By Ian, Technical Director
Cyber Essentials is a government-backed scheme to allow companies to self-certify the processes that they have in place to protect against cyber attacks. Cyber Essentials lists the common attack vectors, and encourages you to think about how you protect your computers and the data they contain. Certification gives you peace of mind that a company's defences will protect against common threats.
So why didn't Epix do this years ago? Mostly because the certification process doesn't suddenly make you safer. We have been providing internet-accessible solutions since 2001, and had always-on internet since before ADSL - so we were already well used to managing firewalls, port forwarding and server patching, securing remote access, designing audit and security into our own solutions, and protecting against exploits, having done so for over 20 years. Being "Cyber Essentials Certified" doesn't require you to do anything new if you are already taking the correct defensive measures, and it doesn't suddenly make you magically secure. None of our customers were asking us to be certified, we weren't losing sales because we didn't have the logo, and from a technical perspective we really didn't see why it mattered. We were already taking security seriously.
Always Secure -v- Certified Secure
OK, so why did we bother doing it now if there was no point to it? The short answer is because it was easy to do! We had some time on our hands (support has been a little quieter than normal for the last 3 months!), and thought we'd give it a go. It took about 2 hours to walk through the certification process, gather evidence, and confirm that we had the correct processes in place.
Our solutions are just as secure as they always were, but you can now be more confident that the internal processes we have developed over the last 20 years align with industry standards.
What Does This Mean For You?
Probably the biggest effect this has on our customers is that we now tick one more box on their tenders. The tendering process often asks questions about your suppliers and their processes. As IT is often such a central part of what Local Authorities and Housing Associations focus on in their tenders, we regularly assist our customers when they are completing the ITC elements of a tender, and Cyber Essentials has been appearing more and more often recently. This isn't just a box-ticking exercise - this is the natural effect of using procurement to improve standards.
Should You be Certified Too?
The process was quick, easy, and cheap to complete. If you have never really thought about your cyber security beyond anti-virus software, then the certification process is a fabulous place to start looking critically at your own processes. Certification won't make you magically secure, but it will highlight to you what the risks are. If you are already aware of the threats, and have strong internal policies on elements like firewalls, authentication, and patch policy, then Cyber Essentials probably isn't going to give you anything useful - but if those words mean nothing to you then you should apply for self-certification today. Cyber Essentials is a good way for the government to influence us all, and educate us.
If you don't know where to start then get in touch and we can give you details of how we did it - there are lots of providers out there who will support you through the certification process, and it shouldn't cost more than £300.