Tuesday 11 May 2021

10 Things You Might Not Know About Cyber Essentials

IASME delivers Cyber Essentials on behalf of UK NCSC
By Sam Jones | Cyber Tec Security and Dave Whitelegg

What is 
Cyber Essentials? If you are just hearing about the Cyber Essentials scheme, read on as we unpack 10 things you might not know about Cyber Essentials.

1. UK Gov Launched Cyber Essentials in 2014
The UK Government National Cyber Security Centre (NCSC) published its ‘10 Steps to Cyber Security in 2012', after the UK Government agencies recognised small-medium sized UK businesses require further cybersecurity guidance and support in order to protect the British digital dependant economy. 

This led to the development of five critical 'cyber essentials' technical security controls which provides a minimum level of cybersecurity protection. Assurance of the adoption of these five security controls by an organisation provides a good degree of confidence an organisation is protected against the most common cyber threats, thus the UK Cyber Essentials certification scheme was born.

2. IASME is the Sole Partner of the NCSC in delivering the Cyber Essentials Scheme
As of April 2020, Information Assurance for Small and Medium Enterprises Consortium (IASME) won the contract to become the sole partner of the Cyber Essentials scheme on behalf of the NCSC. Prior to this, there were five different accreditation bodies operating under different methodologies. So to reduce confusion around the scheme and to streamlined the certification process, the NCSC decided to go with a single accreditation body - IASME.

IASME now oversees a large number of Certification Bodies based around the UK, all of which have qualified assessors able to certify businesses looking to achieve the certification.

3. Cyber Essentials is the only UK Government Cybersecurity Standard
Although there are other cyber certifications available, Cyber Essentials is the only scheme designed and backed by the UK Government. Holding the certification is a mandatory requirement for any business bidding on UK Central and Local Government, and Ministry of Defence (MOD) contracts. 

Although a UK standard, business outside of the UK can and are Cyber Essentials certified.

4. There are Two Levels to the Cyber Essentials Scheme
The scheme is designed with small-medium sized businesses in mind, offering a low cost and straightforward way to start their cybersecurity journey, protecting UK businesses from the most common cyber threats. 

To make the scheme more flexible, the are two levels, Cyber Essentials and Cyber Essentials Plus
  • Cyber Essentials requires the five basic security controls to be assessed and recorded on an IASME provided secure web portal, with a qualified assessor verifies the information provided. This simple self-certification costs around £300. 
  • Cyber Essential Plus (CE+) provides a higher level of assurance than the regular Cyber Essentials, so suites business striving to further demonstrate their cybersecurity posture to clients. Some clients may even require CE+ certification for their security assurance via a contractual clause.  The CE+ assessment process requires an external assessor to evidence and verify the five Cyber Essentials controls and requirements. The cost of a CE+ assessment will depend on the size and complexity of your business' IT network.
5. Cyber Essentials has to be Renewed every 12 months
Cyber Essentials certifications must be
 renewed every year, to demonstrate the business is still aligned with the standard requirements. However, despite certification requiring passing a point-in-time security assessment, it is important that the cyber essentials security requirements are continually met. This is comparable to taking in your car for an MOT, your car may be deemed road-safe on the day it passed all the MOT checks, but if the car becomes no longer road worthy a couple of weeks later, then the MOT certificate provides no protection for your car being both safe and legal to use on UK roads. Therefore, with Cyber Essentials, you must constantly verify compliance with the security requirements outside of the annual certification process, else your business will not benefit from the protection the security controls provides.

6. Achieving Cyber Essentials is Often Quick
Too many businesses put cybersecurity on the backburner because they lack the understanding and the time to properly assess their cyber controls and risks.  Achieving Cyber Essentials certification does not take weeks to complete. The Cyber Essentials assessment approach provides guidance to help identify and remediate any security shortcomings found, so you can ultimately obtain a Cyber Essentials state of operation and certification which can be used to prove your business compliance with the scheme to others parties.

Of course, the time to complete a Cyber Essentials certification will depend on the extent of the remediation work required, however, you do not need to be a security expert to fix the typical issues, as expert security guidance is provided through the online assessment process. Some businesses without security issues have managed to complete a Cyber Essentials assessment and then receive their IASME Cyber Essentials certification within 24 hours.

7. Cyber Essentials reduces the risk of ICO Financial Penalties
The UK Information Commissioner’s Office (ICO) regulates privacy rights and data protection compliance with the UK Data Protection Act (DPA\GDPR), for any organisation which processes and/or stores UK citizen personal information.  Failure to safeguard UK personal data from cyber-attacks can result in the ICO issuing of eye-water monetary penalties. The maximum amount is the higher value between £17.5 million and 4% of your annual turnover (based on the previous financial year). Recent penalties have involved Ticketmaster UK, Marriott International, and British Airways, the latter of which was fined £20m.

Adopting the Cyber Essentials controls helps to protect personal data. The ICO works closely with the NCSC and is said to look favourably on organisations that have obtained Cyber Essentials certification and are breached, which may reduce the chance of higher regulatory fines being imposed.

8. Cyber Essentials is for Big and Small UK Organisations
The Cyber Essentials certification has been adopted by many big names, including the likes of Vodafone, Deloitte, Accenture, BP and Barclays Bank. However, the scheme was very much developed with UK SME cybersecurity in mind. Adopting Cyber Essentials is a crucial first step for SMEs in taking their cybersecurity obligations more seriously, with a certification demonstrating security assurance both to customers and suppliers.

Small businesses are highly prone and are the hardest hit by cyber-attacks, although it doesn't seem that way given it's the large bluechip companies that tend to dominate the media headlines when comes to cyberattacks and data breach reporting. While larger companies can afford to incur the often heavy cost of a cyberattack, it tends to be a different story for small businesses, where a serious cyberattack can lead to the business permanently closing.

SMEs are commonly in the supply chain of larger organisations, as such are targetted by cybercriminals seeking to gain access to those organisations, given IT security is often a lot weaker at SMEs than the attacker's target. Once SME systems are compromised by an attacker, it can be a simple process to hop through the supply chain network to the target organisation.

9. Cyber Essentials is still needed if other Security Certifications like ISO27001 are in place
ISO27001 is a popular internationally recognised information security business management certification. Holding ISO27001 certification does not mean Cyber Essentials is an unnecessary additional certification, although the two standards complement each other well.

Cyber Essential provides a prescriptive set of security requirements which in turn provides confidence of a fundamental and a standard set of industry recognised good practice technical controls are in place and effective. This one of the reasons why Cyber Essentials is increasingly used to assure the security of supply chains through due diligence.

10. USA are Big Supporters of the Cyber Essentials scheme
Thanks to the Cyber Essentials scheme’s early success, the United States of America Cybersecurity and Infrastructure Security Agency (CISA) introduced Cyber Essentials and the culture of cyber readiness to small businesses and government agencies to guide them on their cybersecurity journey.

In line with other international security standards like the NIST framework, Cyber Essentials is a fantastic approach for those wanting to better understand their organisation’s cybersecurity defenses and the best practices for improving it.

No comments: