Cyber Essentials at UK MOD: the beginning of a critical mass?

The UK’s Cyber Essentials Scheme took a major step forward at the beginning of this year when the UK Ministry of Defence (MOD) mandated that its suppliers need to have obtained a Cyber Essentials certificate before they are able to undertake certain contracts.

This news has been coming for quite a while but judging by some reaction to this mandating of Cyber Essentials, it appears to have caught some by surprise.

What exactly has been mandated?

MOD states:

UK Ministry of Defence (MOD) logo“For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.”

The introduction of Cyber Essentials comes as a precursor to the forthcoming Cyber Security Defence Model (CSM). For full details see the Tech UK website.

Why we support the move?

As the name implies, Cyber Essentials is just about the essentials, and for most organisations it should really be a matter of good housekeeping. The Scheme is designed so that organisations can take a Do-It-Yourself approach, but you can alternatively seek external consultancy support if needed.

The five controls in the Scheme should not be too taxing to achieve. For those organisations yet to achieve Cyber Essentials, a good starting point would be to undertake a simple gap analysis of what they do currently; whether this meets the criteria; and if not, identify and implement what they need to change to satisfy the requirements.

One of the ironies of the relatively low-take up of the Cyber Essentials Scheme to this point is, perhaps, a perception that as the bar is set relatively low to achieve the standard, it therefore has less value. However, reports are that in the first year of its existence almost half of those applying for the scheme were unsuccessful.

Two of my favourite aspects of the Scheme are that:

  1. An organisation needs to renew their certification annually – so practices are regularly reviewed to ensure that the necessary controls are in place;
  2. The Scheme encourages devolved responsibility to appropriate parties within the organisation – following the old mantra that cyber security is not someone’s responsibility it is everyone’s!

A long-time supporter of Cyber Essentials

Cyber Essentials logoNexor has been a long-time supporter of the Cyber Essentials Scheme, as we see the benefits to both individual organisations and within the industry as a whole.

We facilitated the very first consultation of the draft Scheme at one of our IISP regional forums.

When the Scheme was introduced in June 2014, Nexor was one of the first organisations to successfully achieve Cyber Essentials, so we blogged about our experiences of going through the certification process to share with others what we had learnt.

Then a year ago we helped spread the word by making Cyber Essentials the topic of a very well attended evening at our East Midlands Cyber Security Forum.

What impact will Cyber Essentials have on your organisation?

Back in November 2013 my colleague, Colin Robbins, wrote this on the introduction of another cyber security scheme:

“Will the approach succeed? In my view it has every chance, but the critical success factor is adherence being mandated in government contracts. This mandate is essential to drive adoption toward a critical mass.”

This is where we are now.

If you are a UK supplier, quite simply you must get your organisation certified – end of discussion! The requirement is only going to become more and more pressing for the survival of your business.

Whilst the UK MOD has made it mandatory across all its relevant contracts, it is only a matter of time surely before this approach is adopted by other UK Government departments and agencies. We are already seeing the increasing requirement on a contract by contract basis, not only for ourselves, but for our own supply chain too.

For those outside the UK: suppliers should definitely consider getting the standard if they want to partake in the UK market; end-users should look upon the UK as a leader in tackling cyber security across the board and feel safer doing business with suppliers who hold Cyber Essentials certification.

So don’t delay, start your journey now!  Find out more about the Cyber Essentials Scheme.