If infrastructure or systems fail to meet expectations, cost more than planned to operate, or are unreliable and do not work well, they create uncertainty and pose significant technology risk. There is also risk in the use of third-party suppliers, as many firms routinely engage third parties to perform administration or HR services. Outsourcing can bring efficiencies and a competitive edge, but it can also increase a firm’s exposure to risk, and the ultimate responsibility still lies with the firm. Add to this the forthcoming GDPR regulations, which affect any firm that has clients doing business in the UK, fragile reputations and the ever-present threat of misconduct or fraudulent activity, and firms have a lot of risks to mitigate.
In addition to the risks above, cybersecurity threats are part of everyday life and pose a serious danger. They may originate with employees making errors, falling prey to phishing attacks, or deliberately acting maliciously; they can also come from outside the firm or via third parties, and they are ever present. Under GDPR, firms can be prosecuted if customer data is breached and the data is found not to have been adequately protected. But are firms doing enough to mitigate cybersecurity risks?
According to the Ipsos MORI Cyber Security Breaches Survey published in April 2017, only 33% of senior managers surveyed have a formal policy that covers cybersecurity risks, and only 11% have a cyber security incident management plan in place.
Only 1 in 3 firms have a formal cybersecurity risk policy in place!
If you decide to make a plan, it should include detailed infrastructure mapping, with weaknesses highlighted and mitigated using appropriate tools. Where outsourced services interface with in-house systems, it is imperative to ensure these boundaries are not weak spots. The same survey reports that 19% of respondents are worried about their suppliers’ cybersecurity, but only 13% require suppliers to adhere to specific cybersecurity standards or best practice.
RFA is fully certified as an IASME Certification Body, which means we are trained and licensed to certify against both the UK’s Cyber Essentials Plus scheme and the IASME governance standard. As expert GDPR auditors, we offer consultancy services that help our customers achieve a robust governance system and adequately protected data that meets GDPR regulations. We provide guidance on developing a risk strategy and a staff training policy, and we advise on implementing the right security hardware and software infrastructure and on building a well-trained cyber incident response team.
For smaller firms, cybersecurity risk management can feel like a huge task, but there are a few foolproof steps that you can take:
Certification to Cyber Essentials and Cyber Essentials Plus is a great first step and can mitigate ICO fines if a company suffers a breach. Cyber Essentials certification is evidence that you have carried out the basic steps towards protecting your business and your data from internet-based cyber-attacks, both for peace of mind and for GDPR compliance. RFA can assess and certify firms for Cyber Essentials and for the next level, Cyber Essentials Plus.
Run a supply chain audit to ensure that all third parties that work with the firm are compliant. Individual accountability means that ignorance is not an option if one of your systems is not compliant or secure.
Lastly, embed risk management into the fabric of the business. Include cybersecurity in employee induction training, refresh that training regularly, and keep it on the agenda at board meetings.