Working in partnership with Scottish Government, the National Cyber Security Centre (NCSC) and other industry partners, SBRC has been promoting Cyber Essentials to organisations in Scotland as the baseline standard for cyber security.
Cyber Essentials is a simple and effective Government-backed scheme, supported by industry experts, that will help protect your organisation against a range of the most common internet borne cyber-attacks. Cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature and can be prevented.
The scheme has been carefully designed to guide organisations of any size in protecting themselves against cyber threats which include malware, ransomware and phishing, through the use of five technical controls and implementing basic cyber hygiene.
It offers two levels of certification, Cyber Essentials (basic) and Cyber Essentials Plus which provides a greater level of assurance following additional verification of your cyber security by independent professionals.
Is Cyber Essentials For You?
As our reliance on the internet has increased, so too has the threat of cyber and internet enabled crimes.
All businesses and organisations are a potential target of an attack, particularly if they do not take some simple precautionary measures to protect themselves. Any company with an IT network that relies on the internet could be at risk of attack and computerised systems for payroll, marketing (via social media or a website), booking systems, customer databases including payment details or other sensitive information could be compromised. Of course, this does not just affect business. Cyber-attacks are a real risk to the third sector aswell, from the small, locally run playgroup that holds a database of children’s names and addresses to larger charities delivering services to vulnerable adults.
The majority of cyber-attacks exploit basic weaknesses in IT systems and software. Most organisations would struggle to operate effectively if they lost access to their data or were not able to send or receive e-mails. By focussing on basic cyber hygiene, Cyber Essentials control measures show how to address those basic weaknesses and prevent the most common internet borne attacks.
Businesses of all types and sizes already use Cyber Essentials to help protect their IT networks from attack. So no matter what your organisation does, Cyber Essentials can help keep the devices and data you rely on safe.
Cyber Essentials (basic) is an independently verified self-assessment option which helps protect your organisation from the most common cyber-attacks. Upon submission of a completed assessment questionnaire, an independent review will be carried out to verify your responses against the Cyber Essentials baseline standards and if successful, you will be awarded a certificate and badge that you can display on your company website.
For those who want to take cyber security further, Cyber Essentials Plus offers the same simplicity of approach as Cyber Essentials (basic) but also involves physical tests of your network and computers by independent professionals. Successful accreditation against Cyber Essential Plus provides a higher level of assurance that your organisation has a strong cyber security regime with correctly implemented controls thereby maintaining a robust defence against internet-based attacks. On completion you will be awarded an enhanced certificate and badge that you can display.
How Does Cyber Essentials Work?
Cyber Essentials sets out five technical controls which can be implemented immediately to strengthen your cyber defences against internet-based attacks.
- Use a firewall to secure your internet connection
- Choose the most secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up to date
For more information and NCSC advice on the Cyber Essentials technical controls please visit the NCSC website.
There are three simple steps to certification.
- Select a Certification Body
- Verify that your IT is suitably secure and meets the Cyber Essentials standards – your Certifying Body or IT Professional can help with this
- Complete the assessment questionnaire – your Certification Body will verify your answers. Once you have passed you will be awarded the Cyber Essentials/Cyber Essentials Plus certificate as appropriate.
Working with an external IT company
If your organisation outsources its IT to a third-party company, you will need to instruct your IT provider to implement the Cyber Essentials controls to your network on your behalf. The IT provider will manage your network for you, however the responsibility for your network security is still yours.
To help you manage the responsibility of your cyber security, IASME has created a detailed list of questions for you to download and give to your third-party provider. Ask your IT provider to return the answers and the relevant lists to you so that you can check that your organisation meets the Cyber Essentials requirements. More information can be found on the IASME website.
You should also have a Service Level Agreement (SLA) and contract with any third-party IT supplier.
It is highly recommended that you look for an IT provider that is Cyber Essentials certified. This shows that they take cyber security seriously. The IT Managed Services directory has over 170 Scottish companies who provide IT Managed Services, and will easily identify those that are both cyber resilient themselves through the Cyber Essentials programme, while also showing providers who offer vital security services.