Today sees the UK Government launch a scheme to help businesses become more secure.
Developed by Government and industry to provide a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet based threats, and to offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions, the Cyber Essentials scheme offers ten steps to security.
According to the Telegraph, the scheme is being backed by AIG, Marsh, Swiss Re, the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association, and is available to universities, charities and the public sector. BAE Systems, Barclays and Hewlett-Packard are among the first companies applying for the first awards.
The official summary states that there are two level of certification available: Cyber Essentials and Cyber Essentials Plus. A Cyber Essentials certification is awarded on the basis of a verified self-assessment and approved by a senior executive and verified by an independent Certification body.
Cyber Essentials Plus offers a higher level of assurance through external testing of an organisation’s cyber security approach. “We anticipate that Cyber Essentials Plus will cost more than the foundation Cyber Essentials certification,” it said. Organisations wishing to become a Certification Body should contact CREST or Information Assurance for Small and Medium Enterprises (IASME).
CREST has worked alongside CESG, the Information Security arm of GCHQ, to develop the assessment framework for the scheme. As part of this engagement, CREST defined the policy, procedures and requirements for companies that will provide certification services under the Cyber Essentials Scheme.
“Not all organisations have the resources available to invest in the most rigorous levels of information security and compliance. Cyber Essentials addresses this by creating a baseline for UK cyber security,” said Ian Glover, president of CREST.
“By assembling and working with a forum of industry and technical experts, CREST has built an assessment framework optimised for the Cyber Essentials Scheme that will ensure organisations of all sizes and from all sectors can be properly and independently assessed to have the key technical controls in place to manage cyber risks.”
The ten steps are as follows: home and mobile working; user education and awareness; incident management; information risk management regime; monitoring; network security; removable media controls; malware protection; managing user privileges; and secure configuration. A company must display a good foundation for effective information risk management and the degree of implementation of these steps will vary between organisations depending upon the risks to their individual business.
As of 1st October, the UK Government will require all suppliers bidding for certain personal and sensitive contracts which are assessed as higher risk to be Cyber Essentials certified. This will provide further protections for the information the Government ha
ndles and will encourage adoption of the new scheme more widely, according to BIS.
Portcullis was one of the three organisations that carried out testing as part of the scheme’s pilot assessment that was overseen by CREST, and Portcullis collaborated with CESG and other key partners in assisting with the practical requirements for the programme and developing the assurance framework.
Tim Anderson, commercial director of Portcullis Security, told IT Security Guru that this is intended to display a level of compliance, and that the stamp displays a level of confidence. “There is a push for the UK to be seen as a secure place to do business, and the problem is security within the small business sector, but some security is better than none,” he said.
“While the scheme is ideal for small and medium sized enterprises, larger organisations and Government departments will also see value in it, as it allows them to evaluate the security of their supply chain and smaller suppliers.”
Simon Hansford, Chief Technology Officer at Skyscape Cloud Services, one of the first organisations to adopt the scheme, said that this will help it demonstrate its commitment to security to our customers.
“It is evident that cyber crime is posing an increasingly serious threat to our economy and we believe that The Cyber Essentials Scheme will help to drive awareness of the growing risks and help organisations to mitigate the risks to their business and customers’ data,” he said.
“Education is essential, as while larger organisations are more likely to have established frameworks in place for identifying and managing risks related to ICT services and the infrastructure upon which they operate, there are many smaller organisations that will find this process far more challenging. Schemes such as this are therefore crucial in order to equip businesses with the knowledge and actionable steps that will enable them to understand and recognise threat actors and reduce risks within their own organisations, and ultimately become more resilient and secure as a result.”
Mark Brown, director of information security at EY, said: “Whilst this is a positive step, businesses should not view this scheme as a complete solution as it only addresses the basic controls and is therefore representative of the entry level fundamentals which should be adhered to.
“For example, the scheme does not include guidance around softer non-technical issues such as business risk management, corporate governance of cyber security or employee awareness. For best practice we would expect businesses to go above and beyond this scheme and as such a continuing refinement and enhancement of this scheme is required in the long-term from Government.”