What US firms can learn from the UK’s Cyber Essentials Scheme

A recent survey by insurer Endurance found that 81% of US small business owners believe cybersecurity is a concern for their business, with 31% of small businesses having experienced a cyber attack or attempted cyber attack.

Despite the high levels of insecurity felt by these firms, only 42% of survey respondents have invested resources in cybersecurity in the last year.

Lack of trust in the government’s ability to tackle cybersecurity

The report also reveals what small businesses generally think about the Federal Government's ability to tackle cybersecurity: 70% of small-business owners do not believe the Federal Government is doing enough to combat cyber attacks.

The fact that 83% would support federal tax incentives or grants to small businesses that invest in cybersecurity measures indicates that small business owners recognize the need for action.

US small businesses vs UK small businesses

The time may be ripe for US officials and business owners to take a closer look at what is happening on the other side of the Atlantic, more precisely in the UK.

British small businesses have similar challenges to their American counterparts. The BIS and PwC’s Information Security Data Breaches Survey 2014 revealed that 60% of UK small businesses had a security breach in 2013.

A report on Common Cyber Attacks issued by the UK Government Communications Headquarters (GCHQ) revealed that around 80% of cyber attacks could be prevented if businesses put simple security controls in place.

Acting on these common risks and threats, the UK Government launched the Cyber Essentials scheme back in June 2014 to help British organizations put these controls in place. Although the scheme is equally suitable for large organizations, it is particularly useful to SMEs and has been designed to be affordable and not overly complicated.

What can US firms learn from Cyber Essentials?

While the US Government hasn’t agreed on a common cybersecurity framework that is also suitable for small businesses, the latter can implement the five key controls mandated by Cyber Essentials to achieve basic cybersecurity. These are:

  • Secure configuration
  • Boundary firewalls and Internet gateways
  • Access control and administrative privilege management
  • Patch management
  • Malware protection

Use ISO 27001 to become secure

Small US companies may not be able to formally register for Cyber Essentials because it is a British scheme, but they can benefit from another cybersecurity framework that is recognized internationally: the information security management standard, ISO 27001.

ISO 27001 provides a holistic approach to information security that encompasses people, processes, and technology and enables organizations to protect their information security assets by implementing a set of security controls. Organizations complying with the Standard can obtain registration if they pass an independent audit.

Applicable to both small and large organizations, registration to the ISO 27001 standard has seen a steady increase in the US over the past seven years. According to the latest ISO survey, ISO 27001 registrations rose 36% in 2013.

The business benefits of ISO 27001 registration include improved information security, improved competitiveness and company reputation, and improved staff awareness of information security.

Are you a small business looking to achieve cybersecurity?

IT Governance’s flagship ISO 27001 FastTrack™ consultancy service helps you achieve ISO 27001 registration in just three months and is delivered online for organizations anywhere in the world for a one-off fee.

If you would like to speak to IT Governance’s team to discuss your requirements, call us on +1-877-317-3454 or send an email.