When it comes to cyber security breaches – is it a question of when, not if? Joe Collinwood at CySure looks at how certification can set SMEs on the path to good cyber hygiene
Cyber security has become a fundamental component of business operations. As cyber criminals get more sophisticated and threats continue to evolve, it is vital that companies invest in security policies, procedures and products regardless of size, market or location.
Small and medium-sized enterprises (SMEs) are as much at risk from data breaches as large organisations. According to the Cyber Security Breaches Survey 2018[i], 42% of small businesses identified at least one breach or attack in the last 12 months. This is a significant problem which is set to increase as criminals find new ‘digital’ ways into organisations for valuable personal information.
However, it is not an insurmountable problem. SMEs can protect themselves against common cyber-attacks by undertaking a certification process. Cyber Essentials is a government and industry-backed scheme to help all organisations protect themselves against common cyber-attacks. In collaboration with Information Assurance for Small and Medium Enterprises (IASME), it has set out a set of basic technical controls for organisations to implement, against which they are assessed annually. Here are four reasons to get certified:
1. Mitigate cyber risks
Whilst no security strategy can stop 100% of attacks, the aim is to mitigate the risk as much as possible. The majority of attacks exploit basic weaknesses in IT systems and software, which can be straightforward to defend against. Being fully Cyber Essentials[ii] compliant mitigates some of the risks faced by businesses, such as malware infections, social engineering attacks and hacking.
The Cyber Essentials scheme aims to provide businesses with a base from which to reduce the risk from these prevalent cyber-attacks. However, it doesn’t address the circumstances of every organisation or the risks posed by every processing operation. Companies that are part of supply chains are now getting wise to this fact. As all companies subject to the GDPR are required to report a data breach to the Information Commissioner’s Office (ICO), a controller or processor needs to be able to demonstrate that it ensured appropriate security was in place. This applies to both suppliers and contractors to their business.[iii]
In fact, many companies now want audited proof to be able to demonstrate this, which has seen a growing requirement for Cyber Essentials Plus.
2. Identify weak security links in your supply chain
As the saying goes, you are only as strong as your weakest link. This is especially true when dealing with third parties that are outside of your domain of control. The 2017 Data Risk in the Third-Party Ecosystem study[iv] found that 56% of respondent organisations had been affected by a third-party data breach, up from 49% the previous year. This should be a major concern to any organisation. The GDPR makes it clear that organisations are accountable for data breaches caused by any third-party service providers they appoint to handle data.
By using a third party that has achieved certification via a scheme such as Cyber Essentials or IASME governance standard, organisations can show that they have taken steps to conduct due diligence within their supply chains. It does not give anyone a free pass, but it will help to mitigate the risk of prosecution and fines if a company can show that it followed the ICO’s recommendations, which extends to the contracts they have with other parties who may process data on their behalf.[v]
3. Show commitment to cyber security
By displaying the Cyber Essentials badge on its website, an SME can demonstrate to customers, partners and investors its commitment to cyber security. This is particularly beneficial for organisations that are storing personal information on customers and employees, or hosting commercially sensitive data. Through certification, SMEs can proactively provide sufficient guarantees that regulatory requirements will be met and the rights of data subjects protected.
The good thing about CE, IASME and GDPR is that they are quite prescriptive compared to other standards, and the audited versions require evidence that they are being actively followed. As with all standards – one size does not fit all, but Cyber Essentials is a good starting point that puts in place the base technical controls. Adding IASME moves into the governance of an organisation – i.e. the policy and process that tells people what they can and cannot do.
4. Competitive advantage
Improving cyber security within its supply chain is a priority for the UK Government. It has decreed that suppliers must be at least compliant with the Cyber Essentials scheme in order to bid for contracts which involve the handling of sensitive information and the provision of certain technical services. Therefore, Cyber Essentials presents a competitive advantage to certified SMEs, both when competing for business generally and when tendering for public sector contracts. The audit process ensures that they will be able to demonstrate their security credentials and diligence towards defending the integrity of their customers’ data.
Supported at every stage
Achieving safety and compliance doesn’t have to be a costly or complex project. By utilising an online information security management system (ISMS) that incorporates Cyber Essentials, SMEs can undertake a certification route guided by a virtual online security officer (VOSO) as part of their wider cyber security measures. This will help the organisation to coordinate all security practices in one place, consistently and cost-effectively. Additionally, SMEs can take advantage of the expertise of online cyber security consultants at a fraction of the cost of a full-time in-house security specialist or a team of consultants.
Certification has many benefits: it ensures standardisation within the supply chain and is a good differentiator for SMEs who provide services, as it shows diligence towards information security. The UK National Cyber Security Centre has taken a leadership role in providing the technical expertise for the Cyber Essentials scheme, which ensures that it encompasses the country’s best technical insight and experience. Cyber Essentials certification can help SMEs implement strong cyber security hygiene practices and benefit from the new digital world.
[i] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2018
[ii] https://www.cyberessentials.ncsc.gov.uk/
[iii] https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/
[iv] https://www.opus.com/ponemon/
[v] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/
CySure is a cyber security company with offices in London and California. It was founded by cyber security experts with extensive experience in operational and risk management. CySure’s flagship solution – Virtual Online Security Officer (VOSO) – is an information security management system that incorporates US NIST and UK CE cyber security standards to guide organisations through complex, emerging safety procedures and protocols, improve their online security and reduce the risk of cyber threats.
CySure also supplies organisations with cyber insurance to supplement their security strategy and offset crippling forensic and remediation costs in the event of a cyber breach.
For more information please visit www.cysure.net