You may have seen recent news about the costs of cyber insurance soaring in response to the rise in cyber-attacks. This may well have highlighted the new reality in which targeted cyber-attacks by skilled and persistent criminals are now affecting all organisations, from the public to the private sector. Premium levels are set by assessing cyber risk, including examining the following:
- Is there a firewall in place and correctly configured?
- Are the network and file permissions set in a secure way?
- Do you have adequate and up-to-date antivirus and malware protection?
- Are your software and firmware updated frequently?
To help organisations deal with the situation, the Government launched the 10 Steps to Cyber Security guide to encourage organisations to consider their cybersecurity measures and to decide if they were managing their cyber risks adequately.
This guide was codified into the Cyber Essentials scheme. This is a cybersecurity standard, which organisations can be assessed and certified against. It identifies the security controls that an organisation must have in place within their IT systems to have confidence that they are addressing and mitigating the risk from cyber threats.
There are two levels of certification: Cyber Essentials, where a self-assessment questionnaire is completed and externally reviewed, and Cyber Essentials Plus, where the external certifying body carries out tests of an organisation’s systems.
Who needs to comply with Cyber Essentials?
From 1st January 2016, the Ministry of Defence required all companies bidding for new contracts to be certified to Cyber Essentials. From April 2016 these organisations had to comply with the Cyber Security Model, a further step covering wider aspects of cybersecurity such as governance and risk management. In July 2016 a Department of Health report recommended that the Cyber Essentials scheme “should be tested in a wider number of GP practices, Trusts and social care settings.” Cyber Essentials Plus is now the minimum standard for healthcare providers and partners.
What is the process?
Costing around £300, the Cyber Essentials process consists of a questionnaire completed by the organisation applying to the scheme. This is then reviewed by a certifying body, and a decision about whether to award the certificate is usually reached in a few days. Annual recertification is required to keep the cyber breach insurance in place.
Cyber Essentials Plus includes an external audit of your systems. This covers user devices, all internet gateways and all servers. The assessor will test a sample of these systems, typically about ten percent, before deciding if further testing is required. The assessor will visit both the head office and a sample of other offices to carry out testing, although some tests can be done remotely.
The scheme is mostly aimed at businesses who do not have their own dedicated IT teams working around the clock to monitor threats. Its adoption by government departments as an assurance framework for their partner businesses means that companies of all sizes now need to consider if Cyber Essentials is for them.
Netitude offers an assisted assessment to complete the questionnaire on our client's behalf. This is useful if you don’t currently have the expertise in-house to verify the technical questions of the audit.