Would you pass a Cyber Essentials audit? Here’s why hackers hope not
Security expert Davey Winder explains why every size of business should take the Cyber Essentials audit — not just the big-name organisations that hit the headlines
The UK Electoral Commission was hacked in August 2021. The Electoral Commission, an independent body that oversees elections and political financing, was unaware of this until October 2022.
It’s no coincidence that the same year this security breach occurred, 2021, the Electoral Commission failed to pass the Cyber Essentials audit. This certification is part of a voluntary scheme backed by the UK government and the National Cyber Security Centre (NCSC). According to the NCSC, the audit helps organisations “guard against the most common cyber threats” and “demonstrate commitment to cyber security”.
Now, this was no minor breach. The unidentified threat actors that hacked into the Electoral Commission servers could access the sensitive data, including email correspondence, of some 40 million voters.
A whistleblower told the BBC’s security reporter, Joe Tidy, that one reason the commission failed the certification audit was the use of iPhones that were too old to get security updates from Apple. Not to mention 200 laptops that ran an unsupported enterprise version of Windows 10.
While it’s important to note that the Electoral Commission has denied that these were linked to the security incident in question, it remains a blot on the organisation’s copybook.
Not least because, in 2023, it has yet to pass a Cyber Essentials audit. The NCSC itself states that not having the certification is problematic as being vulnerable to basic attacks “can mark you out as a target from more in-depth unwanted attention from cyber-criminals”.
Ring any bells?
Passing a Cyber Essentials audit
This risk doesn’t only apply to high-profile bodies such as the Electoral Commission. It applies to every organisation and every business, regardless of size or location.
“The certification is more than another compliance check box to be ticked,” said Ryan McConechy, CTO of Barrier Networks. “It is a solid baseline to make sure that, as an organisation, many obvious pitfalls have been avoided, helping remove the easy wins so attackers give up or move on.”
He added: “An organisation of such prominence [as the Electoral Commission] would normally be expected to be Cyber Essentials Plus certified.”
The Plus certification adds a hands-on technical verification to the self-assessment option of the basic audit.
“No organisation that handles the data of the UK population should ever gamble with security,” McConechy concluded. “The requirements of Cyber Essentials should be met as a standard practice and achieving certification should be a guarantee.”
I don’t disagree, but that security gamble shouldn’t be taken by any organisation. The audit is free and easy, and might just prevent your business from becoming a target of cyber-criminals.
As we have said before, and will say again, cyberattacks hit all sizes of businesses. If you aren’t worried, you’re doing something wrong.