Tag Archives: Cyber Essentials

Cyber Essentials Plus and a Bit More

18 Oct

Cyber Essentials as a standard is now starting to mature, with almost 3,000 certifications now reported.

Cyber Essentials logoCyber Essentials is largely a one-size-fits-all. You are either compliant, or you are not (with a small bit of “comply or explain” wriggle room). This is good for the purpose it was intended, and serves a baseline for all businesses.

This is now mandated for UK Government procurement, but when assessed for use in the Ministry of Defence’s supply chain it was considered the essentials were not enough.

The challenge however is different elements of the supply chain needed greater or lesser security. The solution being trailed is called the Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM).

The model describes 4 risk levels, from Very Low up to High (plus a Not Applicable). For each of these a set of mandatory security controls is defined. Even at the Very Low end, Cyber Essentials is required. The higher the risk, the tighter the expected level of control.

Referring to my blog “The importance of having an Asset List”, it’s interesting to note that only at the Medium risk grade is an asset list mandatory – in the blog I argue you find the lower levels hard to do without one.

At the highest end of the CSM, there are controls such as “Proactively verify that the security controls are providing the intended level of security”; i.e., implementing security is not enough – you need to be able to demonstrate your controls are working.

The CSM approach is very much a ladder, you move up rung by rung from Cyber Essentials.

For something more bespoke and comprehensive there is the ISO 27001 based approach, in which you:

  • identify the business’s security objectives;
  • determine the risks;
  • then select a set of controls to mitigate those risks.

Effectively an a-la-carte approach to customise a solution, all wrapped in a security management system.

Within your business, you need to take control and determine the appropriate level of security, but please don’t be paralysed by indecision – at the very least start a Cyber Essentials programme.

How can firms protect themselves from ransomware?

5 Oct

In a previous blog post I wrote about the rise of ransomware over the last year. In this post I will briefly outline what steps organisations should take to avoid becoming the next victim of ransomware. Continue reading

Top cyber crime threats to East Midlands businesses

20 Sep

I recently attended the East Midlands Cyber Crime Breakfast, where a panel of experts outlined what they saw as the principal cyber crime threats that were affecting organisations in the East Midlands. Continue reading

Cyber Essentials at UK MOD: the beginning of a critical mass?

10 Feb

The UK’s Cyber Essentials Scheme took a major step forward at the beginning of this year when the UK Ministry of Defence (MOD) mandated that its suppliers need to have obtained a Cyber Essentials certificate before they are able to undertake certain contracts.

This news has been coming for quite a while but judging by some reaction to this mandating of Cyber Essentials, it appears to have caught some by surprise. Continue reading

Cyber Essentials At Home

19 Nov

Our homes are becoming smarter. Lights you can switch on remotely, heating that learns about when you will be at home, refrigerators that add items to shopping list as you use them and electric cars that charge when fuel prices are low.

This exciting new world does not come without risks: risks to privacy; risks to security and risks to physical safety. Continue reading

Cyber Essentials for Home

28 Apr

19 Nov 2015: POST SUPERSEDED BY Cyber Essentials at Home.

Continue reading

Cyber Essentials: going mainstream?

24 Feb

As I’m sure many of the readers of this blog will be aware Cyber Essentials is a UK Government scheme encouraging organisations to adopt good practice in information security. It includes an assurance framework, and a simple set of security controls, to protect IT.

It was launched in a big fanfare in June of last year; it became mandated for certain UK Government IT contracts in October 2014; but it has seen relatively low take-up. Or at least thus far. Continue reading

The 12 Themes of 2014

17 Dec

Rather than bring you the 12 Days of Christmas, we’ve done the 12 themes of 2014 instead! A look back at what has been making the headlines in the world of Information Security (and beyond) this year. Take a moment to relive the year……  Continue reading

Validating the Payload

10 Nov

In the blog Secure Delivery of a Payload we discussed how secure information exchange consists of two distinct elements: the information you need to convey – the payload, and the technical method used to carry the payload – the protocol. Attackers wishing to break into your network can exploit either of these: the protocol or the payload.
Continue reading

Why have I got an Intruder Alarm?

28 Oct

At home, I have invested in good quality locks on my doors and windows, conforming to the standard required by my insurance company. In addition to that I have also invested in an intruder alarm.

Continue reading