Is UK plc Taking Cyber Security Seriously?
In recent years there has been a big push from the UK government to promote the importance of cyber security to the business community.
In recognition of the challenges facing business, the UK government launched the Cyber Essentials scheme back in 2014. This is an assurance scheme, operated today by the National Cyber Security Centre (NCSC), that is based on a set of information security best practices.
At the heart of it are five security controls (firewalls, secure configuration, user access control, malware protection and patch management) that organisations implement to mitigate the risk of security breaches.
Research into the most common causes of security breaches consistently shows that organisations are exposed because they have failed to put basic security controls in place, so a scheme that promotes best practice in this regard can only be a good thing.
Today, holding Cyber Essentials certification is seen as a basic requirement if you want to do business with government and with many commercial organisations. To date more than 30,000 UK organisations have been certified under the scheme.
Cyber Essentials is definitely a good step forward in reducing cyber risk in business, but let’s not forget that in its basic form certification rests on a self-assessment questionnaire, and in reality you will find big disparities between the cyber security practices of different organisations that display the Cyber Essentials badge.
Cyber Essentials Plus goes some way to addressing this, because certification is gained through an assessment carried out by an independent assessor. I believe that while this gives greater assurance that an organisation is actually following best practice at the point of certification, it says nothing about what happens after that point, when the organisation has to keep its security controls compliant on an ongoing basis.
In practical terms, ensuring that the five security controls remain effective involves a lot of low-level operational activity. Gathering the evidence of compliance and remediating non-compliance, applying updates, and maintaining the right control coverage as the IT infrastructure changes are a few of the key tasks, and each of them must be carried out for every one of the mandated controls. Depending on the size of the organisation, many of these activities may be delegated to different teams and individuals, so governing the overall process of maintaining compliance can become complex.
Getting on top of this is vitally important to drive ongoing improvement in an organisation’s security posture and so reduce the risk of security breaches. It also simplifies re-certification, and when customers knock on the door asking for evidence that you are maintaining high standards of compliance, you are more likely to be prepared with the right answers.
I have been preaching for a long time that two key elements of a successful security programme are implementing effective controls and making sure that those controls are maintained and reviewed over time.
In the New Year we will be launching the Community Edition of Caveris ICAS. This is our first free product, targeted at organisations that plan to opt into, or have already opted into, the Cyber Essentials scheme. It provides, in software, the operational workflow needed to track and maintain the five security controls mandated by Cyber Essentials.
This will allow more and more organisations to accelerate their security programme, enabling them to move up the maturity curve faster and in doing so reduce the risk to themselves and to their customers.