Fixing a hole – the rise and rise of Cyber Essentials
The UK government's cyber security scheme is becoming the de-facto standard, explains 3Kites' Paul Longhurst
Increasing numbers of law firms are looking for help with the UK government’s Cyber Essentials scheme but don’t really understand what this is, what is involved in achieving certification and why they should be driving the process rather than waiting to be pushed by clients or market sentiment.
The scheme, which is overseen by the National Cyber Security Centre (NCSC) and accredited by the Information Assurance for Small and Medium Enterprises Consortium (IASME), started in June 2014 and became mandatory from October of that year for those working on UK government contracts.
There are two levels of certification, Cyber Essentials (or Stage 1) and Cyber Essentials Plus (or Stage 2, often referred to as CE+).
Cyber Essentials is a self-assessed process which requires organisations to:
- Use a firewall device in order to provide a secure connection to the internet
- Choose the most secure settings for IT devices and software
- Control access (via passwords and the like) to data and services
- Protect against viruses and malware seeking to attack organisations
- Keep IT devices and software versions up to date.
A self-assessment questionnaire must be completed and signed off by members of an organisation’s leadership team, board or similar. This needs to be submitted to an IASME-approved certification body which will check that the assessment provides a suitably secure IT environment before issuing a certificate which is valid for 12 months. The formal part of the process costs around £300.
Cyber Essentials Plus includes both the self-assessed process of Stage 1 plus an independently verified technical audit to ensure that all relevant Cyber Essentials controls are in place.
An assessor will review services (like internet access) and devices (such as switches, PCs, laptops and servers along with the systems these are running) at random to check for their compliance. This will result in a compliance rating flagging alerts (indicating no/low risk, medium, high and critical) and, if significant issues are discovered, may require testing to be broadened out to a larger sample once the identified issues are rectified.
The formal part of the process costs in the region of £1500 although we have seen much higher costs for remediation work when external suppliers need to be engaged, especially where is no internal IT team or services are hosted.
As this is an annual certification process, keeping systems up to date is all the more important as it can help to minimise work at the point of the next assessment. However, some might wonder if it is worth the effort and expense.
The point here is that this is becoming a de-facto standard for many businesses which now demand it of their own suppliers (including legal advisors) making it an increasingly large barrier for those not holding a certificate.
Being proactive here carries benefits too. Your firm’s systems will be better protected by virtue of being maintained at the suppliers’ recommended levels rather than lagging behind where vulnerabilities may make them more susceptible to attack. Your firm will also be able to tell prospective clients that it is already certified with Cyber Essentials Plus, making the point that it takes cyber security seriously and is already following best practice… hole fixed!
Paul Longhurst is a director of 3Kites. This is the 11th article in the series Navigating Legaltech
About 3Kites and Kemp IT Law
3Kites is an independent consultancy, which is to say that we have no ties or arrangements with any suppliers so that we can provide our clients with unfettered advice. We have been operating since 2006 and our consultants include former law firm partners (one a managing partner), a GC, two law firm IT Directors and an owner of a practice management company. This blend of skills and experience puts us in a unique position when providing advice on IT strategy, fractional IT management, knowledge management, product selections, process review (including the legal process) and more besides. 3Kites often works closely with Kemp IT Law (KITL), a boutique law firm offering its clients advice on IT services and related areas such as GDPR. Where relevant (eg when discussing cloud computing in a future article) this column may include content from the team at KITL to provide readers with a broader perspective including any regulatory considerations.