- Paul Longhurst
Fixing A Hole – The rise and rise of Cyber Essentials
Increasing numbers of law firms are looking for help with the UK government’s Cyber Essentials scheme but don’t really understand what it is, what is involved in achieving certification, or why they should be driving the process rather than waiting to be pushed by clients or market sentiment. The scheme, which is overseen by the National Cyber Security Centre (NCSC) and accredited by the Information Assurance for Small and Medium Enterprises Consortium (IASME), started in June 2014 and became mandatory from October of that year for those working on UK government contracts.
There are two levels of certification, Cyber Essentials (or Stage 1) and Cyber Essentials Plus (or Stage 2, often referred to as CE+).
Cyber Essentials is a self-assessed process which requires organisations to:
• Use a firewall device in order to provide a secure connection to the internet
• Choose the most secure settings for IT devices and software
• Control access (via passwords and the like) to data and services
• Protect against viruses and malware seeking to attack organisations
• Keep IT devices and software versions up to date
A self-assessment questionnaire must be completed and signed off by members of an organisation’s leadership team, Board or similar. This needs to be submitted to an IASME-approved certification body which will check that the assessment provides a suitably secure IT environment before issuing a certificate which is valid for 12 months. The formal part of the process costs c. £300.
Cyber Essentials Plus includes both the self-assessed process of Stage 1 and an independently verified technical audit to ensure that all relevant Cyber Essentials controls are in place. An assessor will review services (such as internet access) and devices (such as switches, PCs, laptops and servers, along with the systems they are running) selected at random to check their compliance. This results in a compliance rating (no/low, medium, high or critical risk) and, if significant issues are discovered, may require testing to be broadened to a larger sample once the identified issues are rectified.
The formal part of the process costs c. £1500 although we have seen much higher costs for remediation work when external suppliers need to be engaged, especially where there is no internal IT team or services are hosted.
As this is an annual certification process, keeping systems up to date is all the more important as it helps to minimise work at the point of the next assessment. However, some might wonder if it is worth the effort and expense. The point here is that this is becoming a de facto standard for many businesses, which now demand it of their own suppliers (including legal advisors), making it an increasingly large barrier for those not holding a certificate.
Being proactive here carries benefits too. Your firm’s systems will be better protected by virtue of being maintained at the suppliers’ recommended levels rather than lagging behind where vulnerabilities may make them more susceptible to attack. Your firm will also be able to tell prospective clients that it is already certified with Cyber Essentials Plus, making the point that it takes cyber security seriously and is already following best practice… hole fixed!
If you have any questions about how 3Kites can assist your firm, please contact Laura.Howells@3Kites.com