The IASME Consortium (a Cyber Essentials accreditor) has been the victim of a data breach, resulting in the email addresses and other data of registered companies being stolen. That's right, one of the Government’s six chosen certification bodies has itself been breached.
If you're not familiar, Cyber Essentials is a government-backed cyber security certification which provides a basic framework to help secure businesses, built around five controls:
- Network firewalls - to prevent unauthorised access.
- Secure configuration - setting systems up so that they are secure: default passwords changed, passwords required, and so on.
- User access control - permitting access only to the user(s) that need it.
- Malware protection - anti-virus installed and kept up to date.
- Patch management - keeping the operating system and software up to date (what the NHS failed to do...).
All good? Not quite, this is just the bare minimum.
Cyber Essentials fails to address a number of other risk factors, chiefly your employees, but also any web assets you may have. Most cyber security companies we talk to say Cyber Essentials isn't the best way forward for businesses because its scope is so narrow.
Is Cyber Essentials worth it?
Government contracts require it: if you're bidding for them, you need to be certified. But how effective is the certification at securing your organisation and preventing cyber attacks or data breaches?
Not very. There's no denying that complying with the points listed above reduces your risk of attack or breach compared with not complying. However, it fails to address the areas where data breaches most commonly originate: your staff and your website.
Cyber Essentials is only really of use if you need to bid for Government contracts, in which case you'll need it. If you don't have that requirement, the money spent on Cyber Essentials could buy a lot more that would actually improve your organisation's security.