31 January 2019

Cyber Essentials: What SMEs need to know

SMEs bidding for Government contracts need to ensure that their cyber security processes and systems are up to a certain standard or level of protection

When you think about the bidding process for a Government contract, easy and fast are not words which might initially come to mind. Certainly, the Federation of Small Businesses has stressed on several occasions that small business owners are put off bidding for Government contracts because of the process, often considered to be complicated, in addition to having concerns about late payments that may be incurred.

However, there is change coming and by 2022, the Government plans that one third of its spend on goods and services will be with SMEs – either directly or through the supply chain. This represents a significant opportunity for the approx. 343,535 private SMEs in Scotland and reinforces the efforts the Government has taken to actively support and encourage them to bid for and win public sector contracts.

Sort your IT security

However, before being able to start working with Government, there may be a need to ensure that your processes and systems are up to a certain standard or level of protection. While traditionally this would have meant having specific HR policies in place or professional indemnity insurance; now, with the threat of cyber-attacks, the guidance is evolving.

It has been reported that 2017 was the worst year for data breaches and cyber-attacks ever. In fact, according to the National Cyber Security Centre, between October 2016 and the end of 2017, 34 significant cyber-attacks were recorded, with WannaCry the most disruptive of these. 762 less serious incidents (typically confined to single organisations) were also recorded. Given this impact, public sector bodies increasingly expect that, as part of the bid process, SMEs are able to demonstrate that they take cyber security seriously and can prove that their systems are secure and pose no risk to highly confidential information.

But how can an SME do this?

Introducing Cyber Essentials

One certification that both the UK and the Scottish Government are actively promoting across their supplier base is Cyber Essentials and Cyber Essentials Plus. These relatively new accreditations demonstrate to your current and potential customers that your company has taken very specific practical steps to protect itself against cyber-attacks. The National Cyber Security Centre (NCSC) estimates that implementing Cyber Essentials Plus will protect an organisation from 80% of known cyber threats. It is also expected that in the future, Governmental bodies will increasingly only work with those businesses that hold it.

As part of the certification, businesses are required to do five things:

  1. Secure their internet connection
  2. Secure devices and software
  3. Control access to data and services
  4. Protect systems from viruses and other malware
  5. Keep devices and software up to date

To obtain certification, an accredited third party then confirms that these steps have been taken to a satisfactory level.

Get certified

While there is a cost to certify your organisation (both in terms of the certification and perhaps cost to tidy up your IT security too), the potential return on investment could be far greater to the business through new contracts secured.

To get started, there are several accreditation bodies who are supporting SMEs with the adoption of Cyber Essentials.

Need any other support?

Due to the complexities of the public sector bidding process, it can be beneficial to have someone you can call on; speaking to external organisations with relevant experience is essential. The NCSC can be a good resource to start with, but for more business-related queries, speaking with a business adviser can be sensible in outlining the clear steps that need to be taken to ensure a successful accreditation.

While not exhaustive, these initial steps can help SMEs take their first steps to working with the public sector. Given the rise of data breaches and cyber-attacks on organisations large and small, the financial cost will not just lie in ‘mopping up the mess’ post-attack. Company reputation will also take a hit which may hurt chances of working with other organisations. The question SMEs need to be asking is: can we afford not to get Cyber Essentials accredited?