Home of Fractional CIO services
Cyber Essentials is a government backed scheme that is supposed to help companies guard against cyber threats and is a badge for your customers that your company takes IT security seriously. It is also often demanded as a standard by insurance companies when providing cyber insurance.
But is it all that it is cracked up to be and can it be relied on as a level of security competence?
Over the last year, I have come across a number of companies who have achieved Cyber Essentials or even Cyber Essentials Plus who, on inspection, had outdated and unpatched systems or failed to have the most basic security (such as multi-factor authentication – MFA) properly deployed.
Firstly, the basic Cyber Essentials is a self assessment, normally carried out by the head of IT or the head of IT Security. It is a list of questions which they answer themselves without any checking that they are being wholly truthful. Cyber Essentials Plus means that the answers have been independently verified.
So how comes when I have been asked to review companies with either of these badges I find that they are not up to the standard? Put simply, many heads of IT choose to place systems or infrastructure which does not meet the standards “Outside the boundary” of the scope of the audit so that they are not assessed or say to themselves “well, yes, we kind of do that” or even worse, they have switched on some safeguard without checking that it has been fully or properly deployed.
Firstly, check your Cyber insurance. If it says something along the lines that your systems “should be modern, fully patched and up to date” then it is possible that your Cyber insurance company may not pay out if this is not true.
Secondly, CEOs need to ask the right questions of the Heads of IT to ensure that the whole environment has been properly included and reviewed.
The government website says “Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place”. Having Cyber Essentials or Cyber Essentials Plus is not a guarantee that your IT environment is safe from attack. No one can promise you that. But CEOs do need to make sure that the basic security is in place and it is being managed properly to minimise the chances of being attacked.