Cyber Essentials has been on the lips of anyone concerned with cyber security since the government introduced the scheme in 2014.
Organisations in all sectors and of all sizes can benefit from Cyber Essentials, but it is mandatory for certain government contracts, specifically those involving the handling of personal information and the provision of certain ICT products and services. This has various implications across the public sector, including for Jisc’s members in education and research.
Cyber Essentials for education funding and research
The number of education organisations achieving cyber security certifications has increased significantly in the last year. In November 2019, the National Cyber Security Centre (NCSC) reported that the proportion of UK universities holding Cyber Essentials certification had risen from 14% to 40% over the preceding 12 months, and our 2020 cyber security posture survey shows that only 7% of further education (FE) organisations had Cyber Essentials in place in 2017, compared to 49% this year. That’s another huge increase.
So what’s behind this rise?
Progress has been largely driven by government policies and funding requirements. For example, in January 2020 the Education and Skills Funding Agency (ESFA) announced that it had reviewed the data security requirements in its FE funding agreements: organisations must gain Cyber Essentials certification for the 2020/21 funding year, progressing to Cyber Essentials Plus for 2021/22. So, money. A big driver for any institution.
Cyber Essentials Plus is now also included in the Data Security and Protection Toolkit (DSPT), which applies to research groups that require access to NHS Digital’s health data for English patients. Whilst Cyber Essentials Plus isn’t mandated directly, the DSPT states that organisations must have the equivalent of the certification. Where an organisation has already achieved Cyber Essentials Plus, some of the assurances needed to obtain this NHS data are automatically covered. It is therefore worth considering completing the certification in good time for the March 2021 deadline. Compliance here is another big incentive.
Certification as a ‘good exercise’
Burnley College required Cyber Essentials Plus for its National Careers Service (NCS) work, which offers resources and advice to young people seeking the right career after college. The certification was a stipulation from the parent company that holds the NCS contract. In order to comply quickly, the IT team at Burnley decided to initially limit the Cyber Essentials Plus scope to the separate NCS network, which consists of a number of client machines and staff members and has its own internet connection and firewall.
Supply chain confidence is another good reason to get Cyber Essentials.
Last year, following the positive experience of the NCS certification and an onsite Cyber Essentials Plus assessment, Matthew Nuttall, the network services and IT support manager, and Nick Williams, the network administrator at the college, decided to go the whole hog and get the rest of the college network certified for Cyber Essentials. They say:
“Benefits of the initial project included understanding more about how using Microsoft Azure for patch management and multi-factor authentication, and updating policies and procedures to include more detail on security expectations - such as a ‘clean desk’ policy - would be of value to the wider organisation.”
“The process of becoming Cyber Essentials certified was a good exercise, and firmly put cyber security on senior management’s radar.”
This included highlighting the need for funding and support to bring in a cyber security partner, to bolster the coverage already provided by existing college staff.
Broader cyber security buy-in and investment are on every cyber security professional’s wish list!
Milton Keynes College also underwent Cyber Essentials Plus certification for its Prison Education Framework (PEF) work, where the certification is a contractual requirement for delivering education programmes in 19 prisons across England. Jon Wilson, head of information services at the college, said:
“As well as allowing us to maintain our prison education programme over the past three years, obtaining Cyber Essentials Plus has also included some unexpected wins.”
Patch and vulnerability management were of particular interest: the robust policies that came out of the Cyber Essentials Plus journey allowed the college to pursue a risk-based approach and secure all of its hardware and software assets. Jon continues:
“Since obtaining Cyber Essentials Plus for the PEF, we have rolled it out across the entire organisation. We have realised the wider benefits of the certification process in managing information security risks, and it has also been a useful milestone on the path to ISO27001 certification.”
ISO27001: the elephant in the room. Anything that helps pave the way for that kind of undertaking has got to be a good thing.
Steps towards improved cyber security
We know that for our members, cyber security is a key concern and is appearing more widely on institutional risk registers. Security is growing in terms of budgets, resources, training and senior management attention, especially given recent high-profile breaches in the sector. Members we have spoken to about Cyber Essentials and Cyber Essentials Plus are often using the assessments to establish a baseline for their security controls, either for a particular project scope, as in the examples above, or for a whole network or organisation, which we highly recommend where possible.
But don’t be daunted. There is support available to our members. If you’re going to take the plunge and implement these controls to protect your organisation against the most common cyber attacks, there are plenty of things we can do to help you through it.
To find out more, sign up for the free-to-attend Jisc security conference, 3-5 November 2020, where Sue Rogers, IT director at St John's College, University of Cambridge, will be talking about the Cyber Essentials accreditation experience. We are also running a Cyber Essentials clinic on day one, run by the experts.