We’ve looked in detail at what Cyber Essentials is, how to apply for it and how it works. We’ve also looked at specific requirements for certain industries, and how to decide if Cyber Essentials is sufficient for your business, or if you should choose the more in-depth Cyber Essentials Plus.
However, we haven’t really talked about the negatives, if any, of the Cyber Essentials certification process, or whether getting certified is absolutely necessary.
Here, we examine the top reasons for and against certification, starting with the reasons for.
1. To demonstrate professionalism
Making the effort to secure Cyber Essentials certification demonstrates a professional approach to business and the data you hold on clients, suppliers or supply chain partners. It shows you prioritise data security.
It is also a legal requirement to protect the personal data you hold on other parties, whether they’re current clients or not. The General Data Protection Regulation (GDPR), which came into force in May 2018, and the UK’s Data Protection Act 2018 set out those obligations, including the requirement to have appropriate technical and organisational security measures in place.
Cyber Essentials is a UK government-backed scheme, run by the National Cyber Security Centre (NCSC), and is recognised nationally, so it’s an easy way to show that you’re cyber-security conscious. As more organisations and individuals rely on the internet, this will only become more important.
2. Peace of mind
Following on from the first point, Cyber Essentials certification gives anyone who works with you peace of mind that you’re looking after their data, and it does the same for you.
You know that a verified baseline of controls is in place, so the common, opportunistic attacks the scheme is designed to stop are far less likely to succeed. You’re also more likely to be proactive about putting disaster recovery measures in place, so if the worst does happen, you can resolve any issues quickly.
When you’re running a business, you have enough to focus on without worrying about whether or not you’re compliant or your information is secure. It means you can feel confident about being part of a supply chain, regardless of the size of your organisation, as you’re far less likely to be the weak link that exposes the others in the chain to attack.
3. MOD contracts
If you want to work anywhere within the defence sector, to be part of a supply chain or to work on a Ministry of Defence (MOD) contract, the chances are that Cyber Essentials will be a prerequisite.
The MOD has required Cyber Essentials for contracts involving its information since the beginning of 2016, so having certification already in place means that you can tender for opportunities as you see them, rather than scrambling to secure it before the closing date.
The MOD uses a tool known as DART (Defence Assurance Risk Tool) to identify cyber-security risks and assign a risk profile to every contract it puts out to tender. As a supplier, you’re obliged to complete the Supplier Assurance Questionnaire to show that you can meet the controls that profile requires.
4. Potential for business growth
Aside from the MOD opportunities, having Cyber Essentials certification can help your business grow in other ways. You’ll stand out from competitors who don’t have it, as customers have independent evidence that you take security seriously.
You will be able to pitch to larger organisations, particularly in the public sector, which expect their partners to be security-aware; central government has required Cyber Essentials from suppliers handling certain sensitive and personal information since October 2014. You’ll look more credible if you want to be a link in a supply chain too, as smaller businesses are often seen as the weakest point in a chain and targeted accordingly.
GDPR applies across the EU, and to organisations elsewhere that handle EU residents’ data, so being able to show a recognised, UK government-backed security baseline will also increase your chances of expansion into the rest of Europe, and potentially globally. Organisations in countries without equivalent legislation (e.g. the USA) still want the reassurance that anyone they work with in Europe is compliant. Cyber Essentials is not a data protection certification in itself, but its controls map directly onto the “appropriate technical measures” GDPR expects you to have.
5. Save you money
It may seem odd that having Cyber Essentials could save you money, as you have to pay for assessment and additional security tests if you opt for the Plus version, but in fact, there are long-term savings with accreditation.
For one thing, the certification can lower your insurance premiums, and UK-based organisations with a turnover under £20 million receive a basic cyber liability insurance policy as part of certification. Now that GDPR is in force, insurers want evidence that you have appropriate security controls in place, and Cyber Essentials gives them an independently verified baseline (though it is not, on its own, proof of GDPR compliance).
