Short answer: maybe…
Earlier in the week the Department for Enterprise here on the Isle of Man announced up to 50% funding for businesses wishing to gain Cyber Essentials certification. Cyber Essentials has been around since 2014 in the UK. It was initially introduced to ensure that companies who wanted to win UK Government contracts had a basic level of cyber security. So, is it something you need to do, and will it give you peace of mind for your business?
Dealing with the latter question first: whilst it will likely improve your cyber security and protect you from the most common threats, it is predominantly focused on technical controls, the sorts of things you really should have in place already. Things like:
Ensuring your Internet connection is safe
Making sure your devices and software are safe and connect to the Internet ‘relatively’ safely
Controlling access to ‘electronic’ data properly
Having Anti-Virus and malware protection in place
Ensuring security updates are installed promptly
Whilst I think this is a step in the right direction, there is a general absence of certain things that we at Intelect would see as necessary if you hold sensitive data.
92% of malicious software (stuff that will do nasty things to your devices and data) is delivered via phishing emails. Figures vary on this, but studies suggest that between 35-50% of people will open phishing emails! So, despite technical controls, some of the bad things will get through. Your next line of defence is people. Cyber Essentials does not place a requirement on you to train your people.
Virtual Private Networks (VPNs) secure your device by encrypting your connection and data. There is no requirement under Cyber Essentials to have a VPN in place. We would not be without a VPN on our devices.
If you are handling sensitive data, are you using encrypted services? You should be. But Cyber Essentials places no requirement on you to do that either.
It all really depends on the size of your business, your type of business and the data you hold. To quote a phrase from the Anti-Money Laundering rules and regulations, it’s a Risk Based Approach. Need some assistance in navigating through all this? We’ll first help you with our Cyber Risk Analysis tool, which you can find on our website here: https://intelectsolutions.im/solutions/cyber-risk-management/
Be assured we would never recommend or try to sell you something that is inappropriate to your business need. We prefer to work with you to ‘protect the unprotected’.