Failing to take cyber security seriously could cost SMEs more than they realise. At a time of increased cyber threats, organisations expect suppliers to step up and evidence their cyber security credentials. Guy Lloyd at CySure explains 3 simple steps to certification that could ensure your tender bid is not rejected.
Demonstrating cyber security certification is increasingly needed to win business and is a necessity for companies bidding for certain Government contracts. For those contracts, any organisation, regardless of size, must hold at least Cyber Essentials certification if it wishes to tender. Government is not alone in wanting suppliers to show they take cyber security seriously: many private sector organisations check cyber security credentials as part of their tender processes. Organisations that cannot evidence their credentials and fitness to bid risk falling at the first hurdle.
The path to certification
In the UK, certification can be achieved through Cyber Essentials (CE), a government and industry backed scheme designed by the National Cyber Security Centre (NCSC), the UK's technical authority on cyber security. Delivered in collaboration with IASME[i], the scheme helps organisations protect themselves against the most common cyber-attacks. Here are three steps businesses can take to become Cyber Essentials certified.
1. Complete the self-assessment questionnaire (SAQ)
The SAQ includes approximately 50 questions covering the 5 security controls required for Cyber Essentials certification:
- Secure configuration
- Boundary firewalls
- Access controls
- Patch management
- Malware protection
The completed self-assessment questionnaire serves as a statement of compliance and demonstrates that your organisation has met the scheme’s requirements. A board member will have to sign a declaration that all the answers provided are true.
2. Schedule a technical audit
To achieve the next level of certification, Cyber Essentials Plus, an assessor carries out a technical audit of your systems after the SAQ is complete, to verify that the Cyber Essentials controls are actually in place. The audit scope includes a representative set of user devices, all internet gateways and any servers with services accessible to unauthenticated internet users. The assessor tests a suitable random sample of these and then decides whether further testing is required.
3. Obtain your certification
To achieve Cyber Essentials Plus an organisation must fully answer all SAQ questions and pass the technical audit. Once both steps are complete, certification is awarded; it is valid for a limited period and organisations are recommended to renew and recertify annually.
Sounds daunting?
The process of becoming and remaining certified can seem daunting but achieving certification doesn’t have to be costly or complex. Using an online information security management system (ISMS) that incorporates GDPR and Cyber Essentials Plus is a simple and cost-effective way to carry out a gap analysis and highlight the areas that your business needs to focus on.
CySure’s cyber security solution is designed to deliver these quick wins. It provides businesses with a staged approach to compliance and certification, guided by a virtual online security officer (VOSO). Effective cyber security is a journey rather than a destination, and for most SMEs Cyber Essentials Plus is the ideal certification: it evidences the security credentials most organisations ask for in tender bids and is a lower cost scheme than ISO 27001. Cyber Essentials meets the requirements for working with the UK public sector and with many private sector organisations.
Cyber security in the spotlight
Data breaches make big headlines, and all organisations are under scrutiny to ensure they take the protection of personal data and cyber security seriously. Arguably, Government is under the greatest scrutiny of all. The Information Commissioner’s Office (ICO) has shown no hesitation in fining organisations that fail to protect personal data, regardless of whether they are central Government, public sector or private sector. Data breaches caused by poor cyber security at suppliers have become a recurring problem that companies, especially those with extended supply chains, are seeking to stamp out. Prime suppliers are therefore increasingly checking the cyber certifications of their lower tier suppliers, because criminals use weaknesses further down the chain as a route to target the prime contractor.
Don’t miss out on valuable tenders – get certified!
Cyber Essentials certification provides businesses with a strong base from which to reduce the risk from these prevalent cyber threats. By becoming certified, an SME is not only making its business a tougher target but also increasing its chances of success in the tender process for new contracts. Attracting new business and renewing existing contracts become easier with the assurance that your organisation has externally audited cyber security measures in place.