Can you give me 400 words on why Cyber Essentials is good for small businesses?
This is the question I asked ChatGPT. I was expecting a decent summary as an answer; there’s a lot of information on the web about the standard after all. But I was also expecting some mistakes. As an LLM, its algorithm is text based, rather than ‘smart’, and so it produces copy based on what’s available and is able to summarise (or expand on) what’s been fed into it. It’s not without its limitations, though, and as well known for not being able to do even simple maths like counting the number of characters in a sentence as it is for downright fabrication (see OpenAI isn’t doing enough to make ChatGPT’s limitations clear – The Verge).
True to expectations, the answer was not exactly 400 words (507 total, 392 excluding the introduction and conclusion, and including 1 spelling mistake!) but close enough for our purposes.
Let’s take a look.
Introduction
Cyber Essentials is a valuable certification program that offers numerous benefits for small businesses. In today’s digital age, where cyber threats are on the rise, implementing robust cybersecurity measures is essential to protect sensitive data, maintain customer trust, and ensure business continuity. Here are 400 words on why Cyber Essentials is good for small businesses:
Fair enough, no great revelation here, but certainly true to say that the protection of sensitive data is essential to any business and that does build trust. Indeed, lack of protection of that data would build exactly the opposite. Would you want to do business with a company that suffered a data breach that exposed your name, address and bank details if they could have taken reasonable steps to prevent it?
Enhanced Security
Cyber Essentials provides a framework that helps small businesses establish a strong foundation of security controls. It focuses on essential cybersecurity practices like network security, access control, malware protection, and patch management. By implementing these controls, businesses can significantly reduce their vulnerability to common cyber threats, such as malware infections, phishing attacks, and data breaches.
Spot on here. The CE program is targeted at the very basics of security which includes patch management (i.e. software and firmware updates for PCs and network equipment), access controls to ensure that data is accessed only by those who need it, and not having admin rights for day-to-day operations. I’d add having multi-factor authentication as standard to this as well which is increasingly a focus of the program which is one of the best of the simple technical controls you can implement to prevent 99.9% of attacks on your accounts.
Mitigating Financial Risks
Cybersecurity incidents can have severe financial implications for small businesses. The costs associated with data breaches, legal actions, customer compensation, and reputational damage can be crippling. Cyber Essentials helps businesses identify and address vulnerabilities, minimizing the risk of costly cyber incidents and potentially saving substantial financial resources.
Phishing and CEO Fraud counts for a great deal of low-level cybercrime targeted at individual users. Targeted attacks against companies are rarer in the SME world, though not unheard of, but less targeted ransomware is fairly common. If you don’t have adequate controls in place, you may be held to ransom for a hefty amount if your data is encrypted without a backup you can restore it from. Even if you can recover it, the data may be leaked by the perpetrators unless you pay up.
Building Customer Trust
Small businesses often rely on trust and reputation to attract and retain customers. Demonstrating a commitment to cybersecurity through Cyber Essentials certification can instil confidence in customers, showing that the business takes data protection seriously. This can lead to increased trust, customer loyalty, and a competitive advantage in the marketplace.
Many people are still unaware of the standard but having that badge on your website or email signature is a mark that you have taken care of the basics. Companies with the certification find it easier to get cyber insurance, and if you deal with any public sector or local authorities, increasingly it’s one of the requirements for doing business with them.
Regulatory Compliance
With the increasing number of data protection regulations, such as the General Data Protection Regulation (GDPR), small businesses must comply with specific cybersecurity requirements. Cyber Essentials provides a practical and cost-effective way to meet these regulatory obligations. It demonstrates a proactive approach to cybersecurity, reducing the risk of non-compliance penalties and legal repercussions.
Cyber Essentials doesn’t deal specifically with the GDPR nor mark against it, however by implementing the controls you are certainly in a better position to be able to protect your sensitive data. CE looks at all your systems for storing company data and all online systems must have MFA in place where available. If you use any systems that don’t have MFA, just working through the standard makes you acutely aware of where security is lacking and may help you to consider alternatives.
Supply Chain Assurance
Small businesses are often part of larger supply chains, and their cybersecurity practices can impact the overall security posture of the network. Cyber Essentials certification helps small businesses demonstrate their commitment to cybersecurity, which can be a critical factor for partners and customers when selecting vendors or business partners. It enhances the business’s reputation and opens doors to collaboration opportunities.
I find this paragraph particularly woolly but it’s certainly true. Just as with customer trust, supplier trust is vital in B2B sales and relationships. By demonstrating your basic business security credentials, you foster good relations with key supply chain partners and demonstrate your commitment to good governance.
Improved Business Resilience
Cyber Essentials encourages small businesses to implement robust backup and recovery processes, incident response plans, and disaster recovery strategies. By proactively addressing potential cyber threats, businesses can strengthen their resilience and minimize downtime in case of an incident. This ensures continuity of operations and reduces the potential negative impacts on revenue and customer satisfaction.
Having a good backup of your data is (I hope!) certainly not something that needs a detailed reasoned explanation. However, backups are not created equal and should be seen, not just as a method of getting back something you deleted accidentally, but as part of a robust disaster recovery solution. Ransomware attacks can be mitigated by having a robust backup solution to restore from, for example. Also, consider your cloud services. Just because it’s in ‘the cloud’ doesn’t mean your data is safe from deletion, corruption, or service downtime.
Employee Awareness and Training
Cyber Essentials promotes employee awareness and training, emphasizing the importance of cybersecurity practices among staff members. By educating employees about phishing, password security, and safe online practices, small businesses can build a strong security culture. Well-informed employees are more likely to detect and report potential threats, reducing the risk of successful cyber attacks.
Possibly the most important aspect of them all. You can implement all manner of technical controls but without this, they amount to not very much. Staff training on how to spot a phishing scam or CEO fraud will help you immensely and you should make this part of your basic induction for all staff. For example, make sure that everyone knows the CEO/MD will never text you asking you to buy gift vouchers for a client from your own funds.
Conclusion
Cyber Essentials is highly beneficial for small businesses. It provides a framework to establish robust cybersecurity controls, mitigates financial risks, builds customer trust, ensures regulatory compliance, enhances supply chain assurance, improves business resilience, and promotes employee awareness. By investing in Cyber Essentials certification, small businesses can protect their assets, reputation, and future growth in an increasingly digitized world.
The CE Standard is a good benchmark for measuring your security footprint, and while you can go much further, it does represent a fantastic baseline on which you can build a solid security foundation for your business and your staff. Fundamentally, it’s about awareness as well as purely technical controls, and any business that is certified will certainly be better off with than without.
Want to know more about Cyber Essentials?
If you’re interested in knowing more about how Cyber Essentials can help you and your business, please do get in touch. Macnamara ICT are certified assessors of Cyber Essentials and ISO27001 and our standard service uses CE as the baseline.
