In this information age, it’s no longer unusual to hear people talking about data as the world’s most valuable resource. Driven by access to data and the ability to transform information, we are seeing exciting new possibilities with the potential to change practically every aspect of the way we live.
So the question is, why don’t we have the world’s best security to protect our world’s most valuable resource? It seems recklessly naïve to leave such riches on display with the door half locked.
Part of the difficulty for ordinary (or even IT-savvy) individuals and organisations is that it’s hard to keep in mind just how valuable and vulnerable our data really is. Intangible data can seem a less than convincing source of wealth for some. Spare a thought also for those who have to juggle the demands of continued investment in cybersecurity with stretched funds and the further demands of buildings to maintain, people to look after, and unexpected global pandemics to negotiate. The result is that many organisations will deal with their cybersecurity as a reaction to a breach in their defences – not as a prevention.
This is an approach that our health care systems and education institutions, who rely on the enormous volumes of data that are created every day, cannot afford. They rely on data being confidential, safe, and above all, available. This is where UK cybersecurity standards step in, providing a benchmark for the very least we should be doing.
Basic standards and beyond
The main cybersecurity standard bearer is the National Cyber Security Centre (NCSC) Cyber Essentials scheme. An additional standard for healthcare also exists in the form of the NHS Digital Data Security and Protection Toolkit (DSPT).
Compliance with the government’s NCSC Cyber Essentials demonstrates that your organisation has taken basic measures to mitigate cyber threats. Certification brings the benefits of creating confidence in the organisation, strengthening the brand, and opening the door to opportunities which may otherwise have proven elusive. This is particularly true of UK universities bidding to work on research projects with partners who are keen to protect intellectual property. As the name suggests, the NHS Digital Data Security and Protection Toolkit is used by organisations with access to NHS patient data and systems and is a mandatory requirement.
Both of these sets of standards are valuable in their own right and provide good foundations for cybersecurity, but simply aiming for compliance is not enough. The NCSC itself is aware of the shortcomings of its Cyber Essentials scheme in terms of influencing real cybersecurity improvements:
“Genuine attitudinal or behavioural change as a result of becoming certified seems to be restricted to smaller and more newly established organisations. Larger organisations are more likely to see the scheme as a seal of approval of what they already do.” NCSC, 2020
The necessary limitations of these schemes mean we should be aiming for them to be a springboard to much better cybersecurity rather than the endpoint. Organisations that consider cybersecurity ‘done’ once the certificate has been awarded will almost certainly be leaving gaps unplugged. It’s obviously not possible for a one-size-fits-all approach to cover every organisation’s structure, goals, or IT architecture. Life is never that simple – organisations are idiosyncratic in their weaknesses, cyber threats will continue to evolve, and the demands on IT and cybersecurity teams will follow suit.
The good news is that there is an opportunity to add value to your organisation while also ticking the compliance box. A holistic review of your organisation’s cybersecurity may reveal that integrating disparate systems, improving visibility of cyber activity, or using centralised management and reporting tools could improve the time to detect and deal with malicious activity - going beyond simply achieving compliance, to comprehensively secure your most valuable assets.
Ask for help
The truth is that every weakness in your cyber perimeter leaves your data open to theft and your organisation vulnerable, regardless of your certification level.
ITGL’s expertise in improving cybersecurity within the UK education and healthcare sectors allows us to give specialist help to organisations wanting to invest in NCSC and NHS Digital cybersecurity accreditation and, vitally, to extend security where it is needed.
Our Cyber Security Guidance 2021 publication for organisations working towards NCSC Cyber Essentials certification is free to download and can get you started in identifying the gaps in your security strategy. If you would like help aligning with DSPT or Cyber Essentials or would like to better understand your existing risk, you can also talk to us at email@example.com.
ITGL Cyber Security Practice
ITGL was founded on a desire to combat cyber criminality. Over the years, it has built a world-class cyber security practice, dedicated to protecting the well-being and reputation of its clients, through addressing the spectrum of human, operational, and technological cyber risk vectors.