Cyber Essentials at UK MOD: the beginning of a critical mass?

The UK’s Cyber Essentials Scheme took a major step forward at the beginning of this year when the UK Ministry of Defence (MOD) mandated that its suppliers must hold a Cyber Essentials certificate before they can undertake certain contracts.

This news has been coming for quite a while, but judging by some of the reaction to the mandate, it appears to have caught some by surprise.

What exactly has been mandated?

MOD states:

“For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.”

The introduction of Cyber Essentials comes as a precursor to the forthcoming Cyber Security Defence Model (CSM). For full details see the Tech UK website.

Why we support the move

As the name implies, Cyber Essentials is just about the essentials, and for most organisations it should really be a matter of good housekeeping. The Scheme is designed so that organisations can take a Do-It-Yourself approach, but you can alternatively seek external consultancy support if needed.

The five controls in the Scheme should not be too taxing to achieve. For those organisations yet to achieve Cyber Essentials, a good starting point would be to undertake a simple gap analysis of what they do currently; whether this meets the criteria; and if not, identify and implement what they need to change to satisfy the requirements.

One of the ironies of the relatively low take-up of the Cyber Essentials Scheme to this point is, perhaps, a perception that because the bar to achieve the standard is set relatively low, it therefore has less value. However, reports are that in the first year of its existence almost half of those applying for the scheme were unsuccessful.

Two of my favourite aspects of the Scheme are that:

  1. An organisation needs to renew their certification annually – so practices are regularly reviewed to ensure that the necessary controls are in place;
  2. The Scheme encourages devolved responsibility to appropriate parties within the organisation – following the old mantra that cyber security is not someone’s responsibility, it is everyone’s!

A long-time supporter of Cyber Essentials

Nexor has been a long-time supporter of the Cyber Essentials Scheme, as we see the benefits to both individual organisations and within the industry as a whole.

We facilitated the very first consultation of the draft Scheme at one of our IISP regional forums.

When the Scheme was introduced in June 2014, Nexor was one of the first organisations to successfully achieve Cyber Essentials, so we blogged about our experiences of going through the certification process to share with others what we had learnt.

Then a year ago we helped spread the word by making Cyber Essentials the topic of a very well attended evening at our East Midlands Cyber Security Forum.

What impact will Cyber Essentials have on your organisation?

Back in November 2013 my colleague, Colin Robbins, wrote this on the introduction of another cyber security scheme:

“Will the approach succeed? In my view it has every chance, but the critical success factor is adherence being mandated in government contracts. This mandate is essential to drive adoption toward a critical mass.”

This is where we are now.

If you are a UK supplier, quite simply you must get your organisation certified – end of discussion! The requirement is only going to become more and more pressing for the survival of your business.

Whilst the UK MOD has made it mandatory across all its relevant contracts, it is surely only a matter of time before this approach is adopted by other UK Government departments and agencies. We are already seeing the increasing requirement on a contract-by-contract basis, not only for ourselves, but for our own supply chain too.

For those outside the UK: suppliers should definitely consider getting the standard if they want to partake in the UK market; end-users should look upon the UK as a leader in tackling cyber security across the board and feel safer doing business with suppliers who hold Cyber Essentials certification.

So don’t delay, start your journey now! Find out more about the Cyber Essentials Scheme.

15 COMMENTS

  1. “Wow, this Cyber Essentials thing at UK MOD sounds like a big deal! Can’t wait to see the impact it has on organizations. 💻💥”

    • Yeah, right! Like the UK MOD really knows what they’re doing when it comes to cybersecurity. I’ll believe it when I see it. 💻🙄

    • Well, I hate to burst your bubble, but I highly doubt Cyber Essentials will live up to all the hype. It’s just another bureaucratic measure that organizations have to jump through. I wouldn’t hold my breath for any real impact.

  2. “Seems like Cyber Essentials at UK MOD is a step in the right direction! Can’t wait to see the impact it’ll have on all organizations. 💪”

    • Reply:
      Honestly, I think Cyber Essentials is just another bureaucratic hoop to jump through. It might give a false sense of security, but let’s be real, hackers are always one step ahead. We need stronger measures, not just a fancy certification.

  3. “Wow, Cyber Essentials at UK MOD sounds like a game-changer! Can’t wait to see the impact it has on organizations. 💻”

    • “Game-changer? More like another overhyped government initiative. Let’s see if Cyber Essentials actually delivers on its promises before getting too excited. 🙄”

    • Finally! It’s about time they realized the importance of cybersecurity. Better late than never, I guess. Let’s hope they actually follow through and prioritize it instead of just giving it lip service.

    • Sorry, but I have to disagree. Cyber Essentials is essential for protecting businesses from cyber threats. It’s not a waste of time, it’s a proactive measure to safeguard sensitive data. Don’t underestimate the importance of cybersecurity.

    • I hate to burst your bubble, but Cyber Essentials at UK MOD is just another bureaucratic hoop to jump through. It’s unlikely to make any real impact on organizations’ cybersecurity. Don’t get your hopes up too high, mate. 🙄🔐
