You can imagine it now. If the world of IT security were to be played out as a pantomime today, the seeming villain of the piece would definitely be GDPR. Picture it, the face of the CISO when the crowd scream “It’s behind you!” as GDPR suddenly appears. Our hero knows that GDPR is lurking behind him but he is not quite sure a) how much of a threat it will be to him and b) exactly what he has to do to combat it.
Does that resonate with how you feel about GDPR? If so, you might be pleased to know that this article is not about the intricacies of GDPR; however, it will help you jump the first hurdle of your hero’s journey on the road to compliance.
Continuing the theme of pantomimes, perhaps you could describe the role that Cyber Essentials plays as similar to the role of the Good Fairy.
So how much do you know about Cyber Essentials?
It’s not uncommon to read in the news about cyber-attacks and, to be frank, cyber criminals don’t care whether you are a large multinational conglomerate, an NHS Trust or an SME. According to statistics from the Federation of Small Businesses, the UK’s 5.4 million small businesses are attacked in excess of seven million times per year. You may assume that you already have the necessary protection and procedures in place, but all that is needed is for attackers to be one step ahead of you. For example, in the attack on Northern Lincolnshire and Goole NHS Foundation Trust in October 2016, the biggest factor in the spread of the Globe2 ransomware was a misconfigured firewall. Staff at the Trust had already identified the weakness but had not yet carried out the remedial work needed. In this instance the ransomware infection caused an outage that shut down the Trust’s systems for four days.
The Government developed the Cyber Essentials certification back in 2014 as a way for all businesses, regardless of size, to be able to efficiently and effectively put the foundations in place to protect themselves. It protects against roughly 80% of common cyber-attacks and allows organisations to demonstrate to their customers and insurers that they a) take cyber security seriously and b) can be trusted with their data. By offering two flavours of the certification, organisations have the ability to choose what level of assurance they desire based on their available budget. The two levels are:
- Cyber Essentials – An organisation self-assesses against five basic security controls (boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management), and a qualified assessor verifies the information provided and advises on any remediation actions needed
- Cyber Essentials Plus – Provides a higher level of assurance. As well as completing the verified self-assessment, the organisation undergoes external and internal vulnerability testing that checks the five controls in practice and yields a compliance report and certification.
Implementing these controls, or any controls for that matter, does not allow an organisation to say that it is completely immune from cyber-attacks. However, completing either the Cyber Essentials or the Cyber Essentials Plus certification will not only give you confidence in your “threat posture”, the approach your business is taking to security, but will also provide valuable insight into your data assets and their impact and importance (which is central to GDPR), as well as providing food for thought for your future strategy for combatting emerging cyber security threats.
Back to our villain GDPR. Wielding nasty fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher, our villain should motivate UK organisations to take the action they need: to handle personal data in a timely, systematic and controlled way, and to protect that data adequately from cyber security threats. That could make GDPR the anti-villain of the piece.
Please feel free to contact Fordway to discuss how we can support you obtaining Cyber Essentials or security consultancy to help test the protection of your sensitive data.