Associate feature: Cyber resilience deadline looms for public sector
Scottish public sector, time is running out.
Did you know that next month (October 2018) the deadline arrives for Scottish public sector bodies to have achieved Cyber Essentials or Cyber Essentials Plus certification?
Yes, we are nearly a whole year on from the Scottish government’s announcement of Scotland’s Cyber Resilience Strategy – the grand plan to improve cyber security and promote cyber resilience in Scottish public sector organisations.
If you haven’t yet achieved the scheme’s minimum level of compliance, it’s not too late to start, no matter what stage you’re at.
With cyber security fears more heightened than ever, the Scottish Cyber Resilience scheme was developed in 2017 to lay the groundwork for the Scottish government’s long-term goal of being a world leader in cyber resilience. If Scotland is to achieve this goal, its public sector must set a precedent for all others to follow. But with 60% of small businesses having been breached in the past year and with almost 40% of Scottish SMEs (small and medium-sized enterprises) spending nothing on IT security, it seems that most of the public sector is yet to act.
The WannaCry ransomware attack in May 2017, in which more than 300,000 computers were affected, accelerated the programme. Several requirements have since been issued to those in the public sector regarding how government departments, local authorities and NHS boards can become more secure online.
It’s the aim of Scottish ministers for the entire public sector to become exemplar in this field, starting with Cyber Essentials certification.
The following outlines everything the public sector needs to know.
What is Cyber Essentials?
The UK government’s Cyber Essentials scheme is a world-leading, cost-effective assurance mechanism for organisations of all sizes to help demonstrate to customers and other stakeholders that the most important basic cyber security controls have been implemented.
The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates, has been designed in consultation with SMEs to be light-touch and achievable at a low cost. The two certification options give organisations a choice over the level of assurance they wish to gain and the cost of doing so. You can download an information pack here.
Why does the public sector need to achieve Cyber Essentials certification?
The Cyber Essentials scheme provides five security controls that, according to the UK government, could prevent “around 80% of cyber attacks” and is the perfect starting place for organisations in the public sector to begin their journey towards becoming secure. The controls provide the basic level of protection required to protect organisations from the vast majority of cyber attacks, allowing you to focus instead on your core business objectives.
Cyber Essentials certification can also reduce insurance premiums. A government report in March 2015 (‘UK cyber security: the role of insurance in managing and mitigating the risk’) found that the majority of insurers believe “that Cyber Essentials would provide a valuable signal of reduced risk when underwriting cyber insurance for SMEs, allowing them to use a reduced question set and informing their decisions to underwrite”, and that “participating insurers operating in the SME insurance sector have agreed to build reference to the Cyber Essentials standard into their cyber insurance applications, and will look to simplify the application where accreditation has been achieved by the applicant”.
How can I achieve Cyber Essentials certification?
When exploring Cyber Essentials options, you should select a CREST-accredited certification body. This will enable you to benefit from the added level of independent verification of your cyber security status and boost your competitiveness. Although non-CREST-accredited certification options exist, none of them offer the same level of independent verification and stakeholder assurance that the CREST-accredited option does.
The leading CREST-accredited supplier of Cyber Essentials is IT Governance, which earlier this year opened a new base in Scotland. IT Governance has awarded hundreds of certifications, with many more organisations achieving certification every day. Cyber Essentials clients include Vodafone, Airbus Defence and Space Ltd, Action for Children, NHS Professionals and Lockheed Martin.
The company, which recently achieved BS10012 certification (the first of its kind), is also a specialist in ISO 27001 implementations, penetration testing, the PCI DSS (Payment Card Industry Data Security Standard) and the EU’s GDPR (General Data Protection Regulation).
This piece was sponsored by IT Governance. For more information about cyber resilience products and services, visit the IT Governance website, email servicecentre@itgovernance.co.uk or call +44 (0)131 564 1214 to get in touch with the consultancy team.
Holyrood Newsletters
Holyrood provides comprehensive coverage of Scottish politics, offering award-winning reporting and analysis: Subscribe