
Is it Time to Make Cyber Essentials Compulsory?

Posted on February 3rd, 2025 | Written by Ken Holmes.

Cybercrime continues to gather pace in the UK, yet only a handful of UK companies comply with the Cyber Essentials standard. Is it time to put cybersecurity in the same category as health and safety and make Cyber Essentials legally required?

It seems that a day doesn’t go by without a national news story of a company being affected by cybercrime. But the ones that reach the news tend to be larger household names, and they represent only the tip of the cybercrime iceberg, which includes many, many smaller companies that have been attacked in some way via the Internet.

The Legal Picture

UK legislation focuses on the UK GDPR (General Data Protection Regulation), the post-Brexit version of the EU’s GDPR that became law in May 2018. The Data Protection and Digital Information Bill, which was at the final stages of going through Parliament when the 2024 general election was called, promised to water this down to some extent, supposedly to free UK businesses from EU red tape, but it fell at the final hurdle and didn't become law. The new Labour government is now pushing the Data (Use and Access) Bill, and only time will tell whether this succeeds before the next election.

There is no requirement for businesses in the UK to show that they have appropriate cybersecurity controls in place, and a lack of them typically only comes to light when there is a breach of personal data and the Information Commissioner’s Office (ICO) gets involved.

Cyber Essentials UK

The UK does have a government-sponsored cybersecurity certification scheme called Cyber Essentials that has been running since 2014. Intended to address eighty percent of common attacks, the scheme requires certifying organisations to put in place controls in five areas:

  1. Firewalls
  2. Secure configuration
  3. Security update management
  4. User access control
  5. Malware protection

Certification is required to bid for central government contracts that involve handling sensitive and personal information, but there is no such formal requirement outside of this; it is left to the open market to decide the level of cybersecurity assurance needed to win business.

But awareness of such schemes is remarkably low amongst UK businesses, let alone amongst UK consumers, so it’s hard to see how customer demand is going to drive any kind of improvement in the cybersecurity posture of most companies.

A New Model of Regulation?

Imagine if health and safety were organised in the same way, where the expectation is that customers would buy goods and services from companies with the best record of protecting their staff, and so improve standards. This, quite rightly, doesn’t happen; instead the government mandates certain legal standards of health and safety, and they are monitored closely by the Health and Safety Executive, which acts as a regulator.

So why could the same model not be adopted for cybersecurity in the UK, with mandated standards (for example, certification to Cyber Essentials) policed by a central regulator such as the National Cyber Security Centre or the ICO?

This would have the benefit of raising standards of cybersecurity in the UK massively, making the country a much harder proposition for cybercriminals, saving companies money by avoiding breaches, and protecting consumers’ personal data at the same time.

It wouldn’t erase cybercrime completely, but it would certainly make the UK a less attractive target and fit in with the current government’s ambition to capitalise on the opportunities presented by Brexit on the world stage.

Compulsory Cyber Essentials would be good for UK IT managed service providers, encouraging growth in an area identified by the UK Cyber Strategy as a priority.

Yes, it would be an extra cost for businesses, but it could be worth it for reduced risk and increased trust from customers and stakeholders.

Final Thoughts

There comes a point where the only way to make something happen is for central government to step in and legislate for it, and maybe we’ve reached that point with cybersecurity. The alternative is for the UK to carry on as it is, constantly falling victim to anyone with a bad attitude and a keyboard.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).