NICVA becomes 1st charity in NI to achieve Cyber Essentials Plus Certification
Cyber Essentials is a government-backed scheme devised to help small and medium-sized companies and organisations reach a good level of cyber security hygiene, in an effort to help the UK become a more secure country. It is a set of basic technical controls that any organisation can follow to understand its current infrastructure security level and take an active role in monitoring and improving it. Reported cyber crime figures are at almost epidemic proportions, with cyber fraud now the most commonly experienced offence. ONS figures show that in the year to July 2016 there were almost 5.8 million cases of computer misuse and fraud, with only 13.2% of fraud cases actually reported to the police, at a cost to the UK economy of almost £11bn. NI charities look like an attractive target for cyber criminals, given our sensitive data, limited security levels and aversion to poor publicity; this needs to change.
Launched in June 2014, Cyber Essentials is fast becoming an industry standard for companies to meet and adhere to, and is now a requirement for any company that wishes to supply services to government. We are conscious that it may soon appear as a requirement elsewhere, potentially from funders, given the amount, nature and sensitivity of the data held by many small charities in Northern Ireland. Certification also includes cyber liability insurance cover of up to £25,000, something most organisations would not normally consider. The UK Government is strengthening requirements for organisations to comply: in a recent speech Matt Hancock (Minister for Digital and Culture) announced that many leading UK firms, including BT, Barclays, Vodafone, Airbus and AstraZeneca, now require Cyber Essentials of their suppliers, and announced updated Cyber Essentials certification requirements that make the scheme easier to use. He states: "If you’re not concentrating on cyber, you are courting chaos and catering to criminals. Cyber security is one of the seven pillars of the Government’s digital strategy." "This is a board level issue, not one to delegate to the IT department." Read his full speech here.
The first level of Cyber Essentials is a self-assessment questionnaire which asks you to confirm the presence of these technical mitigations in your organisation: the scope of your organisation's network and what the controls cover, the access levels and controls in place, and the awareness of these at board level. It is a checklist of controls which you should be aware of and have taken measures to secure. It is a relatively straightforward process, which may take a few days of effort to check, document and verify before you can answer with confidence. The 5 main controls assessed are: Boundary Firewalls and Internet Gateways, Secure Configuration, Access Control, Malware Protection and Patch Management.
The cost for this certification level is approx. £300 plus VAT. There are 5 accreditation bodies and a wide number of certifying bodies across the UK. NICVA was accredited by IASME and worked alongside Cyphra, one of the few certifying bodies in NI. Costs for the CE Plus level are higher because a professional security consultant spends a number of days on-site testing your security measures and reviewing any remediation. Bear in mind that to be eligible to pass you must be fully confident in the security controls you have in place; verifying this, or putting measures in place to fix gaps, may take a number of weeks. When achieved, you will be given a kitemark (similar to the one shown above) to display on your website and/or communications to show your compliance.
The incoming GDPR regulations, which come into effect in May 2018, will either remain applicable despite the impending Brexit process or be replaced with something equally robust, and the Cyber Essentials scheme is a great first step towards securing personal data against loss, theft or unauthorised access. The ICO could potentially issue fines of up to 4% of global turnover, and Cyber Essentials can be presented as evidence that basic steps have been taken to protect your business from loss or attack.
Further levels of certification from IASME are available to show that your organisation has a wider governance system for managing the controls that protect personal data, including policies and procedures, staff training, assessment of business risks, and how incidents and operational issues are handled. You can have the IASME standard included for free alongside your basic Cyber Essentials certification if you wish. The IASME gold standard certification is a higher level, audited like CE Plus, and would incur further costs.
NICVA have also become part of the CiSP initiative, a government and industry partnership which includes a secure virtual ‘collaboration environment’ where partners can exchange information on threats and vulnerabilities in real time. We would urge you to join and become part of the cyber crime awareness community.
If you have any further queries, or want to find out more about the process, please give me a call on 028 9087 7777 or email at [email protected]