When will you need Cyber Essentials in a tender process?
Cyber Essentials (and its bigger, more complex brother, Cyber Essentials Plus) have been a mandatory requirement for dealing with public sector bodies in certain areas, particularly those that come into contact with data for number of years now. However, it is becoming much more commonplace in any tender from a public body that businesses bidding for work are required to state whether or not they are Cyber Essentials accredited. Although it’s impossible to know the exact scoring systems of every tender, the chances are that it plays a key part.
In the private sector, Cyber Essentials has always been encouraged as a best practice approach to cyber security but hasn’t been seen as a vital competent of winning new business. However, this has changed and following a review of over 50 tenders which we’ve had access too in the last 6 months, all but two specifically asked about Cyber Essentials and all asked questions about both cyber security and data protection.
It’s also worth noting that we have seen an increase of more than 2000% in the number of tenders we are asked to complete as an IT company (and we deal primarily with private businesses). It’s clear from this that tenders are becoming a much more common way of conducting procurement processes in the private sector and Cyber Essentials is an important part of the criteria for any potential suppliers.
What is Cyber Essentials (in a nutshell)?
Cyber Essentials is a government backed accreditation which provides a framework for implementing and maintaining best practice cyber security and data protection practices.
The accreditation itself works in the form of a questionnaire and is overseen by an organisation called IASME who became responsible for the management and accreditation of the scheme in 2019 after it was originally launched in 2014.
In order to achieve the Cyber Essentials accreditation you must complete an online assessment, however the questions are available to view for free so you can prepare and understand your current position.
The most recent version of the survey is available to download from https://iasme.co.uk/cyber-essentials/
Some example questions (at the time of writing) are:
- Do you have any services enabled that can be accessed externally from your internet router or hardware firewall?
- Have you configured your internet routers or hardware firewall devices so that they block all other services from being advertised to the internet?
- Have you changed the default password for all user and administrator accounts on all your laptops, computers, servers, tablets and smartphones to a non-guessable password of 8 characters or more?
- Are all operating systems and firmware on your devices supported by a supplier that produces regular fixes for any security problems?
- Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release?
- Do you ensure that staff only have the privileges that they need to do their current job? How do you do this?
- Have you enabled two-factor authentication for access to all administrative accounts?
These a just a small selection of the questions you need to answer in order to achieve a Cyber Essentials Certification.
As well as the standard Cyber Essentials Certification that is also Cyber Essentials Plus which is typically recommended for larger businesses, businesses that process large amounts of data or those that deal with particularly sensitive data.
For more information about Cyber Essentials visit our Cyber Essentials FAQs video.
Why am I being asked for Cyber Essentials on a tender?
The reason that Cyber Essentials is becoming commonplace on tender documents is because cyber crime continues to increase every year. As a result, businesses have to improve their own cyber security (and maintain it) in order to prevent the loss of data which can lead to, amongst other things, large fines.
Because suppliers often deal with data on behalf of their customers or have access to sensitive information it’s important for any business appointing a new supplier to ensure that they are safe to deal with.
Ultimately the responsibility of data lies with the business that owns it, so as well as ensuring that they have a cyber security strategy in place to protect their data, they must ensure that any suppliers who could access it are following best practices as well.
Can I just get the Cyber Essentials certificate to tick the box?
Cyber Essentials is more than just filling out a form and waiting a year to complete your re-accreditation.
As you will see from some of the example questions in the article, many parts of Cyber Essentials require ongoing maintenance and updates. Therefore, you will not only need the systems and software in place to protect your business but also the ongoing processes to support them.
The most obvious example of this is updating, or patching, software as new security releases become available. Because cyber security is always changing and evolving, the process of updating software ensures that it is protected against the most recent known threats, not just those that were common when you first completed your certificate.
If you fail to maintain your cyber security solutions then you could still be in breach of GDPR if you suffered a breach, could render any cyber insurance you have invalid, are likely to fail your Cyber Essentials re-accreditation the following year and, most importantly, would have a lot of explaining to do to your customer(s) if you did fall foul of a cyber breach.
How hard is Cyber Essentials to get?
This completely depends on your approach to cyber security in the past. If you have been proactive then Cyber Essentials could simply be a box ticking exercise and there could be no changes to your system needed.
In our experience however, this is rare.
Even businesses who think they have invested in cyber security have often done the bare minimum and nowadays, that is not enough.
Cyber Essentials can be carried out by anyone but in order to complete it accurately you will need a good understanding of IT, cyber security and your own IT network which is why most businesses employ a cyber security expert, such as The HBP Group, to carry it out for them.
Note of caution!
There are plenty of “experts” online advertising Cyber Essentials certifications for around £300. Whilst the cost of the certification itself is £300 the true cost is in the work required to ensure you can answer the questions honestly and accurately.
Don’t ever be tempted to lie or bend the truth in the order to pass the certification. You could end up with an IT network that could be easily compromised and although you might win a tender, the costs of losing your data in the future and explaining this to your customers would be far greater than doing it properly.
In our experience, most small and medium sized businesses need to budget between £5,000 and £20,000 per annum in order to achieve and maintain an IT network that would pass Cyber Essentials.
How long does it take?
Ignoring any potential delays (such as those caused by COVID) most businesses can achieve their Cyber Essentials certificate within about 2 weeks of work commencing.
Can I do it myself?
In theory, yes. As long as you have the knowledge of IT, your IT network and the time required to implement anything required and maintain it, then you shouldn’t have a problem.
If you’d like to see what is involved visit https://iasme.co.uk/cyber-essentials/ and look for the Self-Assessment Questionnaire which will explain the process and show you all of the questions you’ll need to answer.
How do I get started?
If you decide that you need help with your Cyber Essentials accreditation, then we can carry out an audit on your IT system to understand your current position.
From there we will understand any gaps that you need to fill in order to achieve the certificate and create a plan to fix any issues and maintain your system in the future.
If you’d like to find out how we can help simply complete the form at the top of this page or email email@example.com