Cybersecurity is a top priority for organisations of all sizes, particularly given the increased reliance on digital services. For SMEs with limited technical knowledge and resources, the path to protection may seem complex. But it cannot be ignored. One organisation helping SMEs on their cybersecurity journeys is IASME, the UK Government’s Cyber Essentials Partner. In this Q&A, Dr Emma Philpott, CEO of IASME Consortium, tells us more about the company and how it is helping SMEs across the UK to get cyber certified.
Can you give us an overview of IASME and its core aims?
IASME was founded on the principle that basic cybersecurity is an essential requirement for the supply chains of all organisations. It all started with the IASME Governance standard, first developed through a UK Government funded project to develop an alternative to ISO27001 for small companies. Since then, IASME has championed the interests of SMEs and has been especially successful at engaging micro and small organisations in cybersecurity education and improvement.
IASME helped write what would become Cyber Essentials, the UK Government basic level certification scheme, and worked to develop and co-deliver the scheme for several years. Following a commercial tender process in April 2020, IASME was chosen by the National Cyber Security Centre (NCSC) to take over full responsibility for Cyber Essentials delivery and became the government’s Cyber Essentials Partner.
Today, IASME works alongside a network of more than 250 certification bodies across the UK and Crown Dependencies to help organisations of all sizes protect themselves against cyberattack and fraud. IASME is committed to helping businesses improve their cybersecurity, risk management and good governance through an effective and accessible range of certifications.
Already this year, IASME has launched two new schemes: the IoT Security Assured scheme for certifying Internet of Things (IoT) products, and the first of its kind, Counter Fraud Fundamentals scheme, developed in partnership with the Open Banking Implementation Entity for certifying organisations in that have the most important counter fraud controls in place.
IASME is also proud to celebrate diversity and inclusivity. Its team is one of the most gender and neuro-diverse within the sector, with flexible working conditions a norm years before working from home became a necessity. The company is headed by, and 60% owned by, women and the board of directors is 50% female. Also, 40% of the management team is female and 68% of the employees are identified as neuro-diverse.
What are some of the main cyber-risks to SMEs?
More businesses than ever operate online with their services accessible digitally. The pandemic is said to have advanced our dependency on the digital world by 10 years due to the closure of shops and remote working. This has meant an increase in the very significant threat of cybercrime which effects almost every modern business. The threat could mean anything from a virus affecting how a computer operates to loss of access to all data in ransomware attack. The worst case for most businesses would be the loss or damage of personal data which could result in an investigation by the ICO.
The majority of cyberattacks are untargeted and use freely available tools which are simple to use but can affect many thousands of businesses or individuals in one go. For example, 90% of cyberattacks start with an email commonly known as phishing emails. These untargeted attacks exploit basic weaknesses that can be found in many organisations such as poorly configured systems, software that hasn’t been updated and old computer systems that are no longer supported by their suppliers.
The Cyber Essentials controls will help an organisation defend against this type of attack. Cyber Essentials consists of five simple controls that will reduce the impact of common cyber-attack approaches by up to 80%. Cyber Essentials is not only simple, it is low cost. For many businesses, the protections they need to put in place are probably already there, they just need to be switched on.
Even if a business has some basics in place, cybercriminals can find their way in by using the weakest link in the chain. Some of the most publicised attacks have been as a result of a breach in the business’ supply chain and businesses should think that they are as strong as their weakest link.
An important fact to remember is that only about 5% of cybercrime is targeted – the rest is indiscriminate and opportunist. IASME Governance is a comprehensive yet affordable risk-based standard for SMEs that covers the five core controls of Cyber Essentials as well as additional best practice information security principles. These include risk assessment, policies and procedures, staff training and GDPR requirements. Other important areas that are fundamental for a modern business include backing up files, incident response and recovery planning.
What are the key objectives for SMEs who choose to work with you?
Organisations wishing to certify their business or product to one of our schemes are usually motivated by two key factors.
First, they want to prioritise cybersecurity and data protection as these are considered important. Certification gives them a clear and affordable way to prove they are doing everything they should.
Second, contracts, funding and grants are increasingly stipulating that a company has Cyber Essentials certification as a pre-requisite. Having a certification also demonstrates to customers, those in your supply chain and other stakeholders that you are taking cybersecurity seriously. Companies that get Cyber Essentials and IASME Governance are listed on our directory of certified organisations.
What do you consider the main benefits for SMEs who obtain certification?
The preparation and process of getting certified to Cyber Essentials or IASME Governance will give an organisation a clear picture of their cybersecurity and an opportunity to improve. Benefits include:
- Certification gives SMEs the peace of mind and the outward reassurance that they have implemented the core controls that help reduce the risk of cyberattacks
- SMEs with a turnover of less than £20 million who certify their whole organisation to Cyber Essentials get included Cyber Security insurance worth £25,000
- More and more contracts are asking businesses to prove they are managing their information security. Getting certified is a straightforward way of demonstrating that a business has its house in order.
What are some of the barriers to this training/certification and how do you work with end users to overcome these?
Many small businesses have usually got all their resources tied up running the business rather than focused on IT and cybersecurity. Most people understand cybersecurity to be part and parcel of technology, and if their business is not associated with IT and they are not a person that understands technology, this could be something that they worry about.
The barrier to understanding things associated with technology for non tech people can be significant and this common block is something that needs to be understood if we want people to start on their essential journey into cybersecurity.
Until recently, much of the cybersecurity information guidance started at too high a level for those with no IT background. Small businesses have asked for a tool that can help them review their current level of protection so they can obtain targeted advice on next steps. IASME has responded to this need by developing a free online tool with basic level guidance to the five core controls and related topics written in ‘plain English’.
We are also adapting our guidance to include the education sector and are working towards making the Cyber Essentials journey tailored and accessible for schools and colleges.
How do you help reduce technical complexity for SMEs?
This is something we are particularly focused on, through the accessible presentation of guidance, blogs and webinars/ seminars as well as the already mentioned Cyber Essentials readiness tool that launches this month.
The readiness tool is accessible in the form of a free of charge set of questions on the IASME website. The process of working through the questions will inform a business owner about their own level of understanding and what aspects they need to focus on. They will be directed towards the appropriate guidance based on their answers to the questions. Upon completion, the business owner will understand their level of preparedness for undertaking Cyber Essentials and will be presented with a tailored action plan and detailed guidance for the additional requirements or steps there are still to achieve.
Although accomplishing Cyber Essentials is the end goal, it may be that there are many steps along the way that need to come first. Small spoonfuls of information about cybersecurity will be available, allowing someone who describes themselves as ‘non-tech’ to learn at their own pace.
How far is consumer demand for trusted, secure services impacting SMEs’ approach/strategy?
Consumers are becoming increasingly aware of the threats from cybercrime and they do not want their username/passwords compromised, their data stolen or their account hacked. Organisations need to be seen and prove that they are taking cybersecurity seriously. This is reflected in the steps being taken by the UK Government to bring in new legislation around the security of consumer IoT devices.
Both our new schemes, the IoT Security Assured and the Counter Fraud Fundamentals are there to help protect customers and to assist them in identifying organisations that can prove they have the fundamentals in place.
What advice would you offer SMEs for delivering impactful security awareness training?
Effective security training has to be meaningful to all staff. Training should be made relevant to the business which will engage staff by making situations real.
As we mentioned, 90% of cyberattacks start with emails so start training there, encourage staff to take their time before responding to a request to ‘click the link’ or ‘open the document’.
Then, as the business develops its security processes, training requirements will become apparent.