The government’s new Cyber Essentials Scheme (CES) ensures small and medium-sized businesses (SMEs) are protected from cyber threats in a practical way, says IT services firm Databarracks.
The London-based firm is one of the first organisations to achieve Cyber Essentials Plus certification under the guidance and certification scheme, launched in June, which aims to ensure UK businesses get the basics of cyber security right.
The CES is part of the UK’s National Cyber Security Strategy and provides an independent assessment of the essential security controls organisations need to have in place to mitigate cyber risks.
“Unlike other security frameworks like ISO27001, Cyber Essentials Plus includes a perimeter vulnerability scan to verify that existing mitigations actually work,” said Peter Groucutt, managing director of Databarracks.
To demonstrate basic cyber hygiene and achieve certification, Databarracks had to complete a cyber essentials questionnaire.
This was validated by Security Alliance, which carried out two site visits and conducted an external perimeter vulnerability scan.
The perimeter vulnerability scan is mandated by Crest, the technical information security industry certification body, which is one of a number of organisations carrying out CES assessments.
“While ISO27001 is great for mitigating the risks that firms are able to identify, CES helps uncover the risks that small firms, in particular, may not otherwise be aware of,” Groucutt told Computer Weekly.
He speaks from experience, as Databarracks holds ISO27001 certification as a provider of managed security services.
“CES helps firms discover and close back doors into their networks, and shows that good security practices do not have to be complicated to be effective,” he said.
Groucutt said CES meets a real need in helping SMEs protect themselves from cyber threats by selecting the most relevant parts of frameworks such as ISO27001 and presenting them in a neat package.
“This makes cyber defence much more accessible and affordable for smaller companies, and that can only be a good thing,” he said.
Although it is too soon for Databarracks to assess the competitive advantage of CES certification, Groucutt welcomed the government's plans to embed CES in its procurement process.
“This should minimise the rigmarole companies have to go through when dealing with government departments,” he said.
While Databarracks is one of the first small and medium enterprises to be CES certified, Barclays has led the way among large UK organisations by achieving certification for its digital banking service.
Barclays is now working with the Government Digital Service (GDS) towards the second level of certification, Cyber Essentials Plus.
The first level of certification offers a basic level of assurance; the second offers a higher level of assurance through external testing of the organisation’s cyber security approach.
“The CES is unique because it has been developed as a collaboration between the UK government and the very best cyber security professionals in the UK,” said Ian Glover, president of Crest.
“These professionals utilised their years of experience and invested their own time to extract the security standards that should be applied to all businesses, regardless of size.”
Glover believes it is important that large consumer-facing organisations like Barclays embrace the scheme.