Government sets the bar for Cyber Risk with Cyber Essentials
Department of Business, Innovation & Skills Minister, Right Hon David Willetts MP, has announced the certification framework for Cyber Essentials, the governments new initiative aimed at creating a minimum expected capability for cyber security.
The Cyber Essentials Scheme (CES), announced in April, helps businesses by clearly detailing five basic cyber controls that can be cost effectively implemented in most businesses and demonstrate the minimum that should be in place to combat crime and disruption.
David Willets said “The recent GOZeuS and CryptoLocker attacks, as well as the Ebay hack, shows how far cyber-criminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent.”
During the launch presentation at the HQ of the Institute of Chartered Accountants for England and Wales, he stressed more action on Cyber Risk was urgently needed to address the rising threat of crime and disruption from a lack of action on cyber risk.
Government and industry experts believe that the cyber controls identified in the Cyber Essentials Scheme would stop up to 80% of the most common computer security breaches.
It was also announced that Barclays, BAE Systems and HP are amongst the first to sign up with smaller businesses Nexor, Tier 3 and Skyscape flying the flag for smaller businesses. The University of Derby, the Confederation of British Industry, the Institute of Risk Management and the Institute of Chartered Accountants in England and Wales have also committed to scheme.
Mr Willetts’ highlighted the importance of Cyber security, saying “We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cyber-security. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber-threats.”
Cyber Essentials isn’t aimed at large or high tech companies, it aims to address all business by setting the minimum standard any organisation should be expected to meet. Larger firms may choose to use Cyber Essentials as a means of improving risk management across their supply chains. Smaller companies can use the scheme to show their stakeholders they are see the issues and have taken steps to protect both themselves and their customers.
The Cyber Essentials Scheme includes an aspect that a company can use to show it takes cybersecurity seriously as it provides the ability to gain one of two new Cyber Essentials badges. These demonstrate effective measures have been put in place to improve their cyber-security.
Organisations can do a self assessment or choose to adopt independent review by an external certifying body. Firms responsible for these checks must be accredited one of the approved bodies. Two of these CREST and Information Assurance for Small and Medium Enterprises (IASME) Consortium participated in the development of Cyber Essentials and they have been joined by QG Management Standards.
Ian Glover president of CREST stated “Not all organisations have the resources available to invest in the most rigorous levels of information security and compliance. Cyber Essentials addresses this by creating a baseline for UK cyber security,”.
By focusing on just five critical cybersecurity issues the scheme eliminates four out of five of the commonest vulnerabilities most frequently exploited. This makes Cyber Essentials extremely cost effective and an ideal first step in addressing the cyber risks businesses of all types face. It provides a pathway to help organisations lever investment in other cybersecurity protocols and is compatible with most international Standards such as ISO 27001.
Russell Price, Chairman of the Continuity Forum said “By implementing processes and controls in the scheme organisations will not only have practical measures to close security holes and vulnerabilities, but will also be help the business assess if additional measures are needed. Companies need to really think hard about Cyber Risk and Computer Security and all the connections with their business performance and not just treat cyber as an IT issue.”
He adds "Cyber Essentials is a very useful tool for Business Continuity and Risk Management professionasl too. If organisations are handling your data or have access to your systems then they really should be able to show they have these basic vulnerabilities covered. Look at how your business is addresing cyber risk and build in the principles identified in CES and you will have closed out around 80% of the risk of disruprion or loss from this vector. It's an easy win."
CES was the result of a year long consultation with business led by BIS and CESG, the Information Security arm of GCHQ, business, including contributions from Cyber Risk and Insurance Forum (CRIF) and the Continuity Forum. This led to ISF, IASME and the BSI combining their resources under BIS guidance to develop this new initiative.
From 1 October 2014, government will start introducing the requirement for suppliers bidding for certain contracts that are assessed as higher risk to be Cyber Essentials certified. The suppliers and contracts affected are likely to be from the following sectors: IT managed or outsourced services, commercial services, financial services, legal services, HR services and business services.Further guidance for suppliers will be issued later this year.
Cyber Essentials is part of the UK National Security Strategy.
You can find out more about Cyber Risk and our work in this area by visiting the Cyber Risk and Insurance Forum