“Last year, the average cost of breaches to large businesses that had them was £36,500. For small firms the average cost of breaches was £3,100. 65% of large organisations reported they had suffered an information security breach in the past year, and 25% of these experienced a breach at least once a month. Nearly seven out of ten attacks involved viruses, spyware or malware that might have been prevented using the Government’s Cyber Essentials scheme.” (Quoted from the 2016 Government Cyber Health Check and Cyber Security Breaches Survey)
The recent cyber attacks have affected firms across the UK and globally. At Nittygritty we already provide much of the security tooling within your IT, but holding Cyber Essentials Plus (CE+) certification reassures stakeholders across your value or supply chain that the additional precautions mandated by the National Cyber Security Centre (NCSC) have been taken and independently tested. Being listed on the NCSC's directory of organisations awarded CE+ also widens your audience and client potential: many firms, and UK government procurement, will only work with Cyber Essentials certified suppliers. We are currently certifying clients who want certification ahead of the General Data Protection Regulation (GDPR) deadline in May 2018. The processes and procedures recommended for GDPR receive an additional layer of technical "checks and balances" with Cyber Essentials Plus. It is designed to button up all external, Internet-facing infrastructure and user workstations, while an internal authenticated scan tests the robustness of the security configuration, patch levels and malware protection for each device type and build. So once your data handling is in line with GDPR, CE+ gives you tested evidence that the basic technical controls protecting that data are in place. It is about a 4-6 week process, depending on the size of the firm, and well worth the effort.
By August Nazareth, Client Engagement
Cyber Essentials Plus certification through Nittygritty combines a thorough, objective audit, scoping exercise and report on your IT security boundaries and controls, regardless of whether you are an existing client or have only engaged us to achieve CE+. To comply with the NCSC’s requirements, we work with a CREST-accredited partner to provide an onsite visit, internal vulnerability testing* and external scanning**. On passing these tests, a CE+ certificate is issued. Depending on your firm, your customers and your future business acquisition efforts, there are two paths to take.
Cyber Essentials is the baseline that lets you bid for UK government contracts that require it, and Cyber Essentials Plus gives you the opportunity to work with the MOD. You can find procurement details here. CE+ is also for companies that wish to demonstrate, for GDPR purposes, that prescribed technical security measures have been met and independently verified.
Both cover the same five security controls (secure configuration, boundary firewalls, access control, patch management and malware protection). Cyber Essentials is verified by self-assessment; CE+ adds an internal vulnerability scan and an onsite visit by the assessor, so the controls are tested rather than declared. Nittygritty carries out an audit and scoping of all in-scope IT systems, resulting in a report that lists the remedial actions, upgrades or new purchases (if any) needed to bring your infrastructure into compliance for Cyber Essentials Plus.
* The internal tests are an authenticated vulnerability scan plus a test of the security and anti-malware configuration of each device type/build. The authenticated scan checks patch levels and system configuration; the anti-malware/security test confirms that the firm’s systems resist web-downloadable binaries and malicious email attachments.
The malware-protection tests deliver test payloads by inbound email (as attachments, and as messages containing URLs that link to downloadable binaries) and by browser download, including browser exploitation payloads, and check that each device type/build blocks or quarantines them. An authenticated vulnerability and patch-verification scan is also conducted on each build.
** External testing identifies vulnerabilities within a firm’s Internet-facing infrastructure and user workstations that could be exploited by attackers with a low level of skill. A full Transmission Control Protocol (TCP) port scan, a top User Datagram Protocol (UDP) service scan and a vulnerability scan are conducted against the scoped IP range. A web application scan identifies common vulnerabilities in any Internet-facing web applications.
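Firms often want to see their external footprint before the assessor does. The following is an added example (not Nittygritty's or the CREST partner's tooling) of a pre-check for a scoped range: it builds the three nmap scans that correspond to the full TCP port scan, top UDP service scan and vulnerability scan described above, and reduces nmap's grepable output to a list of open ports to reconcile against the boundary firewall rules. It assumes nmap is installed and that you are authorised to scan the target; the target range, output prefix and the sample .gnmap line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the page's or the assessor's tooling): pre-check a
# scoped Internet-facing range ahead of a CE+ external test.
# Assumes: nmap installed, and authorisation to scan the target.
set -u

# Emit the nmap command lines for the three external checks CE+ performs:
# full TCP port scan, top UDP service scan, and a vulnerability scan.
# $1 = scoped target (IP, CIDR or hostname); $2 = output file prefix.
ce_plus_external_cmds() {
    target="$1"
    out="${2:-ce-external}"
    # Full TCP: all 65535 ports, SYN scan, service/version detection.
    echo "nmap -Pn -sS -p- -sV -oA ${out}-tcp ${target}"
    # Top UDP: nmap's 100 most common UDP service ports.
    echo "nmap -Pn -sU --top-ports 100 -sV -oA ${out}-udp ${target}"
    # Vulnerability checks: NSE 'vuln' script category on detected services.
    echo "nmap -Pn -sV --script vuln -oA ${out}-vuln ${target}"
}

# Run the scans in order (SYN and UDP scans need root); stop on first failure.
ce_plus_external_run() {
    ce_plus_external_cmds "$@" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd" || exit 1
    done
}

# Reduce nmap grepable output (the .gnmap file written by -oA) to one line
# per open port: "<host> <port>/<proto> <service>". Anything listed here that
# is not a deliberately published service is a finding waiting to happen and
# should be closed at the boundary firewall before the assessor's scan.
open_ports_from_gnmap() {
    awk -F"$(printf '\t')" '
    /^Host:/ {
        host = $1
        sub(/^Host: /, "", host); sub(/ .*$/, "", host)
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            ports = $i
            sub(/^Ports: /, "", ports)
            # Entries are "port/state/proto/owner/service/rpc/version/"
            n = split(ports, p, /, /)
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] == "open") print host, f[1] "/" f[3], f[5]
            }
        }
    }'
}

# Constructed sample of a .gnmap Host line (not real scan output): two open
# services and one filtered port that must not appear in the result.
SAMPLE_GNMAP="$(printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: filtered (65532)')"

# Parse the constructed sample (runs offline, no nmap needed).
ce_plus_demo_open_ports() {
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
}

# Stand-alone run: show the commands for a constructed /28, then the sample.
ce_plus_external_cmds 203.0.113.0/28 acme
ce_plus_demo_open_ports
```

Running the block prints the three nmap command lines and then `203.0.113.10 22/tcp ssh` and `203.0.113.10 80/tcp http`; the filtered 3389/tcp entry is dropped. Replace the constructed target with your own scoped range, run `ce_plus_external_run` as root, and feed the resulting `.gnmap` files through `open_ports_from_gnmap` to get the list to reconcile against your firewall policy.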