Cyber Essentials — Should It Be Mandated in SMBs

by Tony Richardson CISSP

It’s eight years since the Cyber Essentials scheme was launched. Many SMBs have been certified against it, putting a baseline of technical controls in place and giving customers some assurance that their data is handled with care. But others haven’t yet registered.

So should it be left for individual SMBs to decide whether to implement Cyber Essentials — or should it be mandated?

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme, launched in 2014, that sets out a baseline of technical controls to protect businesses against the most common cyber attacks. It is now owned by the National Cyber Security Centre (NCSC), which was formed in 2016, and delivered through its partner IASME and a network of accredited certification bodies.

The process is that a business wanting to be certified completes a self-assessment questionnaire covering the scheme’s five control areas: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and security update management (patching). The answers are reviewed by a certification body accredited under the scheme, not by NCSC itself, and if they meet the standard the business is awarded a certificate. The higher level, Cyber Essentials Plus, adds a hands-on technical audit in which an assessor verifies the controls, including an external vulnerability scan.

Why Is Cyber Security Important?

A report in 2020 found that 88% of UK companies had suffered a data breach in the previous twelve months. These can vary in seriousness, but in reality there’s no such thing as a minor data breach.

It’s rare for cyber-attacks to come from highly sophisticated sources that penetrate robust defences. The vast majority are the result of either inadequate systems or human error. Think opportunist car thieves finding your door open, rather than a professional gang targeting your new Lamborghini — and you wouldn’t leave your car unlocked, would you?

However, an SMB suffering a data breach can be far more devastating than a car theft. The data that’s stolen from you will almost certainly include information about third parties, such as customers, suppliers and employees, and losing this data through carelessness can have serious consequences.

For one thing, if it’s an attack that denies you access to the data, such as ransomware, it may prevent you from continuing to trade for a period. In addition to disrupting your business, it could also have a knock-on effect, disrupting your supply chain. Even if you have business interruption insurance, there’s no guarantee your insurer will pay out if you’re deemed to have been careless.

In addition, the business may face a substantial regulatory fine under UK data protection law, and you, as an owner or director, could face personal liability if you’re found to have been negligent. With all of this, it’s not surprising that many businesses that suffer a serious data breach never recover.

Why Cyber Essentials?

The good news is that most of this is preventable. The five controls set out by Cyber Essentials (firewalls, secure configuration, user access control, malware protection and timely patching) are basic cyber hygiene, and NCSC’s position is that they protect against the great majority of common, untargeted attacks. They won’t stop every determined adversary, but they remove the open door that opportunist attackers rely on.

But couldn’t you just follow the standards, without actually going through the process of gaining the certificate? That would certainly help you to prevent breaches, but who would know? Having the Cyber Essentials certificate on your website and marketing materials gives potential clients independent assurance that baseline controls are in place, making it far more likely that they’ll do business with you. It is also already a requirement for many UK government contracts that involve handling personal or sensitive information.

So, should Cyber Essentials be mandated for SMBs? I believe there’s a good argument for this. After all, by not meeting the standards, you’re risking not only your business, but your whole supply chain — not to mention anyone whose information you’re holding.

Whatever the outcome of that debate, failing to implement the Cyber Essentials controls leaves you exposed to fines, legal action and, in the worst case, the collapse of your business. Get in touch with us to find out more about how to avoid this.