The Cyber Security Breaches Survey 2018 showed once again that awareness of the Government’s cyber security resources is lacking. Four years after it was first launched, just nine per cent of businesses are aware of the Cyber Essentials scheme, writes Duncan Bradford, CTO Northern Europe from software firm CA Technologies.
Why is awareness of this scheme so poor? The report found that organisations did not seek it out as they had not expected the Government to provide information on cyber security, while others thought that Government information would not be tailored or not detailed enough for their needs.
CA Technologies just achieved the Cyber Essentials certification and, as we worked through its criteria, the programme surpassed my expectations as an effective cyber security resource. When applied strategically, Cyber Essentials is certainly more than another box to tick or badge to show suppliers. So, how can organisations get the most out of the Cyber Essentials scheme?
Since launch four years ago, the Cyber Essentials scheme has continuously evolved to secure its relevance for organisations today. The National Cyber Security Centre has now taken a leadership role in providing the technical expertise for the programme, which ensures that it encompasses the country’s best technical insight and experience. Having this expertise plugged in guarantees the continued relevance of the scheme. As a result, even organisations that already take cyber security and data protection seriously can learn from and improve using the Cyber Essentials scheme.
Take it global
Many adopters of the Cyber Essentials scheme have missed a trick in purely achieving compliance in the UK. When assessing the Cyber Essentials process, CA made a strategic decision to seek certification for protection of our global customer base, rather than only for our UK-based customers. Why? Firstly, cyber threats don’t recognise borders. The same threats facing our UK-based customers are faced by the rest of our global customer base too. In addition, many of our customers are multi-national corporations. And when you’re working to a benchmark maintained by some of the best cyber security experts in the country to secure local data, it makes sense to apply these security controls consistently to protect all of their sensitive data.
Securing your own assets isn’t enough to secure your customers’ data. Cyber Essentials provides a great opportunity for companies to assure the security of the suppliers that either handle their data or have access to their network. In fact, eight per cent of businesses already require their suppliers to adhere to the Cyber Essentials scheme. And using this common framework provides a foundation for a common understanding with suppliers, supporting clear expectations of what the other must deliver.
Cyber Essentials also provides a useful framework for communicating a company’s security approach with their customers and regulators – both in the UK and globally. The security controls within Cyber Essentials can be clearly understood by a range of security practitioners and administrators.
This clarity not only avoids the unnecessary complexity added when using differing terminology and practices to discuss cyber threats and defences, it can help build confidence within customer and supplier ecosystems.
The 80/20 challenge
The types of attacks that Cyber Essentials is designed to protect against are responsible for the vast majority of recent significant data breaches. While many of the Cyber Essentials controls represent practical, strong cyber hygiene approaches, too many organisations are falling short when it comes to applying basic protections. Too many hacks are perpetrated through unpatched applications. Too many breaches are consistently elevated because organisations fail to implement proper identity and access management controls.
If organisations could shore up these common cyber defences, the cost curve for cyber attacks would bend significantly higher for the attackers, resulting in reduced likelihood of an incident. Further, government departments and cyber threat information sharing partnerships could focus their resources on more advanced attacks, further bending the cost curve against attackers. While the UK Cyber Security Breaches Survey found awareness to be poor, the Cyber Essentials scheme is too good not to shout about. Whatever the size of your organisation, achieving the certification can significantly improve an organisation’s security posture. But protecting the few is not enough. I encourage all organisations to consider how the Cyber Essentials certification can help them implement strong cybersecurity hygiene practices and strengthen trust in the digital economy.