Scheme to help organisations minimise cyber security risks and enhance consumer confidence.
What's the issue?
The Department for Business, Industry and Skills (BIS) recently published the results of its Information Security Breaches Survey 2014, conducted by PWC. The findings were that the level of security breaches has decreased slightly but the overall cost of security breaches for all types of organisations has increased, nearly doubling in relation to the worst types of breach which, on average, cost large organisations from £600k to £1.15m and small businesses from £65k to £115k. 10% of organisations who responded were so badly affected that they had to change the nature of their business. The use of malware appears to be on the increase and the focus of the attacks has shifted to big organisations. The survey found that 70% of incidents go unreported so points out that what appears in the media is "just the tip of the iceberg".
In 2012, the government launched its '10 Steps to Cyber Security' and guidance for small businesses on cyber security but consultations showed that industry felt none of the existing organisational standards met government requirements and that a new one should be developed.
What's the development?
The BIS has now published a new Cyber Essentials scheme which builds on the 10 Steps to Cyber Security and covers "basic cyber hygiene". The scheme focuses on key controls for internet-originated attacks and then provides an Assurance Framework designed to enable third parties to recognise organisations which implement basic cyber security controls by culminating in a two-tier certification scheme, one of which is based mostly on self-certification and the 'plus' version of which is independently assessed and certified. The certification scheme is intended to inspire confidence in contractual and consumer relationships as well as help auditors and insurers assess risk.
What does this mean for you?
The BIS is clear that this is not a way to remove the risk of cyber security breaches but rather an initial step to minimise them. It encourages organisations to use additional and specific controls beyond those provided where the nature of the organisation requires them and also advocates obtaining certification even where organisations already comply with a standard in cyber or information security such as ISO 27001. The scope of the Assurance Scheme covers BYOD and, under certain circumstances (mostly relating to control of operating systems) to services outsourced to the Cloud. Bespoke and custom components of web applications are outside the scope of the scheme. The BIS hopes that the scheme will catch on so that certification becomes the norm. Until this happens, having a Cyber Essentials 'badge' may well create a competitive advantage over those slower to catch on.
The scheme is intended to apply to all organisations in all sectors and no matter what their size. The focus is on the following five key controls:
- boundary firewalls and internet gateways;
- secure configuration;
- access control;
- malware protection; and
- patch management.
The Assurance Framework provides organisations with a staged approach towards managing cyber threats, covering the five basic controls needed "to defeat unsophisticated threats from the internet". The process of following the Framework will lead to one of two levels of certification:
- Cyber Essentials – the organisation self-assesses that the systems identified meet the requirements of Cyber Essentials. The assessment is independently verified; and
- Cyber Essentials Plus – the organisation has been independently tested to verify that the systems identified meet the requirement of Cyber Essentials.
It is underlined that certification at either level is a snapshot of the organisation's ability to protect itself from cyber threats at the time it was granted and that, at a minimum, organisations should re-certify every year.
Certification is granted by one of the Accreditation Bodies. They are able to set the cost of certification which will depend on the size of the organisation and the level of rigour the organisation is required to demonstrate. The intention is that certification should be affordable "to the greatest possible number of organisations".
It is worth noting that the Bank of England has also launched a new vulnerability testing framework (CBEST) to help the financial sector test and improve resilience to cyber-attack. The CBEST framework uses intelligence from government and accredited commercial providers to identify potential attackers to a particular financial institution. It then replicates the techniques these potential attacks use in order to test the extent to which they may be successful in penetrating the defences of the institution. On completion of the test, workshops will be conducted to follow through.