Cyber Essentials 2 – what the delegates learned about the scheme and why it really is necessary


Richard Bach speaking at the 2nd Cyber Essentials event, hosted by IT Governance on 24 June 2014.

Cyber Essentials 2 attracted organisations ranging from the smallest SMEs to FTSE 100 enterprises, all there to investigate the scheme and, where possible, learn how to achieve a Cyber Essentials Scheme (CES) badge.

Among the delegates there was general agreement that tackling cyber crime by adopting baseline IT security controls was a worthwhile thing to do.

Naturally enough, the 1 October deadline for Cyber Essentials compliance on certain government contracts was a factor in the discussions. The majority present, however, regarded the opportunity to be the first in their sector to hold the badge as equally important, and as ample justification for attending the event only a month after the scheme's launch.

Richard Bach of BIS (pictured) spoke about progress towards adoption of the Cyber Essentials badge, which provides supply chain assurance for organisations of any size. Details are still emerging of the different approaches being taken under the IASME and CREST accreditation routes, both in the two forms of the self-assessment questionnaire and in whether internal and external vulnerability scans are required.

Cyber Essentials should be seen as the minimum level of implementation

Immediately after Richard Bach’s talk, Alan Calder, founder and Executive Chairman of IT Governance, said that while he welcomed the scheme, Cyber Essentials represented only “the minimum level of implementation”. The benefit of implementing it, however, was survival, since most companies do not deal with even basic threats. Certification is also a demonstration to customers and staff that you recognise the importance of cyber security.

He said, “Organisations are not spending enough to close issues and are doing the wrong thing; they are spending on a knee-jerk reaction to what they last suffered. If they had a malware infestation but didn’t see a plant of APT software on the network, they rolled out investment in password control and anti-virus to make sure it didn’t happen again, but the vulnerabilities went on existing and the business was too locked down.”

CREST-qualified penetration tester details technical aspects of Cyber Essentials

This message was amplified by Geraint Williams, senior consultant with IT Governance, an experienced PCI QSA and CREST-qualified penetration tester. Geraint looked at the Cyber Essentials Scheme from a largely technical point of view, covering:

  • What a low-skill-level attack is
  • Why SMEs are at risk
  • Cyber Essentials testing requirements
  • Cyber Essentials Plus testing requirements

Following his talk, Geraint advised several of the conference delegates who had booked free 20-minute ‘surgeries’ with IT Governance’s expert consultants.

The price of data is falling – resulting in a corresponding increase in the scale of cyber crime

Sarb Sembhi of ISACA highlighted several growing problems with criminal data breaches in the SME sector. As he put it: “If you think that your business hasn’t been breached, it is possible that you just don’t know that it has been breached!”

As more data accumulates online, more of it is breached, and the growing supply of stolen records drives down the value of each individual record to cyber criminals.

The criminals’ response has been to assemble complete profiles rather than trade individual identity fragments, so that the value now lies in the complete profile of each individual. This means that data breaches will inevitably increase as each criminal group attempts to build its own database of complete profile identities.

Villains have moved from streets into cyber crime – and they are not nice people

One of the keynote speakers, David Clarke, a former Chief Superintendent with the City of London Police and leading figure in the UK Fraud Advisory Panel, spoke from his personal experience about the people who commit cyber crime.

They are the same individuals who run the scams that rob pensioners of their savings. There is nothing romantic about this ‘white-collar crime’, and the criminals are not the Robin Hoods of cyberspace. David told us that we would not like to meet them.

He highlighted the recent EU Serious and Organised Crime Threat Assessment (SOCTA). In the most detailed study of its kind ever undertaken in the European law enforcement community, Europol identified an estimated 3,600 organised crime groups currently active in the EU. The report found that international drug trafficking remains the most active organised crime activity, but it also identified the emergence of new criminal phenomena, many linked to the current economic crisis and to the Internet. These developments are changing the nature of organised crime towards a model based on a networked community of heterogeneous, international groups. In other words, criminals are using the Internet to facilitate large-scale and complex activities, including hacking, card fraud, trafficking and illegal sales across the EU nations.

Cyber criminals are “heartless and ruthless” – and not modern Robin Hoods.

In David’s words, the fraudsters are “heartless and ruthless”. They “traffic people and sell identities”, and their intended victims are not hard-to-breach corporate targets but vulnerable people who can least afford to lose their savings. The ‘suckers list’ that criminals work from is often compiled from stolen data. Money laundering operations also form an integral part of the online fraud scene, as do websites that invite investment in apparently worthwhile causes; environmental scams have proved particularly popular with website fraudsters.

David stressed that this crime is real. The threats that the Cyber Essentials scheme exists to protect organisations and individuals from are an ever-present danger.

For evidence supporting David’s view, read our List of Data Breaches and Cyber Attacks in June, which includes a cyber attack that forced a well-known company out of business. Yes, it really does happen to UK companies.

Whether or not you are yet convinced that you need to put effective cyber security controls in place, join us at our next event and put your questions to our speakers.

*  *  *  *

If you would like to find out more about ISO 27001:2013 and how to set up and run an information security management system (ISMS) to help you comply with PCI DSS v3.0 and Cyber Essentials, talk to our consultants: 0845 070 1750.