As a UK Government-backed initiative that launched in June 2014, the term ‘Cyber Essentials’ is filtering through to many companies within the nuclear sector. But what is it all about and why should we be concerned? Some useful insights are shared below, to help to ensure we can all adhere to the new legislations.
What is Cyber Essentials?
In a nutshell, Cyber Essentials has been instigated by the UK Government as a required control measure to ensure organisations are protecting their IT systems and associated technological and data infrastructures from internet based threats. With the nuclear industry being a common target of such threats, it is particularly important to ensure we are not left vulnerable.
Who does Cyber Essentials affect?
Although many organisations across the UK have started to implement Cyber Essentials practices, if you work within or for the nuclear industry, your company will need to become Cyber Essentials accredited in order to work on certain contracts. For all companies bidding for UK government contracts, compliance with the Cyber Essentials scheme is a distinct advantage to the tendering process, as your work will involve the handling of sensitive and personal information.
How does Cyber Essentials work?
There are two levels of accreditation: Cyber Essentials and Cyber Essential plus. At the basic level, the Cyber Essentials programme provides a comprehensive foundation focused on five core areas of IT cleaning measures including:
1. Boundary firewalls and internet gateways – ensuring these devices have been set up effectively.
2. Secure configuration – systems should be configured securely.
3. Access control – only known people should have access to the systems.
4. Malware protection – installation of the latest virus and malware protection.
5. Patch management – using only the current supported version of applications.
With Cyber Essentials Plus you are assessed by an external Cyber Essential approved provider on security for enhanced assurance. Once accredited by the authorised company, you will be able to display a Cyber Essentials logo on your communication platforms, which will demonstrate to your customers, suppliers, investors and others that you have adhered to UK government cyber security standards.
How do I implement Cyber Essentials and how long does it take?
The time required to safeguard your company is subject to varying factors:
· how many employees you have;
· the systems you already have in place;
· your internal resources;
· whether you opt for Cyber Essentials or Cyber Essential Plus.
If you have a competent in-house IT department with available resource, there is no reason why you cannot complete the assessment internally. However; it is important to bear in mind, the process is time-consuming and requires clear evidence to support each of your answers.
Alternatively, it may be beneficial to appoint an independent accredited company to work with your IT team to help you prepare for the assessment, guide you through the responses and documentation to become Cyber Essentials accredited.
Whether you implement the Cyber Essentials protocols internally or through a third-party supplier, you will need to find an approved company to evaluate whether standards are met before they approve your certification.
Cyber Essentials is not bulletproof. Organisations, especially in the nuclear industry, will need to continue monitoring and implementing additional protection measures against more advanced and targeted attacks. It is therefore important to build on Cyber Essentials once you are accredited, and maintain regular updates to these basic security controls.
For further information, search www.gov.uk for ‘Cyber Essentials’ or you can get advice from Michael Douglass, Cyber Essentials Approved Practitioner & Director at Yellowbus Solutions, on 01925 838386.