What early-stage organisations need to know about deploying Cyber Essentials to manage supply chain risk

Cyber Essentials is a UK government-backed scheme designed to assist organisations in deploying a minimum set of cybersecurity controls. Not only does adherence to the scheme help protect against a common set of cyber attacks, but it raises the metaphorical security bar and is also a public demonstration of a commitment to better cyber hygiene practices through a formal assurance scheme recognised across many different industrial sectors.

Cyber Essentials comes in two different forms: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials itself is a self-assessed questionnaire, attested to by a senior member of management, that proves your organisation has considered a credible set of base-level cyber controls and best practices. It allows you to think about threats, adopt simple but effective protections and reduce the risk level for the organisation as a whole.  

The questionnaire covers items like:

• organisational details and contacts
• the scope of assurance coverage
• best practices for internal/external boundary devices
• best practice for servers, clients and mobile computing devices

Cyber Essentials Plus is based on the same set of security practices and controls as Cyber Essentials, but adds an external third-party validation of responses and includes some on-site testing. The testing covers areas like end user and internet-facing systems vulnerability scanning, file-based email and download.  

The scheme operates on a continuous basis; an organisation is accredited for 12 months at a time and will have to renew annually. This operational model drives visibility and accountability as part of a continuous improvement process: statements made, reflect current operations and management understanding of the business risk.

The benefits of formal accreditation

There are many benefits of taking such an approach with formal accreditation. It enables you to understand the current position of your organisation with regards to cybersecurity controls and gives management visibility of the business risk associated with operations as they are today. Being able to independently demonstrate that cybersecurity as part of supply chain risk is an actively managed element of the organisation’s operations can help generate customer confidence. Many government customers – and increasingly other regulated industries – are demanding evidence of Cyber Essentials for procurement processes. And finally, existing customers can draw confidence from partnering with organisations that manage risk to an appropriate level.

Companies – including startups and SMES – should consider adopting the Cyber Essentials scheme as part of a wider consideration of supply chain risk. Trust is crucial in business-to-business and business-to-consumer relationships, and being able to demonstrate that you’re actively managing your cyber risk will help early-stage companies acquire new customers. Cyber Essentials compliance should be part of what early-stage organisations implement to protect their own – as well as customer – information in what is a critical business development phase.

Cyber Essentials itself is relatively low-cost: the questionnaire is free and registration to the scheme once complete is £300 + VAT. Cyber Essentials Plus, which involves on-site testing, will be more expensive.