U.K. Rolls Out Cybersecurity Scheme; Mandatory for Government Procurement

By Ali Qassim  

June 6 --Businesses in the U.K. will be able to show consumers that they have taken measures to help defend themselves against common cyberthreats following the June 5 official launch of the U.K. government's cybersecurity scheme, according to the U.K. Department for Business, Innovation& Skills.

The Cyber Essentials scheme will differ from the U.S. government's cybersecurity framework, which was rolled out in February , because the U.K. framework will be mandatory, not voluntary. Beginning Oct. 1, 2014, “all suppliers bidding for certain personal and sensitive information handling contracts” will have to be certified under the scheme, the department said in a June 5 statement.

The rollout of the Cyber Essentials scheme, which includes an “Assurance Framework” aimed for businesses seeking to demonstrate compliance through an independent certification, was anticipated by the government in April alongside a call for evidence on parts of the framework.

Financial Need to Combat Cybercrime

The feedback from a call for evidence in 2013 concluded that none of the existing organizational standards for cybersecurity met today's set of threats, the department said.

The recent attacks by malicious software schemes “Gameover Zeus” and “Cryptolocker” (see related report), as well as the recent hacking attack on online marketplace eBay, “show how far cyber criminals will go to steal people's financial details, and we absolutely cannot afford to be complacent,” University and Science Minister David Willetts said in the department's statement.

Supporting the need for the Cyber Essentials scheme, Mike Cherry, national policy chairman of the U.K.’s Federation of Small Businesses, said in the statement that the federation's research found that cybercrime costs small businesses around 800 million pounds ($1.34 billion) every year.

Welcoming the scheme, U.K. Information Commissioner Christopher Graham said in a June 5 statement that “protecting personal data depends on good cyber security, and the threats and challenges are getting ever more sophisticated.”

Stressing that “all too often organizations fail at the basics,” Graham said the scheme focuses on “the core set of actions that businesses should be taking to protect themselves, their customers, and their brand.”

Multinationals Apply for Awards

The first businesses to apply for a Cyber Essentials scheme award include defense organization BAE Systems Plc, U.K. banking giant Barclays Plc and software and computer products provider Hewlett-Packard Co., the Department for Business, Innovation & Skills said.

The scheme will provide two levels of assurance--“Cyber Essentials” and “Cyber Essentials Plus”--depending on the size of the organization and to provide lower-cost alternatives to small businesses, universities, charities and the public sector.

The department has released guidance to help organizations to self-assess themselves ahead of gaining formal certification.

The government suppliers most likely to be affected by the mandatory requirement to become certified are information technology-managed or outsourced services, commercial services, financial services, legal services, human resource services and business services, according to the department.

 

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com


Information on the Cyber Essentials scheme, including guidance for organizations, is available at https://www.cyberstreetwise.com/cyberessentials/.

The “Cyber Essentials Scheme Assurance Framework” is available at https://www.cyberstreetwise.com/cyberessentials/files/assurance-framework.pdf.

The guidance document, “Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks,” is available at https://www.cyberstreetwise.com/cyberessentials/files/requirements.pdf.