IT suppliers must meet cyber security standard

Tuesday 30 September 2014

From the start of next month, all suppliers of IT services to the government must follow a cyber security standard.

This means that any limited companies, sole traders or other small businesses that supply IT to the state will have to be compliant with the new Cyber Essentials controls. The standard must be applied if they are bidding for contracts that involve handling sensitive and personal information or providing certain technical products or services. It comes into effect on October 1st.

The scheme was developed by the government, which consulted the IT industry for advice on how it should work. Cyber Essentials is designed to offer a sound foundation for basic cyber cleanliness and, if properly implemented, can help to significantly reduce how vulnerable a company is to a security breach.

There are five controls involved in the scheme that can be used in organisations of all sizes and help to protect them from the most prevalent types of cyber security threat that have been coming in from the internet.

The scheme was launched in June and has been taken up by a number of enterprises of different sizes. These include large companies such as Hewlett Packard (HP), BAE Systems and Vodafone as well as smaller firms such as Skyscape, Tier 3 and Nexor.

Cabinet Office minister Francis Maude said: "It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain. Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack. Businesses can demonstrate that they take this issue seriously and that they have met government requirements to respond to the threat. Gaining this kind of accreditation will also demonstrate to non-government customers a business’s clear stance on cyber security.

"Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt, and I encourage them to do so."

Some companies, such as insurance firm AIG, have been offering incentives to businesses which become certified with Cyber Essentials. Meanwhile, HP has demanded that its supply chain also adopts the scheme.

The government has put forward two levels of assurance to make sure that the scheme is flexible and affordable for all businesses. These are Cyber Essentials and Cyber Essentials Plus.

Companies which are successful in meeting the requirements of whichever scheme they take on will be given a certificate and will be able to display the relevant badge on their marketing material, whether that is for Cyber Essentials or Cyber Essentials Plus. This would be useful for people who are thinking of setting up a business in IT.

A new accreditation body has been appointed that can help to meet demand from businesses which want to get Cyber Essentials. It will be joining CREST and the IASME Consortium, which will be appointing firms that can certify company applications.

The Cyber Essentials mandate will provide more protection for information that is handled by the government and should also encourage companies in the technology industry to adopt the scheme widely.

By Victoria McDonnell
