Chris Stanley, MASS
Chris Stanley, MASS

In 2011 the Cabinet Office called for the UK, by 2015, to “derive huge economic and social value from a vibrant, resilient and secure cyberspace”. As part of the National Cyber Security Programme, the government engaged with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum (ISF) to develop a set of technical controls. These controls would form the basis of a kite mark for ensuring business protected itself against cyber-attacks.

The Cyber Essentials scheme was launched on 5 June 2014 to provide basic yet cost-effective cyber security. Since then, its principles have become increasingly relevant to businesses exposed to cyber-risk. Early adopters are gaining market advantage by demonstrating their cyber-security awareness. Even as the scheme's success grows, however, there are still concerns that many organisations underestimate the cyber-threat and the associated value of Cyber Essentials.

Current status

One year on, the Cyber Essentials scheme has been awarded SC Magazine's Editors' Choice Award for “putting a bar in place for the first time, potentially having a greater impact on improving information security in the UK than any other single initiative”.

Cyber Essentials is now gathering momentum and industry is beginning to appreciate the enduring benefits of certification. Early adopters have realised that Cyber Essentials certification is a cost-effective way of ensuring a standard level of assurance is in place, that the company understands the risks and is demonstrating that to the wider market.

The UK Government has mandated the requirement for Cyber Essentials for many central government contracts. Within the Ministry of Defence (MOD), the Defence Cyber Protection Partnership (DCPP) is a joint MOD/ industry initiative tasked with improving the protection of the defence supply chain from the cyber-threat. The DCPP has committed to using Cyber Essentials as a foundation for implementing its Cyber Security Model (CSM) into all new contracts from 2015.

How does Cyber Essential support business operations?

Most firms have a disaster recovery plan, which allows them to continue operating in the event of a major incident. Most disaster recovery plans, however, do not mitigate for a cyber-attack, which is far more likely than a fire or flood. Many companies are now recognising the importance of this kite mark, driving the market for accreditation and consultancy services. Some insurance companies are even offering substantial insurance benefits for early adopters of the kite mark.

Ignoring cyber-security is no longer an option. One in ten organisations that suffered a breach in the last year were so badly damaged by the attack that they had to change the manner in which they conduct their business.

Cyber Essentials is designed for organisations of all sizes, and in all sectors. Emma Philpott, CEO IASME commented, “We have seen a large number of companies who would never usually have bothered about cyber-security and have no cyber-security expertise use the questions as a simple step-by-step route to increasing their security.”

Failure to adequately protect against cyber-threats and prevent data loss can lead to share price impact, financial penalties and reputational loss.

The new European Union General Data Protection Regulation, which is likely to replace the 1998 Data Protection Act, will oblige the protection of personal data with significant penalties for data breaches – up to 5 percent of a company's annual global turnover. Implementing Cyber Essentials demonstrates that organisations are taking measured steps to mitigate the risk to personal data from internet-based threats.

Commercial supply chains, outside of those working with public bodies, have started to realise that it is in their interests to work with companies that have at least a basic level of cyber-security.

Cyber Essentials supports businesses as it encourages a growing maturity to cyber-security. Having been assessed as meeting the requirements of Cyber Essentials, an organisation's approach to information risk management becomes integral to its operations and demonstrates market leadership in cyber-security. Cyber Essentials offers a useful mechanism for organisations to effectively demonstrate to customers, investors, insurers and others that they have taken the essential precautions.

Although cyber-security is a complex area, the achievement of the Cyber Essentials certification requires the satisfaction of some basic requirements. Cyber Essentials provides a clear statement of the basic controls that all organisations should implement to mitigate the risk from common internet based threats, within the context of the Government's 10 Steps to Cyber Security.

Contributed by Chris Stanley, cyber security director, MASS – one of the UK's first Cyber Essentials Plus certification bodies.