New system to ensure suppliers are up to scratch on IT security
A high-profile project has been launched with the aim of strengthening UK enterprises’ IT security.
The Cyber Highway was launched in London on Tuesday by Lord David Blunkett. The resource offers a “user-friendly online portal for large enterprises that want to strengthen the cyber defence of their supply chain.”
Corporations will, essentially, be able to monitor in real-time the progress their suppliers are making en route to Cyber Essentials certification.
Cyber Essentials is a UK government scheme that launched in June 2014 and is designed to help organisations protect themselves against hackers and malware infections. It’s largely about baseline security controls.
So basically, Cyber Highway ensures that your suppliers are following the Cyber Essentials requirements of good security – which is crucial as more and more Whitehall departments insist on suppliers being Cyber Essentials certified.
Lord Blunkett – a former Home Secretary and chairman of Cyber Essentials Direct, the outfit behind The Cyber Highway – said: “The UK Government has made significant progress. Government departments now require suppliers bidding for particular contracts to be Cyber Essentials certified, and next month sees the launch of the National Cyber Security Centre. These are all steps in the right direction but we can and must go further, especially to assist many more companies to become certified.”
Small organisations account for 92 per cent of cyber attacks, often because of limited resources. The issue of vulnerabilities in third-party suppliers leading to compromises of the companies they serve has been around for years, and gained much greater prominence after a mega-breach at US retailer Target was traced back to its refrigeration, heating and air conditioning subcontractor.
Cyber Essentials Direct chief exec John Lyons said: “We have spent the last eighteen months designing a practical and helpful approach to help de-risk and secure otherwise vulnerable supply chains from cyber attack.”
All about the baseline
Javvad Malik, security advocate at security tools firm AlienVault, said that Cyber Essentials was helpful in improving baseline security standards.
“There definitely have been benefits from Cyber Essentials,” Malik explained. “Many small businesses that were not even aware of security needs or requirements have, by way of Cyber Security Essentials, been able to establish a baseline. The better-equipped and aware of security needs companies are, the better the chance they can spot, prevent, and respond to a cyber attack. However, we may not see a visible reduction in the amount of data breaches immediately. The process needs time to distil through organisations. During this time, it is likely that attackers will change their tactics – but overall the security bar will be raised.
“The most important thing enterprises should be doing is [to] know what their assets are, where they are located, and be aware of when [they are] attacked, compromised, or stolen,” Malik added.
Gubi Singh, COO at pen testing and managed threat detection firm Redscan, noted that many businesses, particularly small- and medium-sized ones, are “still complacent” about the risks posed by cyber threats.
“Obtaining accreditation like Cyber Essentials demonstrates to customers, partners and investors that a company takes protection of data seriously, and many businesses are now waking up to the competitive advantages of having effective security controls in place,” Singh said.
“Compliance is not a tick box exercise, however. With the threat landscape evolving on a daily basis, defences and processes need to be continually reviewed to keep pace with the latest attacks,” he added.
Firms that gain Cyber Essentials certification through The Cyber Highway will have access to AIG’s CyberEdge range of cyber liability insurance cover at reduced rates.
Cyber Highway said it was in talks with 300 companies representing supply chain businesses in the retail and technology sectors about getting onto its platform. The organisation has also signed up an unnamed High Street bank as a customer. Government suppliers are another potential source of customers.
Malcolm Carrie, industry programme director of the Defence Cyber Protection Partnership, said, “Cyber Essentials is the ground level for the Defence supply chain – the Defence Cyber Protection Partnership has layered further controls on top of it to address higher-risk scenarios. Smoothing the path to obtaining Cyber Essentials certification is welcome.”
Overseas governments are also in talks with Cyber Essentials Direct about implementing the Cyber Essentials programme in their own countries. For example, CyberNB (Cyber New Brunswick), Canada’s first provincial body to develop a comprehensive cyber security strategy, is weighing up the benefits of The Cyber Highway.