Wouldn’t it be nice if there was a ‘Kitemark’ style voluntary scheme for Cyber Security? Oh wait, there is!
Pick up any product and somewhere on its underbelly you will find a range of what appears to be modern hieroglyphics. These are not strategically placed emoji giving off some hidden meaning, nor are they the hiding place for a particularly awkward Pokemon; they are, of course, certification badges.
These badges are there to give the consumer confidence that a level of testing has been done to ensure that this particular product will not harm the user in any way, assuming that it is used within the guidelines laid down by the manufacturer. The most recognisable of these inscriptions is the ‘Kitemark’, introduced in 1903 as the British Standards Mark for use on tramway rails. As the BSI quote on their website, “Having a BSI Kitemark associated with a product or service confirms that it conforms to a particular standard.”
The Kitemark itself is a purely voluntary scheme; there are no legal or regulatory requirements to have it. So why bother? Because it’s an independently assessed statement that the organisation which has obtained it for its products cares about providing the best level of quality to its customers. As the BSI state, 93% of adults believe that BSI Kitemark products are safer, 88% of consumers trust the BSI Kitemark and believe that it shows a reputable company, and 75% of adults say that the BSI Kitemark helps make choosing between products easier. It is, in other words, a badge of honour for a company that wants to set itself apart from its competition and attract customers with its public commitment to quality.
Wouldn’t it be lovely if there was a Kitemark style voluntary scheme for companies who wanted to show a similar level of commitment to their cyber security measures? Oh wait, there is! It’s called Cyber Essentials.
The Cyber Essentials Scheme was launched in June 2014 and assists companies in implementing the fundamental technical controls needed to defend against threats. These controls have been selected by industry experts and cover the following: boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.
Since October 2014 the Government has required its suppliers who handle certain kinds of sensitive and personal information to have the Cyber Essentials Certification. Following their lead, the UK Ministry Of Defence now states that “For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.”
So what’s stopping you? Yes, you the company, or organisation, that doesn’t have Cyber Essentials but claims to be all about quality and care for your customers. Why are you not doing everything in your power to get your Cyber Essentials Certification and proudly display your commitment to make the UK a safer place to conduct business online?
Maybe the reason is that any new standard takes a period of time to become commonplace, to settle into the public consciousness and obtain its reputation of credibility and worth. Cyber Essentials is no different. Are companies and organisations aware of the scheme? Do they ‘buy in’ to its proposition? Are the public aware? And aware enough to look for a Cyber Essentials logo on the websites of companies that they deal with? In all cases, probably not. It’s going to take a while to reach a level of maturity and acceptance to get Cyber Essentials to the level of the BSI Kitemark.
The problem is, we don’t have time! Cyber-crime by any measure is increasing at a frightening rate. Millions of people are affected by it and billions of Pounds, Dollars, Euros and Yen are being syphoned off the great economies of the world and being fed into criminal activity.
Cyber Essentials can go a long way, not necessarily to stamping out cyber-crime, but to slowing its growth and preventing all but the most targeted attacks. To date over 1000 companies have been certified, which sounds like a lot, but with over 3.7 million registered companies in the UK, according to the latest figures from Companies House, and millions more sole traders and partnerships, it’s clear that there is still a very long way to go to get Cyber Essentials as widely accepted into everyday life as other voluntary schemes.
You don’t have to take my word for it; in fact, I’d rather you didn’t. Why not head over to the website of the BSI, those folks who provide the business standards that help companies make ‘excellence a habit’, and ask for their advice on cyber security measures? They recommend Cyber Essentials.