Cyber Essentials

Is it worth all the hassle and cost?

As outsourced DPOs for a number of schools, we have spent a great deal of time advising clients to gain Cyber Essentials accreditation. We are well aware that it is not the highest level of IT security accreditation, but for many organisations it does demonstrate an appropriate level of commitment to protecting against cyber threats, in line with GDPR requirements.

As of January 2022 the National Cyber Security Centre introduced an updated set of requirements for the Cyber Essentials scheme. This update is the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and is in response to the evolving cyber security challenges that organisations now face. This has also meant an increase in cost, rising from £300 to £450 for some schools.
We have been asked many times if we feel it is worth undertaking or renewing.
Our clear belief is that it is of huge benefit, not only because it proves that the school is taking IT security seriously (a fact recognised by the ICO) but also because it includes free cyber insurance cover of up to £25,000.
The following incident occurred on the last day of term before the Christmas holidays. Without going into too much detail, one of our School Academy Trust clients discovered that they had suffered a brute force cyber attack back in mid November. The Outlook email account of a member of the Senior Leadership Team was hacked, which resulted in a change to the “rules” and several thousand emails being redirected. Not surprisingly, there was a degree of panic, not only over what data may have been lost but also at finding out at 4pm on a Friday before a 3 week close down. The breach was reported to the ICO due to the potentially sensitive information stolen.
The Trust first completed the IASME accredited Cyber Essentials process in May 2019 and continued thereafter. They duly followed their guidance in reporting the incident to their insurer immediately. The response was fantastic.
Within 2 hours the insurer had arranged a conference call for 3pm on the Saturday, which included not only ourselves, the Trust’s Data Protection lead and the school IT provider but also a leading City law firm and a cyber security expert from KPMG.
The cyber specialist was allowed access to the school’s network and within 4 hours had discovered how the incident occurred, rectified the problem and provided a report on the incident. At the same time the law firm had assessed the potential repercussions and made their recommendations.
Within 18 hours of the incident being discovered, reports had been written and collated and the information sent to the ICO. This week we received a letter from the ICO stating that they were satisfied that the Trust’s data had been “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
The case is now closed.
For anyone who doubts the value of Cyber Essentials, this will hopefully clear any doubts. Firstly, the professionalism of the services provided by all those connected with the insurance claim was first class and put the client’s mind at ease. Secondly, the ICO’s acknowledgement that, by following Cyber Essentials, the Trust had taken appropriate measures in its protection of data is good to know.
As we stated at the start of the article, it is not the silver bullet. However, in this example, the £450 spent on the Cyber Essentials scheme has proven to be great value and we will continue to urge all organisations to consider it.
Contact us to learn more about Cyber Essentials. 