Clarity on Minimum levels of Cyber Risk Controls from UK Government
Universities & Science Minister, the Rt Hon David Willetts MP, stressed action on cyber risk during his announcement of the government's latest initiative, Cyber Essentials, which addresses the rising threat of business disruption or loss from lax management of cyber risk.
The minister commented: “The recent GOZeuS and CryptoLocker attacks, as well as the eBay hack, show how far cyber-criminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent.”
The Cyber Essentials Scheme (CES), announced in April, will help all businesses and organisations by clearly detailing five basic cyber controls that most businesses can implement cost-effectively: boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management. The launch event, held at the ICAEW, was attended by a mixed audience from across industry, where it was announced that Barclays, BAE Systems and HP are amongst the first to sign up for the scheme.
Government and industry experts believe that the cyber controls identified in the scheme would stop up to 80% of computer security breaches.
Mr Willetts added: “We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cyber-security. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber-threats.”
Cyber Essentials is not really aimed at large or high-tech companies, though they can embed the scheme in their operations to help manage their cyber risk, particularly across the supply chain. More complex organisations with greater risk exposure should be embedding more structured and capable cyber defences into their operations. The key target audience is the less demanding environments seen across most of the SME sector. Support for the scheme was confirmed by a number of smaller businesses, including Nexor, Tier 3 and Skyscape, who are all adopting it, and by other organisation types such as the University of Derby, the Confederation of British Industry, the Institute of Risk Management and the Institute of Chartered Accountants in England and Wales.
The Cyber Essentials Scheme includes an award aspect that a company can use to show it takes cybersecurity seriously.
Two new Cyber Essentials badges are available, and either demonstrates to customers that the organisation has taken steps to develop its cyber-security: Cyber Essentials, based on a self-assessment questionnaire verified by a certifying body, and Cyber Essentials Plus, which adds independent testing of the controls by an external certifying body.
Companies therefore have a range of options for certification, from self-assessment through to independent review. Firms responsible for these checks must be accredited by CREST, the not-for-profit IT security organisation that helped develop the assessment framework.
Ian Glover, president of CREST, stated: “Not all organisations have the resources available to invest in the most rigorous levels of information security and compliance. Cyber Essentials addresses this by creating a baseline for UK cyber security.”
By focusing on just five critical cybersecurity issues, the scheme addresses four out of five of the vulnerabilities most frequently exploited. This makes Cyber Essentials extremely cost-effective and an ideal first step in addressing the cyber risks that businesses of all types face. It provides a pathway to help organisations leverage investment in other cybersecurity frameworks and is compatible with most international standards, such as ISO/IEC 27001.
Russell Price, Chairman of the Continuity Forum, said: “By implementing processes and controls in the scheme, organisations will not only have practical measures to close security holes and vulnerabilities, but will also help the business assess if additional measures are needed. Companies need to really think hard about cyber risk and computer security and all the connections with their business performance, and not just treat cyber as an IT issue.”
CES was the result of a year-long consultation with business led by BIS and CESG, the information security arm of GCHQ, including contributions from the Cyber Risk and Insurance Forum (CRIF) and the Continuity Forum. This led to the ISF, IASME and the BSI combining their resources under BIS guidance to develop the new initiative.
From 1 October 2014, the government will start introducing the requirement for suppliers bidding for certain contracts that are assessed as higher risk to be Cyber Essentials certified. The suppliers and contracts affected are likely to be from the following sectors: IT managed or outsourced services, commercial services, financial services, legal services, HR services and business services. Further guidance for suppliers will be issued later this year.