This does not mean that you will not be hacked – but it does mean that you are less likely to be the victim of one of the common attacks. This badge will become increasingly important as the government and other organisations start requiring suppliers and partners to gain certification as a prerequisite to conducting business. Certification also entitles you to cyber liability insurance cover, subject to conditions.
Cyber security standards
There are numerous cyber security standards in existence. The best known is ISO 27001 which, although a good governance standard and internationally recognised, has been difficult for many SMEs to achieve because it is designed for larger companies and can be time consuming and expensive. For most SMEs, the following will suffice:
The UK government has recently launched its own standard based on its findings that the majority of successful cyber attacks would have been unsuccessful if five simple technical controls had been implemented by the victims. The Cyber Essentials scheme – again available as either a self-assessed or audited version (Cyber Essentials PLUS) – indicates that these controls are in place. Certification is becoming prerequisite to tendering for public sector contracts. Get Safe Online is a Cyber Essentials certified organisation.
More information on Cyber Essentials can be found here.
The IASME (Information Assurance for Small and Medium Enterprises) standard has been developed using UK government funding with the objective of finding a more viable alternative for smaller organisations. It has been piloted with numerous small companies and now is available either as a self-assessment or a fully audited assessment via IASME. The standard focuses on governance. It requires the existence of such elements as a security policy, staff awareness, business continuity plans and backup processes. These aspects ensure that you are managing you security and understand your risk.
More information on the IASME standard can be found here.
Your organisation can complete both Cyber Essentials and IASME self-assessment at the same time in a combined set of questions for the same price as just Cyber Essentials. This indicates that you have both the detailed technical controls and also the wider governance in place. All of the self-assessment questions are available to download free of charge in advance to enable familiarisation and testing.
Free questions download
You can download the questions for both the Cyber Essentials and IASME self-assessment free of charge. Please note that the IASME self-assessment includes the Cyber Essentials questions within it. Click here to download.
Automatic cyber liability insurance via IASME
When an organisation with a turnover under £20,000,000 achieves self-assessed certification via IASME to either the basic level of Cyber Essentials or the IASME Standard, they are automatically awarded Cyber Liability Insurance, terms apply. They will not need to pay any extra money or complete any additional forms.
The cover, underwritten by AIG and brokered through Sutcliffe & Co, can be briefly described as follows:
£25,000 limit of indemnity covering:
- Event Management
Costs to engage legal, IT forensics, data restoration, reputational protection, notification costs and credit and ID monitoring services following an actual or suspected breach of personal or corporate information, an IT security or system failure
- Data Protection Obligations
Insurers will pay:
- Defence costs in respect of a regulatory investigation, and;
- Any lawfully insurable data protection fines that the company is legally liable to pay in respect of such regulatory investigation with regards to a breach of data protection legislation
Damages and defence costs arising from:
- An actual or alleged breach of data
- An actual or alleged security failure
- The failure to notify a data subject and/or any regulator of a breach of personal information in accordance with the requirements of data protection legislation
- An actual or alleged breach of duty by the information holder in respect of the processing information (for which the company is responsible) on behalf of the company
A major breach may well require more than the £25,000 cover. Higher limits of indemnity and extensions to the cover are available on request.