The UK government is improving cyber security in its supply chain. From 1 October 2014, all suppliers must be compliant with the new Cyber Essentials Scheme controls if bidding for government contracts which involve handling of sensitive and personal information and provision of certain technical products and services.
Cyber Essentials was developed by the government, in consultation with industry. It offers a sound foundation of basic cyber hygiene measures which, when properly implemented, can significantly reduce a company's vulnerability. The scheme's set of five critical controls is applicable to organisations of all types and sizes, giving protection against the most prevalent forms of threat coming from the internet. The five Cyber Essentials critical controls are:
The Cyber Essentials scheme has two levels of assurance: Cyber Essentials Basic and Cyber Essentials Plus. Certificates are provided to organisations that successfully comply with all the requirements of the scheme and can be displayed on the company's website as proof of compliance. According to Mersyber (http://cyberinfo.co.uk), as of August 2016 there were 71 and 7 Scottish companies certified to Cyber Essentials Basic and Plus respectively.
Cyber Essentials Basic certification is awarded on the basis of a verified self-assessment. Companies assess themselves against the Cyber Essentials controls via a questionnaire, which is overseen by senior management. The completed questionnaire is then submitted to a certification body for review and approval before certification is awarded. This option offers a basic level of assurance and can be achieved at low cost.
Cyber Essentials Plus offers a higher level of assurance through a validation assessment of the company's cyber security approach. The validation assessment process includes external and internal vulnerability scans, malware control tests and other checks. Given the more resource-intensive nature of this process, we anticipate that Cyber Essentials Plus will cost more than the basic Cyber Essentials certification.
To help companies achieve certification against the Cyber Essentials Scheme, certification bodies such as NetHost Legislation are accredited by accreditation bodies such as IASME to perform this function. The Cyber Essentials scheme certification process is illustrated below.
Some Thoughts for The Future
Threats to information are an ever-present problem, and companies need to be mindful of this and implement a company-wide information security governance strategy. To support this strategy, best-practice standards need to be used as a benchmark and integrated into the governance strategy.
There is no silver bullet, and residual risk will always be present no matter which approach a company deploys. The aim for all companies is to ensure that the residual risk is lower than their acceptable risk, and to make sure:
About the author
Dr Abiola Abimbola, PhD, has been in the information security industry for over 15 years and has worked in the telecom, financial and educational sectors, amongst others. He is currently part of the NetHost Legislation security team in Aberdeen, Scotland.