As the first business in the Highlands and Islands to achieve the UK government-backed Cyber Essentials badge for cyber security, we are also the first to need to complete the annual renewal process. We are very pleased to announce that we have achieved Cyber Essentials again, demonstrating the level of security that we have in place within our IT systems.
The Cyber Essentials scheme was released in June 2014, and it is anticipated that holding Cyber Essentials could become mandatory for suppliers in many sectors; companies servicing the public sector are already obliged to possess a certificate. There is growing pressure for supply chains to be validated as part of the process because of the level of data dependencies between companies, and the standard is regularly reviewed to meet the changing risk.
The UK Government have published their National Cyber Security Strategy 2016-2021 to outline how the UK can be better prepared to defend against the increasing number of cyber attacks and have announced major investment to protect the UK from cyber attack.
“Just under a fifth of businesses had their staff take part in cyber security training in the past year.” Cyber Security Breaches Survey 2016.
“99.9% of exploited vulnerabilities were compromised more than a year after the vulnerability was published.” Verizon 2015 Data Breach Investigations Report.
Achieving Cyber Essentials can be seen as a barrier for businesses where a limited team manages IT on a daily basis, as their core business activities prevent them from readying the business for validation. Many smaller businesses depend upon outsourced IT service providers for their IT support, as it is not appropriate for them to operate with internal IT staff. The use of outsourced IT may add further cost to achieving Cyber Essentials. Subject to the size of the business, the IT systems that are in place and how these are managed, we would suggest that most SMEs could achieve Cyber Essentials with between 8 and 30 hours of their own effort. Where there is an external IT supplier, we would suggest that they should be able to deliver this within 8 hours due to their knowledge. We have seen the impact of a cyber breach that could have been prevented by following the processes validated by Cyber Essentials cost a business considerably more than the effort involved in protecting the business.
As a qualified ACE Practitioner, we recognise that time and cost are both valuable resources, and we can work with businesses to get up to speed with Cyber Essentials as quickly as possible. Over the last 12 months we have worked with a number of businesses across the UK that are working towards or have achieved Cyber Essentials, and as a result we have the experience to assist in achieving the standard. In many cases our clients ask us to work with their trusted IT services provider to achieve Cyber Essentials. This separates the interpretation of the Cyber Essentials standard from the sales process, whilst ensuring that the time invested in achieving Cyber Essentials results in an appropriate level of protection for the business through the delivery of a security process.