Why is the Cyber Essentials Accreditation so important for SMEs?

Looking at media reports, you would easily be forgiven for thinking that cyberattackers are only interested in global brands and organisations with major political significance. In reality, however, cyberattackers frequently target SMEs. They may have less data to steal (and/or less money for ransom) but they can also be much easier targets to attack. That's why the government introduced the Cyber Essentials accreditation.

What is the Cyber Essentials accreditation?

The Cyber Essentials accreditation is a government-backed cybersecurity accreditation created specifically with the needs of SMEs in mind. This includes an acceptance of the fact that many SMEs operate under very tight budgets. The Cyber Essentials accreditation, therefore, balances effectiveness with affordability by focusing on core security controls.

The focus of the Cyber Essentials accreditation is on empowering SMEs to protect themselves against common cyberthreats. In other words, it aims to stop SMEs from being easy targets for unskilled cyberattackers. SMEs that hold small quantities of relatively low-value data are unlikely to be of interest to skilled cyberattackers. These measures should, therefore, be enough to protect most SMEs for the present.

With that said, cyberthreats are continuously evolving and the Cyber Essentials accreditation recognises this fact. It, therefore, encourages a culture of continuous improvement. It also highlights the need for SMEs to help themselves by informing themselves of emerging cyberthreats and updating their cybersecurity to counter them.

What are the benefits of Cyber Essentials accreditation?

The main benefit of the Cyber Essentials accreditation is that it enables SMEs to be more effective at protecting both their own data and the third-party data they hold. The secondary benefit is that SMEs can demonstrate their competence in this. Here are three specific examples of how that can be an important benefit to them.

Compliance with legal and regulatory requirements

GDPR is the obvious example here. Even without GDPR, however, businesses have a legal obligation to protect third-party data. This includes data relating to their own employees. Gaining Cyber Essentials accreditation should reduce the risk of data breaches.

It may also help to mitigate the consequences if they do happen. In short, it will serve as evidence that the business did take all reasonable steps to protect the data. This looks a lot better to regulators (and the public) than being perceived to have been ignoring security.

Access to more business opportunities

No matter who your target customers are, they are increasingly likely to be more aware of the importance of keeping data safe. Private consumers will be concerned about their own data. Businesses and organisations will potentially be concerned both about their own data and about any end-customer data they share with you.

David Hanley, Director of The Red Penguin Group commented, “Having a recognised security accreditation such as the Cyber Essentials accreditation is a straightforward way to demonstrate that you can be trusted with other people’s data. This can open up business opportunities that would otherwise have been closed to you.”

Easier recruitment of staff and freelancers

All businesses need to collect sensitive data from their employees, including payment data. Many businesses will also need to collect data from freelancers. Both staff and freelancers will want to be confident that their data will be kept safe. Again, having the Cyber Essentials accreditation is an easy way to reassure them that you can be trusted.

Less risk of reputational damage

Cyberattacks on SMEs are unlikely to make national headlines (and certainly not international ones). They may, however, be reported in niche outlets such as local media and trade press. They are highly likely to find their way onto social media. Recovering from this negative media can be a lot more challenging than recovering from the cyberattack itself.

Achieving Cyber Essentials accreditation is, effectively, a low-cost insurance policy against reputational damage and its long-term effect.