Would you pass a Cyber Essentials audit? Here’s why hackers hope not
Security expert Davey Winder explains why every size of business should take the Cyber Essentials audit — not just the big-name organisations that hit the headlines
The UK Electoral Commission was hacked in August 2021, something the Commission, an independent body that oversees elections and political financing, did not discover until October 2022.
It’s no coincidence that in the same year the breach occurred, 2021, the Electoral Commission failed to pass the Cyber Essentials audit. This certification is part of a voluntary scheme backed by the UK government and the National Cyber Security Centre (NCSC). According to the NCSC, the audit helps organisations “guard against the most common cyber threats” and “demonstrate commitment to cyber security”.
Now, this was no minor breach. The unidentified threat actors who got into the Electoral Commission’s servers had access to sensitive data, including the Commission’s email correspondence and copies of the electoral registers, which hold the details of some 40 million voters.
A whistleblower told the BBC’s security reporter, Joe Tidy, that one reason the Commission failed the certification audit was its use of iPhones too old to receive security updates from Apple, not to mention 200 laptops running an unsupported enterprise version of Windows 10.
While it’s important to note that the Electoral Commission has denied that these were linked to the security incident in question, it remains a blot on the organisation’s copybook.
Not least because, in 2023, it has yet to pass a Cyber Essentials audit. The NCSC itself states that not having the certification is problematic as being vulnerable to basic attacks “can mark you out as a target from more in-depth unwanted attention from cyber-criminals”.
Ring any bells?
Passing a Cyber Essentials audit
This risk doesn’t apply only to high-profile bodies such as the Electoral Commission. It applies to every organisation and every business, regardless of size or location.
“The certification is more than another compliance check box to be ticked,” said Ryan McConechy, CTO of Barrier Networks. “It is a solid baseline to make sure that, as an organisation, many obvious pitfalls have been avoided, helping remove the easy wins so attackers give up or move on.”
He added: “An organisation of such prominence [as the Electoral Commission] would normally be expected to be Cyber Essentials Plus certified.”
Cyber Essentials Plus adds a hands-on technical verification, carried out by an external assessor, to the self-assessment questionnaire of the basic certification.
“No organisation that handles the data of the UK population should ever gamble with security,” McConechy concluded. “The requirements of Cyber Essentials should be met as a standard practice and achieving certification should be a guarantee.”
I don’t disagree, but that security gamble shouldn’t be taken by any organisation. The basic audit is inexpensive and straightforward, and might just prevent your business from becoming a target for cyber-criminals.
As we have said before, and will say again, cyberattacks hit all sizes of businesses. If you aren’t worried, you’re doing something wrong.