Is Cyber Essentials Enough to Secure Your Organisation?

Organisations that are looking to bolster their information security practices are often advised to certify to Cyber Essentials – and for good reason. The UK government scheme outlines five controls that cover the core data protection components.

Its controls are:

  1. Firewalls, which create a buffer zone between the organisation’s IT network and other external networks. This helps the organisation analyse incoming traffic and block anything malicious.
  2. Software updates, which ensure that patches are applied promptly. This helps organisations address vulnerabilities that cyber criminals could exploit.
  3. Anti-malware software, which identifies malicious programs on your systems.
  4. Access controls, which ensure that only authorised users can access sensitive information and applications.
  5. Secure configuration, which helps administrators select appropriate settings for devices and software.

When implemented correctly, these controls can prevent about 80% of cyber attacks. Plus, they are relatively easy to apply, with the scheme being designed for anyone to use regardless of their information security knowledge.

The certification process works by completing a self-assessment questionnaire listing requirements related to each of the scheme’s five controls.

However, for all the advantages of Cyber Essentials, it is – as its title suggests – only an introduction to cyber security. Its controls cover the essentials, but in an ever-increasing cyber threat landscape that is no longer enough.

The Cyber Security Breaches Survey 2022 found that 39% of UK businesses identified a cyber attack last year, while another report found that organisations spend almost £3 million on average responding to security incidents.

With an array of threats to defend against, including an alarming rise in ransomware and phishing attacks, organisations must take extra precautions if they are to adequately protect themselves.

Safeguarding your organisation

If you are to have confidence in your security controls, you must implement defence in depth. This requires a holistic approach to cyber security that addresses people, processes and technology.

Key aspects of this approach, such as staff awareness training, vulnerability scanning and incident response, aren’t addressed in Cyber Essentials.

Employees are at the heart of any cyber security system, because they are the ones responsible for handling sensitive information. If they don’t understand their data protection requirements, it could result in disaster.

Meanwhile, vulnerability scanning ensures that organisations can spot weaknesses in their systems before a cyber criminal can exploit them. It’s a more advanced form of protection than is offered with secure configuration and system updates, enabling organisations to proactively secure their systems.

Incident response measures, by contrast, give organisations the tools they need to respond after a security incident has occurred. Most of the damage caused by a data breach occurs after the initial intrusion, so a prompt and organised response can be the difference between a minor disruption and a catastrophe.

Implementing staff awareness training, vulnerability scanning and incident response in one go can be a headache, particularly if you want them to fit together within your existing cyber security defences.

That’s where IT Governance’s new service, Cyber Safeguard, can help. We provide the support and training you need to defend against a range of threats.

Our expert guidance builds upon Cyber Essentials and the National Cyber Security Centre’s small business guide, and ensures that your organisation stays one step ahead of criminal hackers.

The service also comes with cyber insurance coverage of up to £500,000. The policy helps you cover the financial costs of a security incident, providing support for incident response measures such as forensic investigation and legal assistance.

Find out how Cyber Safeguard can help your organisation from just £300 a month.