One in four of all businesses have suffered a cyber breach or attack in the past year, with many firms suffering disruption to operations, reputational damage and significant financial costs. Recent high-profile attacks demonstrate the scale of the cyber threat to industry, but many businesses are still failing to take action, which is why the Government is launching a new “Cyber Essentials” campaign to help companies protect themselves.
The Government’s Cyber Security Breaches Survey showed that 51% of medium-sized firms and 65% of large firms reported a cyber attack in the past 12 months, with a quarter of those large firms being breached at least once per month. The new campaign aims to help businesses get good, basic security measures in place to protect against the most prevalent online threats – using the “Cyber Essentials” scheme.
Minister for the Digital Economy, Matt Hancock, spoke to the Institute of Directors’ cyber security conference on 27 March to signal the start of the campaign. “It’s absolutely crucial UK industry is protected against this threat – because our economy is a digital economy … my message today is clear: if you’re not concentrating on cyber, you are courting chaos and catering to criminals.”
The Cyber Essentials scheme was developed in partnership between Government and industry after GCHQ analysis found that the vast majority of cyber attacks – at least 80% – exploited basic vulnerabilities in IT systems which could easily be fixed. Cyber Essentials shows businesses and organisations how to address those basics and protect themselves against the majority of online threats. The five controls in Cyber Essentials cover areas such as patch management (always updating your software in a timely manner), user access control (restricting access to only those who need it) and malware protection (i.e. using anti-virus software).
The Government recommends Cyber Essentials as a minimum level of security for any organisation which relies on the internet. In addition, suppliers to Government which handle personal or sensitive data, or provide certain IT products and services, are now required to hold a Cyber Essentials certificate before they bid for Government contracts. As part of the new campaign, a number of well-known FTSE 100 firms have announced they will follow the Government’s lead and push Cyber Essentials in their supply chains: these include Vodafone, BT, Barclays, Airbus and AstraZeneca.
Digital Minister Matt Hancock said, “I think this is a powerful signal that the security of our suppliers is as important as our own security – the two things are inextricably linked. It is also a recognition that Cyber Essentials is an effective tool which can be built on to achieve greater security in our organisations.”
The Cyber Essentials campaign is part of the new National Cyber Security Strategy, which was published by the Government in November 2016, backed with £1.9 billion investment over five years, to help protect businesses, citizens and public services online.
As part of the strategy, a new organisation, the National Cyber Security Centre (NCSC), has been set up by GCHQ to help make the UK the safest place to live and do business online. The NCSC has a new role in supporting the “wider economy and society” – parts of industry and society the security services have not traditionally engaged with – including the wide range of small, medium and large businesses which are outside what is considered “critical national infrastructure.” There is a growing suite of helpful, practical cyber security guidance offered by the NCSC.
With the new General Data Protection Regulation (GDPR) coming into force in May 2018, it’s important businesses and organisations take action on cyber security, particularly to protect the data they hold appropriately. The GDPR will introduce new requirements for organisations handling personal data, including new data breach reporting requirements and higher fines for non-compliance. The Information Commissioner’s Office website has some useful guidance on data protection, including twelve steps organisations should take to prepare for the GDPR.
Practical cyber security guidance for businesses, including free online training, is available on the GOV.UK website and from the National Cyber Security Centre.