The Sun is setting on cyber security laggards

Cyber Essentials 2 – Why your City organisation cannot afford to go without a compliance badge


Cyber Essentials 1 was the first UK industry event of its kind. Michael Shuff of IT Governance Ltd reflects on what the delegates learned from a day to remember.

(Note: Register for Cyber Essentials 2 – The UK Government Scheme to improve cyber security (17th of July 2014) today. Places are limited and booking up fast!)

Today, my inbox contained comments from some of the 120 or so delegates who attended our Cyber Essentials event at Royal Mint Court in London on 24 June.

“…appreciate your effort to arrange such a brilliant seminar.” (Amitabha Sikder, Information Security Manager, ELEXON).

While I am sure that we can (and will) improve on our performance, as Sir Winston Churchill said, “To improve is to change, so to be perfect is to have changed often.” We all experienced a moment of change in our thinking, which I consider worth highlighting in this blog: cyber security compliance is no longer the concern solely of large companies and government; it has become the management concern of every organisation that takes its reputation seriously.

Obviously, there will be some companies that will not participate in the Scheme at all, and plenty, I am sure, that will adopt a ‘wait and see’ attitude to the subject of certification, although they were not in the room with names such as Barclays, Aberdeen Asset Management, Capita, Lamprell plc, ELEXON, Pearson, Bank of America, Cooke & Mason plc, AVEVA Solutions, JCB – the list goes on, and on.

Why the Cyber Essentials Scheme – and why now?

As Tom Davison of Symantec Corporation pointed out in his talk during the event, cyber security now sits squarely towards the top of the agenda for boards around the world, with cyber risk moving from 12th to 3rd place in the Lloyd’s Risk Index. Business leaders have woken up to the importance of cyber security following a series of high-profile incidents since 2011. There has been a marked increase in targeted attacks (a 91% rise from 2012 to 2013), with hackers accounting for 34% of data breach incidents recorded by Symantec in 2013. And, significantly, your business is more dependent on connected IT than ever before!

[Source: ‘Cyber Resilience in a Shifting Online World’, presentation at the IT Governance Ltd event ‘Cyber Essentials 1’, by Tom Davison, Head of Information Security Practice, UK&I; taken from The Lloyd’s Risk Index 2013]

A few days before we assembled at ‘The Mint’ for our first Cyber Essentials event it was announced that American International Group, Marsh, Swiss Re, BIBA and the International Underwriting Association are supporting the UK Government scheme aimed at encouraging businesses to protect themselves against cyber threats. Jamie Bouloux, Cyber Liability Underwriting Manager of AIG, said in a press release: “AIG is pleased to support the Cyber Essentials Scheme, which provides an effective way for organisations to manage essential cybersecurity risks. As part of our commitment to the programme, we will incorporate Cyber Essentials into our risk assessment process for new cyber insurance policies, offering preferential rates to those prospective AIG clients who have obtained a Cyber Essentials Certificate as part of our commitment to superior cyber hygiene and overall cyber risk management.” City-based institutions are lining up to support the new Scheme and Barclays, who were represented at the event by a senior manager, are believed to be working to achieve Cyber Essentials certification ahead of their competitors in the FI sector.

From 1 October 2014, the UK Government will require all suppliers bidding for certain personal and sensitive information handling contracts to be Cyber Essentials certified, so the involvement of City of London companies is welcome. It is also inevitable, since FTSE 250 companies are high on the list of suppliers to the Government and public sector. In fact, there was a representative from The City of London present at the event, as further evidence of the Scheme taking off.

ISACA research on Cyber Essentials is a wake-up call for UK risk management

Sarb Sembhi, representing ISACA, spoke on this very subject, saying that many organisations had the five controls in place but his research showed that they were badly organised. Compliance with Cyber Essentials is seen as being part of any business’s ability to respond to the rapidly changing risk landscape highlighted by Symantec. The PwC survey conducted on behalf of BIS showed that most business leaders thought (wrongly) that their organisations were already covered.

Sarb ended by asking, “Should cyber insurance cover be made mandatory?”

The new EU Data Protection Regulation could be the factor that decides the matter for most CEOs. The draft regulation includes a requirement to notify those affected by a breach within 24 hours, and massive fines that will make the ICO’s £500,000 penalty look like small change.

