Cyber Essentials represents good security practice for firms of all sizes in the UK.
Very small and micro businesses with a very small number of staff can get the certification on a self-service basis at very low cost. However, these businesses often lack the technical resource, skills, or time to complete the process.
The questionnaire may look simple, but the time input to complete it accurately is significant, and a comprehensive Cyber Essentials Assessment needs practical technical knowledge and skills.
SMEs and larger businesses suffer from resourcing issues in other ways - IT teams are often very busy delivering important business projects or supporting the day to day infrastructure, or may not have dedicated security capabilities in house
Also, Cyber Security is no longer just a technical risk - in larger businesses a wider team needs to be assembled to tackle the issues.
What is an ACE Practitioner?
The Accredited Cyber Essentials (ACE) Practitioner is an IT professional:
with at least 3 years of Information Security experience
who has undertaken hands-on and theoretical training
who is qualified by passing the relevant examinations to valid their knowledge of the Cyber Essentials Scheme.
A good Accreddited Cyber Essentials practitioner may have significantly more experience of designing, implementing and supporting IT solutions in your specific profession or industry.
The practitioner should give you step by step assistance with the whole process from start to finish.
A good ACE Practitioner will work across your business and provide a new perspective on the issues, which helps significantly with the speed and effectiveness of your compliance process:
1. Enabling the team
Good IT Security is a team effort - a good practitioner can help your team build a close and productive working relationship:
IT Team or Outsourcer? Either way, those technical people need a seat at the table, as they often lack direction or clarity about the actual practical steps that are needed to reach compliance.
Partners / directors - Security must be sponsored from the top down with a culture of compliance.
Compliance / risk officers - must work with the technical people to help understand the risks and consequences, so practical and workable solutions can be found
and the practitioner themselves. A good ACE practitioner will be an experienced consultant, with cross-functional skills. Strong technical skills will allow them to bring real insight to your most complex challenges; A good background in business and interpersonal skills will help motivate a team who don't normally work together.
Start with a Cyber Essentials or Cyber Essentials plus assessment - it's an objective look at your systems which highlights where they might need attention. Your practitioner should do a gap analysis showing where your systems meet or don’t meet the standard – it highlights where to focus your efforts, and where effort isn't needed.
A good practitioner will also understand your industry applications - they'll really understand where your critical data is, which is where the risk of attack is greatest.
Processes, procedures and best practice advice - a good practitioner will give you advice on these and may have a library of template procedures which can be tailored to your business.
Systems monitoring for security - a great line of defence against security breaches in the future. Cyber Essentials is a snapshot in time - monitoring helps extend your compliance into the future:
suspicious system activity should alert your IT or compliance team automatically.
A recent attempted breach of the UK Parliamentary email system was detected and defended as a result of automated monitoring detecting suspicious activity.
Managing IT for security rather than convenience needs a mindset shift throughout the organisation, and a good practitioner can help here too:
must be sponsored from the top down, and does need investment.
IT security can be done automatically so it’s as unobtrusive to your users as possible.
If you would like to talk about how a Cyber Essentials ACE Practitioner can help your firm achieve compliance, or simply improve security practice in your firm, please talk to us.