
Do not become a 'cyber victim' says Rhodes

In the past twelve months, 875,000 small and medium-sized businesses have been targeted by cyber-criminals, costing a fifth of affected organisations over £10,000 in damages. As cyber attacks become more persistent and cyber criminals become more sophisticated, businesses, including sign companies, need to look for ways to prove they are proficient at dealing with incoming threats. Matt Rhodes, Quiss technology commercial services manager, offers insight into how to protect your business.


Matt Rhodes is the Quiss technology commercial services manager

Criminals have designed attacks that are much more difficult to detect and defend against, and the damage caused by a successful attack can be devastating for businesses, according to Rhodes.

“Companies have adopted much stricter vetting procedures when it comes to selecting a supplier, such is the risk of bad publicity and serious financial damage from a successful security breach.

“Therefore, all businesses should be actively seeking Cyber Essentials Plus certification to test their current security controls, and offer assurance to clients who value the security of their sensitive information.

A seal of approval

“There are currently two different certifications available to businesses – the standard Cyber Essentials and the Cyber Essentials Plus.

“Cyber Essentials represents the most basic level of cyber security, and requires organisations to complete a short questionnaire regarding their current security controls, before being sent to a recognised body for review.

“The organisation will typically undergo an external vulnerability assessment from a certifying body, which directly tests that individual controls on the internet facing network perimeter have been implemented correctly.

“This basic level of certification only offers a snapshot of the organisation at that time – it does not provide assurance that systems are effectively configured to defend against more sophisticated or persistent attacks.

“Cyber Essentials Plus, however, requires an organisation to undergo a much more thorough assessment, which is based on internal security assessments of end-user devices.

“Using a range of specialist tools and techniques, the Cyber Essentials Plus assessment directly tests that individual controls have been implemented correctly, and recreates various attack scenarios to determine whether a system is proficient in dealing with potential threats.

“The Cyber Essentials Plus certification requires your organisation to have five technical controls in place, including:

• Boundary firewalls – these devices are designed to prevent unauthorised access to or from private networks, but require good setup to achieve maximum effectiveness;

• Secure configuration – ensuring systems are configured securely to suit the requirements of an organisation;

• Access control – only allowing those with authority to have access to systems;

• Malware protection – ensuring the most up to date virus and malware protection has been installed;

• Patch management – ensuring the latest supported version of applications is used and all the necessary patches have been applied.

“Only once a company successfully passes these tests can they be awarded the badge, which can then be displayed on an organisation’s website, showing customers that they value cyber security and can effectively deal with any incoming attacks.

Staying vigilant – remaining protected

“For serious businesses who are committed to achieving strong cyber security, Cyber Essentials Plus is the only option worth considering.

“The Cyber Essentials Plus scheme provides a well-defined standard that is suitable for organisations across all sectors, including charities, schools, universities and local authorities.

“While the basic Cyber Essentials certification is a good and necessary starting point for businesses, the extra checks involved with Cyber Essentials Plus make it the best option, especially with GDPR coming into effect next year.

“These new data protection laws mean it has never been more important to ensure your sensitive information is properly safeguarded, as any potential breach will naturally attract attention from media and clients alike.”

Cyber Essentials Plus and the procurement process

“Since 2014, Cyber Essentials Plus has been a mandatory requirement when applying for government contracts, and it looks as though we are transitioning to a point where businesses must hold a badge to be considered for most public-sector work.

“Cyber Essentials Plus offers procuring organisations greater levels of assurance that required controls and checks are in place.

“If your business is looking to grow and win new business, specifically within the public-sector, then achieving compliance should be at the top of your to-do list.

Achieving compliance – what to do next

“If your company is serious about achieving Cyber Essentials Plus status, then the first step is to visit the official www.cyberaware.gov.uk website, and select one of the official accreditation bodies listed.

“In order to successfully hold a Cyber Essentials Plus badge, you must have first completed the basic Cyber Essentials certification process.

“Once an independent assessor has reviewed your answers and performed the basic tests on your security controls, you will be awarded the Cyber Essentials certificate, allowing you to proceed to Cyber Essentials Plus.

“Once you have received Cyber Essentials certification, you will then need to start the compliance process by introducing the appropriate controls to your system.

“When looking for support to help you achieve Cyber Essentials Plus, it is important you contact an IT specialist with plenty of experience helping clients achieve compliance – they will then arrange for your security controls to be thoroughly tested, which will determine your effectiveness in defending against potential cyber threats.

“Remember, different suppliers will offer varying levels of service and support, so make sure you select one that meets your company’s requirements.

And finally…

“The perceived security and business advantages of becoming Cyber Essentials Plus compliant are undeniable, but achieving certification should only be the start of your company’s continued efforts to achieve optimum protection.

“Adopting wider security frameworks and being proactive in your efforts to tighten security should be an ongoing responsibility for your team.

“More sophisticated assessments are available to companies who are looking to push their security further than the Cyber Essentials scheme, including Penetration Testing and Simulated Targeted Attack and Response, which assesses specialist business functions with a market or country influence.

“If you think your organisation could benefit from these additional levels of assessments, contact an IT specialist and start the process of achieving total security for your business and clients.”

