Why Cyber Essentials should be the first key step on your cyber security journey
By James Moore
In March, the news broke that IASME Consortium was to be the exclusive partner of the UK’s Cyber Essentials scheme, run by the National Cyber Security Centre (NCSC). But what does this mean? And how can Cyber Essentials help improve cyber security standards in the UK? We sat down with Dr Emma Philpott, MBE, CEO of IASME, to find out more.
In 2014 Cyber Essentials was launched by the UK Government to reduce the levels of cyber risk in its supply chain, setting a basic set of controls that businesses involved in central government contracts were required to abide by. As cyber threats continued to evolve, greater emphasis has been placed on cyber security by business owners – even outside of the government realm – and Cyber Essentials has grown with it.
Fast forward to 2019, and there were five accreditation bodies in place. While this was a clear demonstration of how the emphasis on cyber security has evolved in such a short space of time, it was viewed as a little confusing to the stakeholders and marketplace. Following a government review, it was decided that one body would be chosen as the exclusive partner to streamline the process and ensure a consistent approach to the Cyber Essentials standard. Having been heavily involved in the scheme’s initial set-up, IASME Consortium was chosen as the official partner.
The impact of a global pandemic and remote working has resulted in greater engagement in cyber security practices – something that Emma Philpott, CEO of IASME Consortium, has long championed. “For many years, cyber security was only a ‘thing’ in defence and security, but Cyber Essentials changed this for many smaller companies working with the government, and it’s grown to much more,” Emma explains.
“Just like other businesses, criminal activity has moved online. This has been accelerated by the pandemic, but the threat was there before it as well. Organisations in every sector, small and large, need to make sure they are aware of the cyber threats and ensure they are doing at least the minimum to protect themselves and the rest of the supply chain.”
Cyber Essentials, Emma believes, provides the key first step towards improving standards. Designed as a certification scheme to reassure customers that a business is working to secure its IT against cyber vulnerabilities, the process also acts as a useful training exercise through which a company can assess its own practices. For those who have never considered cyber security beyond the regular changing of passwords, it can be an eye-opening experience.
Emma continues: “We really do see people now putting a lot of effort into achieving Cyber Essentials. Companies don’t always pass, but the fact that they have at least started to think about their cyber security practices and are working to improve them should be considered as a positive step. Particularly with so many employees remote working, it is crucial that endpoint devices, such as company laptops, have at least the basic levels of controls.
“It also highlights the vulnerability in the supply chain, too. People don’t always think about this, but some of the largest data breaches have been a consequence of a smaller supplier being targeted and used to infiltrate the larger vendor.”
But, what does the move towards IASME as an exclusive partner actually mean?
The first thing to note is that there are a few differences between IASME certification and that of the previous accreditation bodies. It is therefore advisable to download the question set and make sure all the software your business uses is supported. “The move towards using us as the sole provider should help reduce confusion and inconsistency for organisations. Cyber security is already quite a ‘scary’ and unknown prospect for smaller businesses, so we want to make the standards as clear as possible,” says Emma.
Exclusivity also brings closer communication with the National Cyber Security Centre on improving the standards.
“We also now have an excellent working relationship with NCSC. The Cyber Essentials controls are under constant review, while we’re also working towards a pre-Cyber Essentials advice app to support businesses who simply aren’t ready for certification yet. This will provide much more targeted advice based on the answers given to a list of questions, and this kind of activity and support is now only really possible thanks to the exclusive partnership.
“And for larger companies, who often struggle with the patching requirements due to the sheer scale of their operation, we’re working with the NCSC on developing support for that as well.”
What’s next for Cyber Essentials?
As has been well documented, cyber crime is only increasing as the pandemic continues to affect normal business – and criminal – operations. In addition to the pre-Cyber Essentials app development, IASME has a number of projects ongoing in response to the growing threat. Reviews of Cyber Essentials continue, as the NCSC and IASME recognise the need to bring the standards up to date to cover evolving technology – cloud systems, for instance, which are becoming ever more integral to business processes.
IASME Governance goes a step further than Cyber Essentials, bringing the physical security aspect into play, too. Assessing everything from a company’s back-up systems, access control and risk assessments to its security policies, the scheme also covers GDPR requirements – the Consortium believes this is the only form of certification available that covers the EU’s data protection requirements.
Not stopping there, Emma highlights a new certification set to launch at the end of the year. Currently under revision, the IASME IoT Security Assessment follows self-assessment practices similar to Cyber Essentials, with three simple steps that need to be taken to gain certification:
- Change the factory default password for all IoT devices in your business
- Ensure that devices can be patched regularly
- Ensure there is a process in place to report vulnerabilities
“We felt it was necessary to bring an IoT focused certification scheme into play, as the number of devices has grown exponentially in recent years. They often connect to the businesses’ primary network, so if they’re vulnerable, so is the rest of the network. We’ve worked closely with the IoT Security Foundation on this, as we believe it’s a vital next step to improve the UK’s cyber security standards,” adds Emma.
As cyber security threats continue to develop, so must the organisational emphasis on mitigating them. With a new lease of life and a more streamlined process in place, Emma and the team at IASME are aiming to ensure organisations look towards Cyber Essentials as a key standard they must meet to protect themselves and the supply chain. You wouldn’t open a shop without some kind of basic physical security system in place – in 2020, a base level of cyber security is arguably just as important.
Emma concludes: “At the start of the Cyber Essentials process, there were so many companies who just wouldn’t engage with the scheme, simply because they didn’t understand IT and were embarrassed by the low levels of security. This has now changed – business leaders now recognise the need for protection and aren’t afraid to ask. We encourage any question, no matter how basic it may seem – we’re here to help!”