Paul Holborow, Head of IT Services at RMT Accountants and Business Advisors, takes a look at the Government’s Cyber Essentials scheme aimed at SMEs.
Launched in June 2014, the Government’s Cyber Essentials Scheme aims to protect SMEs from common internet-based threats. It does this by recommending basic controls in 5 core areas. Alongside this, an assurance framework allows the SME to gain certification so it can demonstrate to customers, investors, insurers and others that it has taken these essential precautions.
The process begins with the completion of a self-assessment questionnaire which covers the following 5 core areas:
• Firewalls and internet gateways
• Secure configuration
• Access control
• Malware protection
• Patch management
The SME can then approach a registered independent assessor to demonstrate its compliance and achieve accreditation – a badge to certify it does have the basic cyber security controls in place. This process can cost around £300 or so. There is also a Cyber Essentials Plus scheme which follows this up with penetration testing of your defences, an exercise that could cost £1000-£3000.
Why would an SME go this far? Well, if you have a contract with government, it’s mandatory for new contracts awarded after 1 October 2014. It also provides a competitive advantage at relatively low cost – if you are compliant and your competitor isn’t, then you have an advantage over them. Whether you’re bidding for government work or not, having good defences also protects your business from fraud, which can only be a good thing.
Some SMEs, though, may see this as a distraction from their everyday work and yet more ‘red tape’, even though it’s been designed to be simple to carry out. Some SMEs may need to use consultants to help conduct the survey, with the added cost this will entail. And whilst covering these basic elements is a start, they don’t necessarily help protect against other threats to business data, which are covered in more detail in the CESG 10 Steps to Cyber Security guide. This covers additional protection measures such as developing a risk management regime, mobile working, and user education and training, all of which address the very real risk of data loss from within the organisation.
Overall, I think the scheme is an excellent start to getting SMEs to think about cybersecurity and to putting in place certain minimum measures to protect the business. More needs to be done though for businesses to really make security part of the business culture.
For more information, please contact firstname.lastname@example.org or call 0191 2569550.