Every time an organisation suffers a data breach it says two things in its inevitable public statement:
- It takes the security of its customers’ data seriously (probably a great deal more seriously after the data breach); and
- It is informing customers of the incident “out of an abundance of caution”. (Cynics might protest that if they were really being cautious they would’ve taken better care of the data in the first place.)
If you want to see a real abundance of caution, look no further than the takeaway ordering platform hungryhouse. Following a data breach at the web hosting service 000Webhost, hungryhouse’s “head of security noticed that a number of our customers’ details appeared on the list of emails that had been breached, [so] we took the pre-emptive step of asking them to change their passwords” – said hungryhouse CEO Scott Fletcher.
In a letter to customers, Mr Fletcher explained that there was “no relationship, or interaction between [000Webhost] and hungryhouse.”
Breaches at unrelated third parties are frequently the root cause of account compromises elsewhere, because customers reuse passwords across different platforms: an email address and password stolen from one site can simply be tried against another. If hungryhouse has taken such a proactive approach to protecting its customers’ security, then that can only be applauded.
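The check hungryhouse’s head of security describes, cross-referencing a breach’s published email list against your own customer base and forcing a reset on every match, is straightforward to script. The following is an added example and not hungryhouse’s own code; the breach list and customer records it uses are constructed sample data, and the field name `password_reset_required` is an assumption about how such a flag might be stored.

```python
"""Flag customer accounts whose email address appears in a third-party breach list.

Added example (not hungryhouse's code). Inputs are constructed sample data.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set

# Constructed sample breach dump: one address per line, as such lists usually circulate.
# Mixed case, stray whitespace and junk lines are deliberate, since real dumps have them.
BREACH_LIST = """\
Alice@Example.com
 bob@example.org
carol@example.net
not-an-email
"""

# Constructed sample customer records. "password_reset_required" is an assumed field name.
CUSTOMERS: List[Dict] = [
    {"id": 1, "email": "alice@example.com", "password_reset_required": False},
    {"id": 2, "email": "BOB@example.org ", "password_reset_required": False},
    {"id": 3, "email": "dave@example.com", "password_reset_required": False},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise(email: str) -> Optional[str]:
    """Trim and lower-case an address; return None for anything that is not one.

    Without this step, "Alice@Example.com" in the dump would never match
    "alice@example.com" in the customer table.
    """
    e = email.strip().lower()
    return e if EMAIL_RE.match(e) else None


def fingerprint(email: str) -> str:
    """SHA-256 of the normalised address.

    Storing fingerprints rather than the raw dump means the leaked list itself
    need not be retained after the comparison. This is a data-handling measure,
    not a secrecy one: email addresses have little entropy and can be brute-forced.
    """
    return hashlib.sha256(email.encode("utf-8")).hexdigest()


def load_breached_fingerprints(text: str) -> Set[str]:
    """Parse a breach list, discarding lines that are not email addresses."""
    fps: Set[str] = set()
    for line in text.splitlines():
        e = normalise(line)
        if e:
            fps.add(fingerprint(e))
    return fps


def flag_accounts(customers: List[Dict], breached_fps: Set[str]) -> List[int]:
    """Mark matching accounts for a forced password reset; return their ids.

    Only the customer's own address is compared, never the password: a match
    here means the customer *may* have reused the password, which is enough
    to justify a pre-emptive reset.
    """
    flagged: List[int] = []
    for c in customers:
        e = normalise(c["email"])
        if e and fingerprint(e) in breached_fps:
            c["password_reset_required"] = True
            flagged.append(c["id"])
    return flagged


if __name__ == "__main__":
    hits = flag_accounts(CUSTOMERS, load_breached_fingerprints(BREACH_LIST))
    print("accounts to reset:", hits)
```

In practice the comparison would run against the live account table rather than an in-memory list, and the reset flag would be enforced at next login together with a notification to the customer. Note that matching on email alone is deliberately conservative: it cannot tell whether the customer actually reused the leaked password, only that they might have.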
The vast majority of data security incidents can be addressed by introducing basic security measures.
Launched in 2014, Cyber Essentials is a government-backed cyber security certification scheme that provides a set of five controls (boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management) that organisations can implement to establish a baseline of cyber security, and against which they can achieve certification to prove their credentials. According to the government, implementing these controls will prevent around 80% of common cyber attacks.
There are two levels of certification to the Cyber Essentials scheme: Cyber Essentials and Cyber Essentials Plus.
- Cyber Essentials requires a company to complete a self-assessment questionnaire, which must be signed off by a senior company representative and then verified by an external certification body. An external vulnerability scan is also required if the company chooses to be certified by a CREST-accredited certification body such as IT Governance.
- Cyber Essentials Plus requires a more advanced level of assurance. In addition to meeting the requirements of Cyber Essentials, organisations must undergo an internal assessment and internal scan conducted on-site by the certification body.
Certification to the scheme will demonstrate to your customers and business partners that fundamental cyber security measures are in place, and provides evidence to validate your organisation’s security posture.
Cyber Essentials certification has been a requirement for organisations bidding for certain government contracts involving the handling of sensitive and personal information, and the provision of certain technical products and services, since October 2014. More than 1,200 organisations have already achieved certification to the scheme.