With enforcement of the EU General Data Protection Regulation (GDPR) in the offing, organizations are busy preparing for a new era in privacy regulation. But UK companies that are Cyber Essentials certified are at an advantage, according to Jamie Akhtar, co-founder and CEO of UK-based cybersecurity startup CyberSmart.
“Cyber Essentials provides the baseline for standards like GDPR, HIPAA, NIST, PCI-DSS and ISO 27001, because you can demonstrate that you have taken care of the biggest risk areas. It actually forms that technical baseline to build on top of your policies, risk assessments and your business continuity,” Akhtar said during the CompTIA webinar titled “You have 99 problems, but cybersecurity isn’t one of them.”
Cyber Essentials is a UK government-backed certification under which organizations in the UK implement a set of basic technical controls to protect themselves against cyberattacks, he explained. To develop Cyber Essentials, which was introduced in 2014, the UK government worked with the Information Assurance for Small and Medium Enterprises consortium and the Information Security Forum. The UK government claimed that putting these simple cybersecurity controls in place would stop 80% of all attacks on businesses, he said.
The aim of being Cyber Essentials certified is to help organizations safeguard sensitive data by implementing reasonable security measures, much like the GDPR requirements that aim to strengthen data protection, Akhtar added. The lessons Cyber Essentials preaches can also help companies around the globe as they strive to meet the GDPR’s data protection requirements and other compliance regulations like it, he said.
Akhtar called the implementation of GDPR a long overdue, important change to how legislators address data protection.
“Over the last couple of decades it’s kind of been like the Wild West of data,” he said. “Companies have gathered data, stored data, but they haven’t really taken good care of it. With more and more of our lives becoming digital … the more important data protection and privacy is.”
The Cyber Essentials security standard spans five security control areas, he added:
- Boundary firewalls and internet gateways: Making them an integral part of network security helps prevent attackers from reaching computers with vulnerable software installed.
- Secure configuration: This helps minimize the potential exploitation of vulnerabilities. Steps include fundamental cyber hygiene such as avoiding the use of default passwords.
- User access control: Organizations must ensure everyone has the appropriate access to data for the role that they are performing.
- Malware protection: Organizations must make sure that virus and malware protection is installed and is up to date.
- Patch management: Timely application of patches should be a priority for preventing breaches.
“The big benefit [of being Cyber Essentials certified] is building customer confidence in you as a service delivery provider, showing them that you have those credentials and that you take security seriously,” Akhtar said.