New research* from the South West’s leading cyber security compliance specialist, Exeter-based Securious, has revealed that fewer than 5% of the region’s largest businesses have achieved Cyber Essentials, the minimum level of cyber security compliance set out by the Government.
Created to help businesses demonstrate that they have technical and organisational controls in place to defend against the most common and unsophisticated forms of cyber-attack, Cyber Essentials also helps businesses meet their GDPR requirements.
It enables businesses to demonstrate that they have frameworks in place to protect the integrity and confidentiality of data through the use of appropriate security and protocols for processing data.
Securious, which became the first company in the South West to qualify as a certification body for the Government’s Cyber Essentials programme, believes that companies without Cyber Essentials or higher levels of accreditation run the risk of becoming uncompetitive as well as possible victims of cyber crime.
Pete Woodward, founder of Securious, commented: “Our research shows that out of the region’s top 150 companies, fewer than 5% have adopted the Government’s Cyber Essentials accreditation process.
“Cyber security certification is required by an increasing number of Government departments, local authorities, large companies and organisations. Businesses failing to adopt compliance, be that through the adoption of Cyber Essentials or ISO 27001:2013, are therefore putting themselves at a significant commercial disadvantage. They also run the risk of attacks from viruses such as WannaCry and the ransomware virus, Petya, which had disastrous implications for companies across Europe, the Middle East and the US, only last year.
“With new regulations coming into effect on the 25th May 2018 – whereby breaches have to be reported in under 72 hours, and fines of up to 20 million euros (or 4% of the total annual turnover of the preceding year) can be levied if a data subject’s rights are breached – cyber security has never been more relevant. We hope that this will be the catalyst that encourages businesses in the region to step up to the mark and prove that they are ready for GDPR, by adopting a recognised and respected cyber security accreditation process.”
Despite the low level of compliance among many of the South West’s largest businesses, Securious has seen the number of businesses achieving Cyber Essentials with them rise by 200% between 2016 and 2017.
Pete Woodward commented: “We’re seeing growing numbers of businesses taking cyber security seriously. GDPR has undoubtedly focussed minds, but this shouldn’t be a simple box ticking exercise. Businesses need to be aware of how damaging a data breach can be, not only for their customers, but also for the integrity and long-term commercial viability of any business that fails to put proper cyber security and data protection in place.
“It’s a matter that affects businesses of all sizes. It’s a continuous process that requires constant vigilance and regular reassessment.
“Under the GDPR regulations – which have been put in place to protect Personally Identifiable Information (PII), granting individuals rights over how their data is collected, stored and processed – businesses not only have to comply with GDPR, but they must be able to demonstrate continuous compliance; Cyber Essentials helps to deliver exactly that.”
Cyber Essentials provides an entry level of accreditation that enables businesses to be sure that they have a base level of security in place to defend against up to 80% of common internet attacks. It helps businesses meet GDPR Principle 6 (integrity and confidentiality, ensuring appropriate security) and Article 32 (security of processing).
Businesses that achieve this level of accreditation not only improve their cyber security resilience, but are able to openly show clients, prospects and partners that they have suitable measures in place that are also recognised and rewarded by the insurance industry through preferential premiums.
Smaller businesses are recommended to comply with QG GDPR Fundamentals, a foundation-level GDPR Management System with 17 requirements, including: a data protection policy; objectives; consent; collection, processing and safeguarding of personal data; subject access requests; data portability; restriction of processing; erasure and the use of profiling; training and awareness; complaints; and management review and audits.