Safe and Certified

May 31, 2014 | Last updated on October 1, 2024
Angela Stelmakowich, Editor

The United Kingdom may have a jolly good idea turned scheme turned potential competitive advantage when it comes to cyber security.

The U.K. government’s Cyber Essentials (CE) scheme – which was introduced in April and went live June 5 – is meant to help businesses defend against cyber threats. Should businesses that become CE-certified opt for a little crowing thereafter, perhaps securing some competitive advantage, so be it.

The U.K.’s Department for Business, Innovation & Skills reports there had previously been no single recognized cyber security assurance certification suitable for all businesses to adopt. It seems that those days are over.

So, too, are the days when suppliers bidding for contracts involving handling of personal and sensitive information get the job. Come October 1, the U.K. government will require all such suppliers – likely IT-managed or outsourced services, commercial services, financial services, legal services, HR services and business services – to be certified.

Any company that obtains a CE badge will be able to advertise that it takes cyber security seriously – boosting reputations and providing a competitive selling point, the government statement argues.

With the world (individuals and businesses) relying so thoroughly on the cyber scene these days – and with hackers, fraudsters and others with ill intent forever at the ready to take advantage of weak links – it seems a safe move.

A recent study released by the Center for Strategic and International Studies, and sponsored by McAfee Inc., estimates the cost of cyber crime at US$445 billion. The report found that global losses connected to “personal information” breaches could reach US$160 billion.

Here at home, PwC recently reported that 36% of polled Canadian respondents said their businesses were subject to economic crime, up from 32% in 2011. Cyber crime was listed as one of the top five economic crimes, with 22% of respondents noting their firms had been victims.

Recent attacks and hacks “show how far cyber criminals will go to steal people’s financial details, and we absolutely cannot afford to be complacent,” says U.K. universities and science minister David Willetts.

“We know from recent research that a significant proportion of businesses, of all sizes, are not deploying a number of basic security controls, leaving them exposed to this increasing threat,” Mark Brown, director of information security at EY (Ernst & Young), says, commenting on the new scheme.

But “businesses should not view this scheme as a complete solution, as it only addresses the basic controls,” Brown cautions.

“Businesses need to make sure they are going above and beyond this to ensure they are fully protected,” he adds.

Some insurers certainly see value in the scheme, which is being backed by AIG, Marsh, Swiss Re, the British Insurance Brokers’ Association and the International Underwriting Association. Some insurers, in fact, are offering incentives to businesses to become certified, the statement notes.

“As part of our commitment to the program, we will incorporate Cyber Essentials into our risk assessment process for new cyber insurance policies, offering preferential rates to those prospective AIG clients who have obtained a Cyber Essentials Certificate as part of our commitment to superior cyber hygiene and overall cyber risk management,” Jamie Bouloux, cyber liability underwriting manager for AIG, says in the government statement.

The scheme is food for thought in Canada, especially for a country that does not have mandatory breach notification for organizations to disclose information to affected individuals. Alberta requires notifications of breaches to the provincial privacy commissioner, which can issue fines for businesses, and Manitoba is looking to introduce legislation to make it mandatory for organizations to notify affected individuals.

Baby steps, but these are always the first in charting a new, wider path.