A recent announcement by IASME (the consortium licensed by the UK’s National Cyber Security Centre, NCSC, to deliver and operate the self-assessment Cyber Essentials scheme and its externally validated sibling, Cyber Essentials Plus) of changes to the CE/CE+ scheme shows clear UK Government concern to ensure that the scheme’s coverage keeps pace with the evolution of the cyber threats faced by businesses.
The changes widen and deepen the scope and coverage of the standard; close off loopholes; and remind us all that the basics, however unexciting, are critically important to get right. A welcome update – and a stark reminder of the fact that most breaches happen because we do not do the basics right enough.
Detail
The Cyber Essentials toolkit has just been through a bit of an overhaul. In addition to IASME issuing a marine variant of the Cyber Essentials scheme, they have just announced some tightening of the basics to make the standard fit for the future. The dedicated reader can find the update statement on the IASME website.
For those short of time, the following observations are of note:
That’s the good news?
The Cyber Essentials scheme is a very good starting point for organisations to assess their cyber posture. While it’s relatively basic, that’s the point: it covers the important bases and goes a long way to reducing some of the most obvious risks and vulnerabilities that are usually exploited by the hacking fraternity.
In fact, it is not that basic – indeed it is quite subtle. A lot of thought has gone into it – and while many organisations try to kid themselves in their self-assessments that they are fully compliant, it is well enough designed to make it very clear – as clear to a self-assessor as it is to an external assessor – where they are coming up short.
The fact that it has become more complete is in fact a welcome development, since it shows that cyber threats evolve over time and that, to take this seriously, organisations have to move with that evolution. Doing Cyber Essentials properly is not an easy option, and the fact that there are stiffer requirements shows Boards, companies and organisations that the threat is not static and will continue to mutate and evolve.
Doing Cyber Essentials or Cyber Essentials Plus will not make you immune to cyber attack. But it will make the hacker’s life more difficult. And Amen to that.
Author: Bill Egerton, Astaara’s chief cyber officer