The government's cyber security initiative is useful, but it might not be enough on its own...
Businesses are ‘panic buying’ cyber insurance, in response to rising cyber crime and the upcoming GDPR deadline. So says the BBC, which also highlighted the role of security certification, including the government’s Cyber Essentials scheme.
By gaining certification, businesses and other organisations get a significant bargaining chip, which can potentially lower the cost of insurance premiums and mitigate some liability in the case of a data breach.
What is Cyber Essentials, though? And how does it sit alongside other certifications like the IASME Governance standard?
What Is Cyber Essentials?
Launched in 2014, the Cyber Essentials government initiative is designed to encourage good cyber security practices in UK businesses and organisations. At its most basic level, it functions as an awareness campaign, urging companies to look at their cyber security measures and to think about how they can protect themselves against cyber crime. Part of this involves reading the material on the Cyber Essentials official website and running through the checklist there.
While certainly helpful, this self-assessment path doesn’t provide any evidence of your cyber security, so you couldn’t use it to prove to customers or, indeed, insurers that you take security seriously.
That’s where the Cyber Essentials certification comes in. There is a price attached to it, but assuming your cyber security measures are good enough to pass the test, you’ll get to be listed in the government’s directory of certified organisations. In some cases, this is necessary to be eligible for government contracts.
The basic Cyber Essentials certification consists of a self-assessment questionnaire, but your certification body will verify your answers. If you were to gain certification from TMB, for example, we would look over your answers and then verify the application. (We also provide assistance services, if required, if you’re struggling to answer some of the technical questions.)
Assuming you pass, your certification will come from one of five accreditation bodies, which are responsible for overseeing Cyber Essentials. TMB’s customers, for example, would receive their certification from the IASME Consortium.
If you want your application to be independently verified, then you should opt for the Cyber Essentials Plus certification. You’ll answer the same set of questions, but because your answers are independently verified, your certification will have some added gravitas. There is some extra cost associated with this, but if you want to go the extra mile with Cyber Essentials, this is the way to do it.
Beyond Cyber Essentials
While Cyber Essentials certification is something we’d recommend to all organisations, it’s not intended as a comprehensive test of your cyber security. As the name suggests, it only covers the essentials. In other words, it’s the bare minimum you should be doing to protect your business from cyber crime. For some businesses that's enough, but for others it's just a starting point.
Because cyber crime is increasing and growing ever more sophisticated, a greater level of protection is recommended for most businesses. To test these measures, there are more stringent certifications available.
One of the most prominent is ISO/IEC 27001, part of a set of standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission. This is an international standard, and certification of compliance is something of a badge of honour. It is, however, very expensive. A company with 25 employees could easily find itself paying £10,000-£25,000 a year to maintain ISO/IEC 27001 certification.
For large corporations with deep pockets, this makes perfect financial sense. For small- and medium-sized businesses, however, it would be difficult, if not impossible, to justify.
Based on this reality, SMEs might look elsewhere for ways to complement their Cyber Essentials certification. One solution is the IASME Governance standard, set by the IASME Consortium. Created as an affordable alternative to ISO/IEC 27001, the IASME Governance standard is a financially viable way for smaller businesses to demonstrate their cyber security competence.
What’s more, the IASME Governance assessment includes the Cyber Essentials assessment as standard. IASME also offers an optional add-on that assesses your organisation against the requirements of GDPR.
What’s Right For Your Business?
In light of the GDPR rules, getting some kind of certification makes sense for all businesses. Cyber Essentials and Cyber Essentials Plus not only show your customers and partners that you’re a safe pair of hands; they also indicate a basic level of cyber awareness that the ICO is likely to take into account in the event of a data breach.
As a basic standard, though, Cyber Essentials alone might not be enough for larger organisations and those that process large amounts of data. For them, the next big questions are whether they need and can afford ISO/IEC 27001 certification. If the answer is no to either of those, then the IASME Governance certification would be ideal.
What businesses should avoid, most importantly, is doing nothing at all. Even if you have cyber insurance, if you don’t have adequate security, the damage your business could suffer could be catastrophic.