
For many Small and Medium Enterprises (SMEs), limited budget and resources make purchasing a suite of next-gen cyber security tools (as large enterprises typically do) a luxury.

What SMEs can have in their arsenal, however, is a cost-effective baseline of security measures, outlined in a straightforward and proven framework, which they can readily implement to deter opportunistic cyber criminals with fairly basic equipment and not a whole lot of technical skills.

This is where the Cyber Essentials mark comes into play.

Certificate awarded to Responsible Cyber upon successful fulfilment of the criteria of the CSA Cyber Security Essentials Mark assessment.

What is the Cyber Essentials mark?

The Cyber Essentials mark is a cyber security certification introduced by the Cyber Security Agency of Singapore (CSA) in 2022 as part of the SG Cyber Safe Programme which aims to help Singapore organisations better protect themselves in the digital domain and enhance their cyber security posture.

Organisations certified with the Cyber Essentials mark are deemed to have built a minimum level of security into their operations, which is why it is ideal for organisations that are embarking on their cyber security journey.

Though similar in function, CSA’s Cyber Essentials mark is not to be confused with the Cyber Essentials scheme in the UK.

What does Cyber Essentials cover?

As the name suggests, the Cyber Essentials mark outlines the basic cyber security controls that organisations should have in place to help mitigate risks from common internet-based threats like phishing emails, ransomware attacks, and brute force password attempts.

Comprising 78 clauses across five categories (Assets, Secure/Protect, Update, Backup, and Respond), the scope covers areas such as access control, secure configuration, software updates, and incident response.

Source: CSA

The mode of assessment will involve verification of the organisation’s self-assessment by an independent assessor from the appointed certification body.

Why should organisations (SMEs included) become Cyber Essentials certified?

For Responsible Cyber, obtaining the certification was equally about subjecting our own people, processes and technology to the same scrutiny that we encourage other businesses to undergo, as it was about demonstrating that adopting cyber security best practices can be done without necessarily breaking the bank or stretching resources thin.

Beyond that, the certification is important for many reasons.

Because of the role each organisation plays in modern supply chains, one organisation’s security is no longer just a matter of its own survival; rather, it has become a strategic imperative for preserving the integrity of a larger digital infrastructure.

Not only is no organisation completely immune to cyber threats, but SMEs also face considerably high data breach costs. Research from IBM’s 2023 Cost of a Data Breach Report shows that small organisations (5,000 or fewer employees) spend an average of USD 3.31 million per incident. Dismissing cyber security is not a gamble that SMEs can afford – the stakes are simply too high.

Moreover, contrary to popular opinion, SMEs are prime targets for cyber attacks. According to a recent study done on the Cost of Cybercrime, 43% of cyber attacks involve small business victims, which suggests that SMEs are right there on the frontlines along with their larger counterparts in the battle against cybercrime.

Against this backdrop, CSA’s Cyber Essentials mark emerges as a great leveller in making cyber security more accessible to SMEs that typically do not have the luxury of a dedicated IT security team, nor the ability to invest in robust cyber security measures and tools.

SMEs that are certified are also eligible to apply for the SME Cyber Security Excellence award that CSA is collaborating on with the Association of Trade & Commerce (ATC).

How do organisations go about getting Cyber Essentials certified?

  1. Review existing security policies and measures against the “Cyber Essentials mark – Self-assessment template”

At this early stage, involving your IT stakeholders would be your best bet to efficiently pinpoint which areas require improvement based on the outlined requirements.

During the self-assessment, organisations may unearth security issues and vulnerabilities, and this is to be expected.

Here are some common issues that may be discovered:

  • Outdated Software and Hardware
  • Weak Passwords
  • Insufficient Access Controls
  • Inadequate Security Policies
  • Insufficient Employee Training

  2. Implement controls to adequately address existing security vulnerabilities

One measure that any organisation can take today to improve its overall cyber security posture is to mandate two-factor authentication (2FA) on all its employees’ accounts. According to a report by Google, simply enabling 2FA on your Google account can block up to 100% of automated bot attacks and 99% of bulk phishing attacks.

This is just one of an exhaustive list of recommended security controls for organisations embarking on their Cyber Essentials mark certification.

For additional help with the cyber security measures that can be implemented, we recommend checking out CSA’s free online resource which gives free access to cyber security toolkits for guiding questions, templates and more.

  3. Document updated security controls

Updated policy documents should describe the security controls that have been implemented and how they are being monitored and maintained within the organisation. They should also include information on how security incidents are detected, reported, and responded to.

This is to ensure that the organisation’s policies remain reflective of the current measures that the organisation undertakes to address security risks and threats.

These policies can then be used to equip all relevant personnel with the know-how to be the first line of defence for the organisation. They can also be used to develop internal cyber security training exercises.

Conclusion

According to reports, 91% of all attacks begin with a phishing email to an unsuspecting victim. Suffice it to say, the majority of cyberattacks can be considered relatively straightforward, insomuch as a click or keystroke is sometimes all it takes for an organisation to experience a major security threat.

With that, the misconception that cyber security is complex and requires advanced technical knowledge is nothing but that – a misconception. However, it is a misconception that can make cyber security seem like a luxury only larger enterprises can afford. And therein lies the problem that Cyber Essentials sets out to redress.

Cyber security is not a luxury but a necessity, for SMEs and large enterprises alike.

Author: Wen Sin LIM
