As the question ‘why do I need a Cyber Essentials certification?’ continues to arise, Dr Emma Philpott, Director and CEO of the IASME Consortium Ltd, answered it and other pointed questions from her own point of view in a recent webinar with Risk Crew. Give yourself a moment out of your day and enrich your knowledge. Read on to learn why Cyber Essentials is not just a tick box for certification…
“Emma, I know it’s your/IASME’s job to promote the CE scheme…but if you ran your own small business, would you certify to CE…and why?”
“Yes, I would. I would not be able to promote it if I did not think CE was a good thing. Right from the beginning, IASME has always stood up for the smaller micro-companies. We have always been in a room full of people from large government organisations, and we have blown people’s minds when saying, ‘what about the sole trader using a tablet in Starbucks?’ Many company owners think that a Cyber Essentials Certification is only for a government contract. However, if or when you come across a breach, one of the most prominent aspects is having proof that you have cared enough to get a certificate to protect your organisation, which is worth a lot of money.”
Have you ever had a company say, ‘well, that was a waste of time’?
“Many business owners think that achieving a Cyber Essentials Certification is just a tick box that the government recommends. It is about understanding the process and importance of the certification. Usually, when carrying out the certification, you may need to make changes to your working environment. Sometimes, the importance of making changes is not understood practically, which results in refusal of the process. Refusal leads to businesses thinking it was a waste of time. Most organisations believe Cyber Essentials is just a tick box, and it is something the government requires to get that official contract. However, they fail to understand how vulnerable they could be if they do not make changes, because most companies need to make changes to be certified. I’m always surprised how many people feel that they are forced into getting the certification but then are so glad to have achieved it.”
In your opinion, what is the best metric or KPI (key performance indicator) an organisation can measure to demonstrate the security improvements of certifying?
“The main KPI is getting that certificate. We do it every year, and we’re not officially allowed to certify ourselves, so we have one of our certification bodies do our Cyber Essentials Plus every year because we see it as a useful exercise. Every year we find something that needs to be fixed before achieving CE+ to stay up to that level. Previously, we had one year where none of the patches had taken, and we were not aware of that vulnerability until it was time to renew our annual certification. That’s what we see as an essential KPI.”
Cyber Essentials Certification – It’s Not Just a Tick Box
There you have it. You don’t have to take just our word that Cyber Essentials (CE) provides a strong building block for your overall security programme; you’ve now heard it from the CEO of IASME.
As a CE certifying body since the scheme’s inception, Risk Crew encourages companies seeking certification to consider the benefits of Cyber Essentials Plus. With Plus, you receive verification of your CE questionnaire responses and a technical assessment of the security integrity of your IT infrastructure.