I am joined by Joanna Goddard and she’s the director of programs at BRIM.
And you’re here to tell me a bit about structuring cyber security within the UK government and I’m quite interested in that and I’ve got a few questions.
How do we make the supply chain safer for all?
It’s a key challenge across the UK and, critically at this time, our supply chain, the small to medium-sized businesses, is rapidly changing. We know that we’ve got distilleries who are now churning out hand sanitisers, critical in our National Health Service supply chain.
So I think it’s a topic that everybody understands. It is a real day-to-day critical need and is very, very difficult because those small to medium-sized businesses in particular don’t necessarily have large IT and security teams or resources. They understand that, particularly if they have changed what they are manufacturing at the moment.
So with what they’re delivering, they might be a higher target for cyber criminals to try and paralyse their business and hold them to ransom, so it is very difficult, under immense pressure, under very difficult operating circumstances, to be able to find a way to make sure that they are more cyber resilient.
So through the network of Cyber Resilience Centres we have this trusted, structured organisation within it, with trusted partners, who are the certifying bodies and who can provide you with the government’s standard for cyber resilience, and it collectively brings those people together to make sure that the quality of assurance and standard of those certifying bodies, which all runs through IASME nationally, is maintained.
The government appointed IASME to be the one point of contact for that, so the quality assurance and the level of it is there. So we now have that process in the UK and it is just imperative that we reach as many small and medium-sized businesses as possible and help them navigate through it. So that is the process, if you like; it’s structured and should be quite simple for a small business to navigate, understanding that notably their day-to-day pressures of running a business are pretty immense at the moment.
Where do I start then on my cyber resilience journey if I am a small business and I want to work with large businesses and secure their supply chains, like how? Where do I start with this?
Achieving Cyber Essentials accreditation, and there are two different levels: there is one which is a self-certification process where you can learn some of the basics yourself and understand, take yourself through that; and then there’s one with a certifying body who come in and take you through another set of processes and tests and take you through to accreditation.
Those are structured; they sort of have a beginning, a middle and an end. You can’t become complacent about these; you need to renew it on a regular basis. But I think there’s a lot of confusion across the cyber security industry for small and medium-sized businesses in particular, where they understand the risks and they understand the point; these are smart business people who have grown successful businesses.
Very woolly consultancy can leave them muddled, with huge reports that tell them what’s wrong with the business, but they just don’t have the time to process that and navigate it. Achieving Cyber Essentials is a really structured way to put some robust measures in, and of the businesses where I have been involved, watching what actually happened, the feedback is that there are strong learnings from the process. They understand it better and, whilst still on the day-to-day business, they are starting to build a longer-term cyber resilience plan. So it is a really good starting point on a journey that actually helps them achieve some improved resilience.
Where do I find someone to help me get started with the National Cyber Security Centre then Joanna?
So, IASME are working very closely with the Government and the National Cyber Security Centre so we have got that structure in place.
They have partnered with Business Resilience International Management and the network of Cyber Resilience Centres that we’re setting up in partnership with policing throughout the UK, so our job with the centres is to reach as many of those businesses as possible and make it fairly straightforward for a business to find their local supplier for Cyber Essentials.
Basically, find a supplier that’s on a par with the scale and size of their business. So if you’ve got a business with 10 people in it, you want a fairly small supplier that will take you through, but to the high quality standard, and understands the day-to-day pressures and how you operate your business. Equally, if you’ve got six or seven sites throughout the UK and you want a larger company, because you might want some additional services from them, not just certification, then you need to know where to find them. So the Cyber Resilience Centres have structured groups within each geographical centre, called trusted partners, so it becomes a recognised brand.
These are the people who can help you achieve Cyber Essentials Plus, take you through as a certifying body, and they meet on a regular basis and get to know each other.
Clearly, as rushes of demand kick in, if one of these companies is at capacity, because it’s quite intense work for their consultants, it’s very thorough work, then they can recommend a fellow trusted partner, and that is a good, healthy relationship from essentially competing businesses, but they understand critically that with cyber, if somebody has a need, you can’t wait. So they work very closely together, and equally those trusted partners do meet regularly with policing and look at the ethics, integrity, the quality assurance, what is going on in the marketplace, and feed that back into IASME and the government, so there’s a constant flow of information so that those standards are strictly managed.
Super, well, thanks. Thanks. That’s been very interesting. I’m sure you’re going to drop a link somewhere so people can click and grab more information.
“The IASME Governance standard was developed over several years during a government-funded project to create a cyber security standard which would be an affordable and achievable alternative to the international standard, ISO 27001. The standard allows small companies in a supply chain to demonstrate their level of cyber security for a realistic cost and indicates that they are taking good steps to properly protect their customers’ information. The IASME Governance assessment includes a Cyber Essentials assessment and GDPR requirements and is available either as a self-assessment or on-site audit.”
More on the IASME Governance standard