Cyber-crime poses a serious and increasing threat to the UK economy. A primary objective of the UK Government's National Cyber Security Strategy is to improve the country's cyber security capability, ensuring that businesses are identifying and managing the risks from a growing number of internet-based threats. To this end, the Government's Cyber Essentials Scheme – launched in June 2014 – aims to drive awareness of these risks, and to help smaller enterprises delivering products or services to the UK public sector to defend their systems, networks and customers' data from attacks. The Scheme builds upon the “10 Steps to Cyber Security”, published in 2012, which helps organisations and senior executives understand and implement a corporate risk programme.
Educating and supporting businesses of all sizes, in particular SMEs, when it comes to approaching cyber security is of paramount importance in this digital age. Whilst larger organisations are more likely to be managing established information security frameworks, which identify and manage the risks related to their ICT services, through the effective implementation of appropriate security controls, many smaller organisations will have assessed this activity as being too challenging, perhaps cost prohibitive, or just too complex.
Government initiatives such as the Cyber Essentials Scheme are essential in helping businesses to understand the importance of cyber threats, and providing them with the building blocks upon which they can build their own protective frameworks. Developing employee cyber security skills, perhaps taking advantage of the security benefits of emerging technologies, or simply being prepared to react to minimise the effect of breaches – are just a few of the many activities which will help businesses to become more aware, resilient and secure.
In the case of the UK public sector, which has traditionally been heavily reliant upon legacy IT systems, the Government has made significant progress over recent years in encouraging the adoption of assured cloud services through the G-Cloud Framework. The programme has undoubtedly changed the way that many of the UK's 30,000 public sector organisations approach the procurement and use of their ICT services, however there is still work to be done to address the understandable but often excessively risk-averse culture that is ingrained within this sector.
As the adoption of cloud computing continues to grow, we are beginning to see more and more public services being moved online. Yet with data breaches continuing to make the headlines, it is unsurprising that a customer's primary concern when moving to a virtualised environment is the ongoing security of their data. The onus is on reputable and security-conscious suppliers to ensure that growing cloud confidence is not undermined by the negative repercussions of a serious data breach incident. The Cyber Essentials Scheme's requirements will provide customers with additional assurance that data security remains a top priority for the supplier.
Cyber threats evolve on a daily basis, and the Government and businesses must continue to work together to bolster defences and keep the UK secure. The Cyber Essentials Scheme is a sensible approach to the raising of standards, and in the process will remove approximately 80 percent of the most common cyber-attacks facing the organisations that embrace it. The Scheme has two progressive levels: “Cyber Essentials” is an independently validated self-assessment submission, whilst “Cyber Essentials Plus” additionally requires a comprehensive, independent technical assessment to validate that the selected security controls have been implemented effectively.
In my view, the Cyber Essentials Scheme is a step in the right direction for organisation's looking to establish a basic cyber risk programme. Even for those with the most limited of knowledge, the requirements are easy to understand and can be progressed in logical, manageable units each of which improves the resilience against cyber-attacks. Once assessed, this cost-effective initiative also presents an opportunity for businesses to demonstrate their credibility and ongoing commitment to data security, which is a strong message to their potential customers.
From 1st October 2014, the Government will require all suppliers that are bidding for contracts that include the handling of certain sensitive and personal information to be certified against the Cyber Essentials Scheme. We'd encourage all organisations to assess and implement the Scheme as soon as possible, and help play their part in boosting the country's cyber defences.
Contributed by John Godwin, head of compliance and information assurance at Skyscape Cloud Services – one of the first organisations to become certified for both levels under the new Scheme