In March, the news broke that IASME Consortium was to be the exclusive partner of the UK’s Cyber Essentials scheme, run by the National Cyber Security Centre (NCSC). But what does this mean? And how can Cyber Essentials help improve cyber security standards in the UK? We sat down with Dr Emma Philpott, MBE, CEO of IASME, to find out more.
In 2014 Cyber Essentials was launched by the UK Government to reduce the levels of cyber risk in its supply chain, setting a basic set of controls that businesses involved in central government contracts were required to abide by. As cyber threats continued to evolve, greater emphasis has been placed on cyber security by business owners – even outside of the government realm – and Cyber Essentials has grown with it.
Fast forward to 2019, and there were five accreditation schemes in place. While this was a clear demonstration of how the emphasis on cyber security has evolved in such a short space of time, it was viewed as a little confusing to the stakeholders and marketplace. Following a government review, it was decided that one body would be chosen as the exclusive partner to streamline the process and ensure a consistent approach to the Cyber Essentials standard. Having been heavily involved in the scheme’s initial set up, IASME Consortium was chosen as the official partner.
The impact of a global pandemic and remote working has resulted in greater engagement in cyber security practices – something that Emma Philpott, CEO of IASME Consortium, has long championed. “For many years, cyber security was only a ‘thing’ in defence and security, but Cyber Essentials changed this for many smaller companies working with the government, and it’s grown to much more,” Emma explains.
“Just like other businesses, criminal activity has moved online. This has been accelerated by the pandemic, but the threat was there before it as well. Organisations in every sector, small and large, need to make sure they are aware of the cyber threats and ensure they are doing at least the minimum to protect themselves and the rest of the supply chain.”
Cyber Essentials, Emma believes, provides the key first step towards improving standards. Designed as a certification scheme to reassure customers that a business is working to secure its IT against cyber-vulnerabilities, the process also acts as a useful training scheme for a company to assess its own practices. For those who have never fully considered cyber security past the regular changing of passwords, it can be an eye-opening experience.
Emma continues: “We really do see people now putting a lot of effort into achieving Cyber Essentials. Companies don’t always pass, but the fact that they have at least started to think about their cyber security practices and are working to improve them should be considered as a positive step. Particularly with so many employees remote working, it is crucial that endpoint devices, such as company laptops, have at least the basic levels of controls.
“It also highlights the vulnerability in the supply chain, too. People don’t always think about this, but some of the largest data breaches have been a consequence of a smaller supplier being targeted and used to infiltrate the larger vendor.”
But what does the move towards IASME as an exclusive partner actually mean?
The first thing to note is that there are a few differences between IASME certification and that of previous accreditation bodies. It is therefore advised to download the question set and make sure all the software your business uses is supported.
“The move towards using us as the sole provider should help reduce confusion and inconsistency for organisations. Cyber security is already quite a ‘scary’ and unknown prospect for smaller businesses, so we want to make the standards as clear as possible,” says Emma.
Exclusivity also brings improved communication with the National Cyber Security Centre, which helps to improve standards.
“We also now have an excellent working relationship with NCSC. The Cyber Essentials controls are under constant review, while we’re also working towards a pre-Cyber Essentials advice app to support businesses who simply aren’t ready for certification yet. This will provide much more targeted advice based on the answers given to a list of questions, and this kind of activity and support is now only really possible thanks to the exclusive partnership.
“And for larger companies, who often struggle with the patching requirements due to the sheer scale of their operation, we’re working with the NCSC on developing support for that as well.”