What do you think? This could be a great opportunity to put your views to BIS, since Richard Bach, who spoke next at Cyber Essentials 1, will also be speaking at Cyber Essentials 2 on 17 July. If you wish, I will ask him on your behalf.

Richard’s talk explained the Cyber Essentials Scheme in more detail and emphasised that the UK Government is not planning to make it mandatory. There is obvious peer pressure emerging as a great reason to sit up and take this seriously: Barclays, for instance, are pushing forward to gain CES certification ahead of their banking competitors as proof of their commitment.

We learned that Cabinet Office guidance was expected in the ‘late summer’ regarding requirements for Cyber Essentials in the Government’s supply chain.

We were also told that seven companies have already been ‘badged’ as part of a pilot programme that demonstrated the viability of the Cyber Essentials Scheme.

Cyber Security Management System a possibility as the new Scheme develops

Richard was at pains to point out that the present two-tier Scheme offered only a snapshot of an organisation’s IT security. He described it as an ‘MOT test’ that is only valid for a given point in time. Membership of the Scheme will require an annual re-test, but there is more to come in the form of a risk assessment process.

If this is implemented, then a third tier (originally called the ‘Gold’ certification) will follow that will effectively require evidence of both an appropriate risk assessment process being followed and a ‘cyber security management system’.

Will compliance be a condition of Government contracts? Yes – from October!

Just in case the other information security C-suite managers think that it’s a good time to quietly relax and forget about implementing the five controls, the UK Government is still planning to insist on Cyber Essentials from 1 October in relation to certain contracts where the data being protected is particularly sensitive. There was talk of a grace period, but mere months may not be enough for some large entities to implement Cyber Essentials, pass the assessment and gain certification.

Which means…

If you are a serious contender for certification in 2014, now is the time to start.

What I have found interesting about the Scheme is the number of organisations that think self-assessment under Cyber Essentials will follow the same path as for PCI DSS, with SMEs signing an SAQ as part of their contract with the provider.

The shock that an external assessment body must examine their answers and, in the case of CREST members, carry out a vulnerability scan even at level 1, is starting to panic some people. The same people who were sure that their cyber security would easily meet the Government’s specification. Mum’s the word, but I suspect that a few boards are in for a shock when the assessor is in the building.

Better that, however, than joining Gregg Steinhafel, the former CEO of Target, who held himself personally accountable and pledged that Target would emerge a better company, shortly before leaving his post. I would show you a picture of Gregg, but we don’t have any that are free of copyright. You can imagine, though.

Cyber Essentials “does not trump ISO27001” (Richard Bach, BIS – during his talk)

In the afternoon, Richard Skipsey, of certification body SGS, spoke about the value of adopting/transitioning to ISO27001:2013.

He showed how an ISO27001 approach to developing and implementing an ISMS (Information Security Management System) based on a thorough risk assessment and documented policies, procedures and controls greatly improves your ability to manage information security. He also looked at how the Cyber Essentials Scheme links to ISO27001:2013 and derives its five controls from the control set contained in Annex A of the Standard.

Tony Drewitt for IT Governance reiterated the point that Cyber Essentials alone was not enough to protect an organisation from targeted attacks via the Internet, and that breaches were not just likely but inevitable – hence the need for cyber resilience. The ability to respond to a breach was as important as protecting your data, and ISO22301 provides a framework that helps to ensure business resilience.

This first Cyber Essentials event was booked out long before the start date and we have arranged a second one to cope with the level of demand – which is rising steadily by the day.

Although this advice may well sound like hype, if you want to be ahead of your competitors and tackle Cyber Essentials early, you will benefit from being at our event, taking our training course and using our Cyber Essentials toolkit.

We offer free 15-minute consultations with our expert consultants at the event. These ‘surgeries’ take place throughout the day and have been highly praised by attendees who have valued the one-to-one input that they have received.

See details of this one-day event in London, ‘Cyber Essentials 2 – The UK Government Scheme to improve cyber security’, on the IT Governance website.

*  *  *  *

Want our expert help to find out where you stand with Cyber Essentials?

Read our page on Cyber Health Checks – find out if you need to close gaps in your cyber security measures in line with the Cyber Essentials controls.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an information security management system (ISMS) to help you comply with PCI DSS V3.0 and Cyber Essentials, talk to our consultants: 0845 070 1750