By proactively assessing and updating your security, you considerably lower the chance that a common cyber-attack succeeds. If you’re hacked and you’re not prepared, the costs of getting an expert out to investigate and fix things will be substantial. Being prepared also reduces the time your business is non-operational, which is good for your profits too.
Those are the arguments for certification. Now for the reasons you might hesitate.
1. The upfront cost
If you’re a small business, you may be worried about affording the cost of Cyber Essentials certification, which starts at £300 + VAT. If you need Cyber Essentials Plus, there are additional costs associated with the third-party testing.
In this situation, it’s best to build the price of certification into the business costs and to regard it as essential for growth. If you can’t pay for it straight away, start to budget for it and set a deadline for when you’ll start the application process. The potential costs to your business in the event of an attack will far outweigh the expense of assessment and certification.
2. Minimal infrastructure
If you’re a sole trader, you may not have much in the way of equipment, and you won’t have employees whose smartphones and laptops you need to worry about.
In that case, you might not think you need to worry about Cyber Essentials. Likewise, if you don’t store customer information, you may not see GDPR compliance as a priority.
However, almost all businesses use some kind of online service, whether that’s banking, accounting or storage. And even if you’re careful with client data, you also need to protect your own information. If you’re using cloud services, your data is only as safe as the account that controls it: a weak or reused password, no multi-factor authentication, or careless sharing settings put it at risk, which is why the Cyber Essentials requirements bring cloud services into scope.
Think carefully about whether your business growth plans include taking on staff, or offering a wider range of services to customers. Having Cyber Essentials in place in advance will support that growth, and when you review it annually, you can look at any additional infrastructure you’ve gained in the intervening 12 months.
3. Cost of implementing improvements
On completion of the Cyber Essentials questionnaire, it may become apparent that your systems aren’t as protected as you’d like, and you may need to pay to patch, upgrade or replace unsupported software and devices, which could be expensive if you have multiple staff or locations.
If you choose the Cyber Essentials Plus level, an assessor carries out hands-on technical verification: an external vulnerability scan of your internet-facing systems, an authenticated vulnerability scan of a sample of your devices, and checks that malware delivered by email or downloaded through a browser is blocked. This is not a full penetration test, but if it finds unpatched vulnerabilities or missing protections, there could be a considerable financial investment required to make everything secure.
Some of these costs will be unavoidable, but do some research first on what they might be and what your options are for paying for them. Your assessor will be able to help you identify the essentials that you need to fix first, and then what you can implement later.
4. Time costs
If there are a lot of updates or fixes to be implemented, this could cost you in terms of time. Systems may be unavailable while patches are applied or devices are replaced, which may affect how you and your staff work.
Before you start making any changes to your software or systems, identify what you need for ‘business as usual’ and what workarounds you can use temporarily to make things easier.
Communicate clearly with your clients and other key contacts to make them aware that normal service may be affected for a short time, and give them plenty of notice, so if there’s anything they need urgently, you can deal with it before any updates are done. Emphasise that any disruption will be brief and minimal, and it will ultimately benefit them. Let your staff know too, and help them find solutions to be able to work.
5. Not an industry requirement
Depending on the industry you operate in or support, you may not need to have Cyber Essentials certification. As well as defence, it’s a good accreditation to have to work in or with the aerospace field, and it’s an important consideration for accountants, solicitors and anyone else dealing with sensitive information.
Look at whether others in your industry have it, but also if your clients and partners have Cyber Essentials. Might it be something that they would appreciate, particularly if it’s not the norm for businesses like yours?
Should you decide not to go ahead with securing accreditation, pay attention to any changes in legislation or requirements from your industry body, if you have one. As cyber security becomes a bigger concern, it may become a requirement in the future.
6. It doesn’t go far enough
Cyber Essentials certification is a baseline assessment of your security systems and processes, built around five technical controls (firewalls, secure configuration, user access control, malware protection and security update management), but it doesn’t cover everything. This is why we also recommend looking at IASME Governance (now called IASME Cyber Assurance) and the additional areas it covers:
- Risk assessment and management
- Training and managing people
- Change management
- Incident response and business continuity