CyberEssentials is one of the most important information security standards there is. It was launched by the UK government two years ago, but the chances are this is the first time you’ve ever heard of it.
In fact, despite its relevance to every private and public sector organisation in the UK, you are probably more likely to recall the Green Cross Code, or that “Charley says you shouldn’t talk to strangers”, than anything about CyberEssentials. If we still had public safety information films beamed into our three or four captive TV channels, it would have made a good topic for one.
What the UK government lacks in publicity skills, it more than makes up for with a very good security standard. Having scoured the earth for a single standard that UK plc could adopt to guard against common Internet-borne threats, ministers concluded that they’d have to fill the void themselves. So they did.
No CyberEssentials badge, no government business
And then came the bombshell in October 2014: any business bidding for UK central government contracts could qualify only if certified to CyberEssentials. Since then, some local government agencies and other public sector contracting bodies have started applying the same prerequisite. The only way around it is to show that the contract in question – and, in practice, your organisation’s role in it – has nothing at all to do with the personal data of individuals or the provision of ICT-related products and services.
Which explains why Helastel holds the certification. As well as adding to our trophy cabinet of cybersecurity credentials, it secures our continued place in UK government supply chains, particularly in relation to the NHS and the related pharmaceutical industry. It also explains why the rate of newly certified organisations is at its highest yet.
There are two levels of CyberEssentials certification: the self-assessed standard (plain old ‘CyberEssentials’), where your answers to a questionnaire are checked by a certification body, and the more involved CyberEssentials Plus, which adds independent technical testing of the same five controls, including an external vulnerability scan of your Internet-facing systems.
Both revolve around these five key controls:
- Boundary firewalls and Internet gateways
- Secure configuration
- User access control
- Malware protection
- Patch management
Only five things? This actually makes it a stronger standard…
What’s interesting here is that both flavours of CyberEssentials make each of these controls mandatory for everything in scope, whereas the more internationally recognised ISO 27001 information security standard treats its controls as selectable: you apply them, or document why you don’t, according to the outcome of your own risk assessment. ISO 27001 is the standard with the most cachet, and the bigger price tag to achieve. But because CyberEssentials is the simpler proposition, with no room to argue a control out of the picture, there is a good case that it is the stronger one too.
Being so simple, with just five key controls rather than a litany of requirements, makes CyberEssentials unequivocal, a fact not lost on industry experts beyond the realms of the public sector. James Nunn-Price, UK cyber partner at Deloitte, claims the scheme, “…positively impacts the wider UK economy by raising the bar for opportunist attackers. (It identifies) the essential security controls organisations need within their IT systems to increase their cyber resilience.”
Even the insurance industry is embracing CyberEssentials. Cyber insurance products that pay out when an organisation is hit by an attack have emerged tentatively, but adoption looks set to snowball now that leading insurers are basing their risk assessments on whether or not you hold CyberEssentials. Just as car insurers knock a decent percentage off the premium for members of the Institute of Advanced Motorists, businesses with the CyberEssentials badge can expect to pay less for better cover. In fact, if you attain CyberEssentials through the IASME accreditation body, your organisation automatically qualifies for £25,000 of free cyber liability insurance from AIG.
There may still be more UK organisations without CyberEssentials than with, but those that have earned it are glad they did. The government mandates it, insurers bank on it, and companies like Helastel use it to keep collaborating on exciting new software projects with the UK public sector. Perhaps most importantly, an opportunist attacker who finds the five controls properly in place will usually go off and try their luck on someone else.