With ransomware attacks and data breaches on the rise, customers are understandably anxious to ensure that vendors and service providers are handling their data properly. Getting a cybersecurity certification for your business is a good way to stand out from the pack and show potential customers and business partners that you've done your security homework. But which should you get?
Perhaps the most relevant cybersecurity certification for small businesses in the UK is the government's own Cyber Essentials scheme. Operated by the UK National Cyber Security Centre (NCSC), it's a certification in good practice for cybersecurity.
Cyber Essentials offers two levels of certification. The first, Cyber Essentials, is a self-assessment option that demonstrates you're competent in five areas of technical controls: firewalls, secure configuration, user access control, malware protection, and security update management.
In this option, companies fill out an online questionnaire, and then a board member signs a declaration to confirm that all the information given is true. An assessor then checks over the answers and makes a decision.
This online questionnaire is also a requirement for the second, higher level of certification, known as Cyber Essentials Plus. Within three months of taking the questionnaire, you can apply for a hands-on technical audit from an accredited auditor working with the NCSC.
Cyber Essentials is a good all-round basic cybersecurity hygiene certification, but other certifications take a broader view of security controls. ISO 27001 focuses more on information security management. It looks at areas ranging from risk assessment and security policy through to asset management, physical security, and human resources security. It also examines issues such as access control and incident management. As a broader information security certification with many more moving parts, it is likely to take significantly more time and work, both to prepare for and to get assessed.
Some cybersecurity and information security accreditations are industry requirements rather than voluntary projects. One example is the Payment Card Industry Data Security Standard (PCI-DSS), created by the Payment Card Industry Standards Council, an independent body organized by the payment card companies.
PCI-DSS carries different levels of accreditation based on which type of merchant you are. That in turn is determined by criteria such as how many credit card transactions you process and how you take payments. This accreditation requires a mixture of regular automated vulnerability scans and possibly an on-site audit depending on your company's characteristics.
Why get certified?
When a set of industry partners demands certification, you don't have a choice. When it's a voluntary system, you'll weigh the time and cost of certification against three main factors:
- Reputation: Sporting a certification can go a long way towards building trust in your company before you even begin building a relationship with a customer. Certifications can also be a valuable marketing asset when building your industry brand.
- Compliance: A certification might be a requirement for some customers, especially those in heavily regulated industries. Doing all this groundwork now can avoid costly headaches later when a customer lists certification as a requirement on its RFP or sales contract.
- Peace of mind: Going through the certification process is also an excellent way to refine and improve your own cybersecurity and information management controls. Even if you are never asked to produce the certificate, it will make you more confident that you're offering a mature, safe service to your customers.