
From Slopes to Servers: Navigating cyber risks in the winter season with Cyber Essentials

16 January 2024

It’s the ski (or snowboard) season. How can that be relevant to cyber security, you ask?

Well, as a keen skier of many years, until 2009 I wore a woollen beanie on my head as ‘helmets were for kids’. And then famous actress Natasha Richardson was killed after hitting her head in a low-speed skiing fall. It was a shock to the snow sports world and we all sat up. Subsequent pub discussion of the risks we were taking concluded that serious head injury was less about your skiing ability and more about the out-of-control idiot who crashes into you. We quickly concluded that helmets were a good idea. These days almost everyone wears a helmet on the slopes, and most of us do so because we are more worried about the risk of collision than about falling over.

And yet, so what? Well, this week the World Economic Forum released a report that contained an interesting cyber-stat:

41% of the organisations that suffered a material incident in the past 12 months say it was caused by a third party. 

In other words, having your own cyber defence is one thing, but no organisation stands alone; all successful enterprises rely to some extent on a supply chain or business partners. Therefore the real cyber risk you experience is only partly about your IT and quite a lot about other organisations’ diligence, control and approach to cybersecurity.

This is where schemes like Cyber Essentials come in. The idea is that the application of some basic (but still good) controls and protection mechanisms gives you, and fellow business and organisation leaders, confidence that a potential supplier or business partner has demonstrated a diligent approach to managing their cyber-risks. While no one is immune from cyber threats, at least they have taken reasonable steps to reduce their risk, mitigate attacks, and therefore present less risk to you as a customer or partner. So you should be able to rely on them more than those without.

Flip this around and ask the question: how many potential customers will want to work with your organisation if it doesn’t have any way of demonstrating a good cybersecurity approach?

In short, the introduction of Cyber Essentials (CE), Cyber Essentials Plus (CE+) and similar standards, while voluntary, is quite deliberately designed to encourage businesses of all shapes and sizes, charities and not-for-profits alike, to increase their cyber-security. Over time this pressure will drive up the overall level of cyber-resilience across the economy and contribute to making the UK “the safest place to live and do business online”.

Gaining a Cyber Essentials tick or a CE+ award is not particularly onerous or expensive. The costs and lost opportunities of not doing so are likely to become increasingly apparent, though.


Sometimes it takes a shocking incident to change a narrative or the sense of need for protection. Natasha Richardson’s death in 2009 changed the mentality of skiers the world over. Sometimes, however, it is better not to wait for an incident to occur, especially if protection is ready and waiting already.

If you are skiing (or riding) this winter, have fun and watch out for those who don’t demonstrate the necessary control; the same goes for yourself and your business in cyberspace. Contact us today for more support.




By Richard Winter