the organisation, but Cyber Essentials starts at £300 + VAT. Cyber Essentials Plus is more complex in nature, so it costs slightly more. Typically, an SME could pay £1,400 + VAT.