On 5 June 2014, the Government launched its Cyber Essentials scheme (the “Scheme”) which sets out requirements for basic technical protection from cyber attacks.
The Scheme Requirements outline the basic controls that the Government states all organisations should implement to mitigate the risk from common internet-based threats. The controls outlined in the Scheme fall into the following categories:
- Boundary firewalls and internet gateways;
- Secure configuration;
- Access control;
- Malware protection; and
- Patch management.
In addition to the Scheme Requirements, the Government issued an “Assurance Framework” through which it offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken the essential precautions recommended by the Scheme. Under the Assurance Framework, businesses which implement security measures in line with the guidelines can apply for a certificate to indicate their commitment to cyber security and to advertise the fact that they adhere to Government endorsed standards.
Businesses have some control over the level of assurance they wish to gain and the costs of doing so. Businesses can apply for either the Cyber Essentials certificate or the Cyber Essentials Plus certificate. To attain Cyber Essentials certification, organisations must complete a self-assessment questionnaire and have the responses independently verified by an external certifying body. Cyber Essentials Plus encompasses the same control themes as Cyber Essentials but offers a higher level of assurance through the use of an independent testing regime. Certification can cover the whole of an organisation’s enterprise IT or a sub-set.
The Scheme is being delivered as part of the Government’s £860 million National Cyber Security Programme. From 1 October 2014, the Government will require all suppliers bidding for certain personal and sensitive information handling contracts to be Cyber Essentials certified. The Government expects that this approach will encourage wider adoption of the new scheme.
In the wake of several major cyber attacks, confidence in the ability of businesses to prevent and manage internet-based threats is at an all-time low. The Scheme is intended to help restore confidence that businesses have the necessary controls in place to deal with internet-based threats.
Although the Scheme is a step in the right direction, it is not a complete solution. Businesses will need to go above and beyond the implementation of the controls suggested in the Scheme to guard against certain sophisticated cyber security threats. The Scheme addresses certain preventative controls, but it does not cover certain advanced security areas such as encryption and reacting to cyber attacks. Moreover, the Scheme focuses on technical controls and fails to deal with certain non-technical controls which businesses should have in place to combat cyber security risks, for example employee training and internal risk management strategies.
As for reliance on certification, customers should be aware that evidence of certification is no substitute for completing due diligence on a supplier. Certification, whether Cyber Essentials or Cyber Essentials Plus, merely shows a snapshot of an organisation’s ability to mitigate the cyber security risks at the time of assessment.
Businesses wishing to be assessed should contact one of the Cyber Essentials Accreditation Bodies to discuss their requirements and identify an appropriate Certification Body.
At Eversheds, we have seen an increase in the amount of assistance we give clients in relation to developing policies in relation to security breaches (both for personal data and otherwise), what to do from an evidential point of view if a breach arises and how to be ready for the PR implications. Given the growing nature of cybercrime, we definitely recommend that companies which haven’t already done so consider what steps they would take if they were hacked.