At a time when there is no shortage of reports of organizations suffering data breaches, infosec pros have difficulty knowing which suppliers and business partners to trust. Consumers have the same problem.
They may have a solution in a few weeks.
CyberNB, a wing of the New Brunswick government aiming to make the province a cyber security hub, has quietly announced it is adopting for use in this country the U.K. Cyber Essentials program, which certifies that small and mid-sized companies have met certain minimum security standards.
Firms that pass the certification get to put the Cyber Essentials logo on their Websites and marketing material.
In addition to being a brand that offers a competitive advantage, the program should also be a spur to SMBs to improve their IT security.
CyberNB hopes to officially launch the program in several provinces in April.
The program won’t have the force it has in the U.K., where companies wanting to bid on sensitive government contracts must be certified. However, the man overseeing the program said Canadian SMBs will still want to pass the test.
“It’s the same reason why restaurants have hygiene standards for their staff,” said David Whelbourn, the Cyber Essentials program director: “To protect their customers from being poisoned. It’s no real difference for a small and medium company. It’s about establishing yourself as doing the right thing to protect their clients and their data.”
And not only will certification protect companies, it will also protect their jobs. After all, he pointed out, “if they get attacked and ransomed that could destroy small and Canadian businesses.”
As the accreditation body, CyberNB is now looking for consulting and IT firms that will do the certifying. Three are already being qualified.
As in the U.K., the program here will have two levels:
–Cyber Essentials. To meet it an organization will complete an online form with 29 questions covering five security controls: boundary firewalls and Internet gateways; secure configuration; access control; malware protection; and patch management.
Typical questions include: Have the default usernames/passwords on all boundary firewalls (or similar devices) been changed to a strong password? Have all open ports and services on each firewall (or similar device) been subject to justification and approval by an appropriately qualified and authorised business representative, and has this approval been properly documented? Do you have a backup policy? Are elevated or special access privileges, such as system administrator accounts, restricted to a limited number of authorized individuals?
All answers then have to be verified by an approved certifying body.
Note that in U.K. documents this level is not recommended for organizations that could face advanced persistent threats.
–Cyber Essentials Plus. The applicant completes the same online form, and a certifying body also performs additional tests that have to be passed, including a vulnerability scan and a test of inbound email filtering controls.
Not included are complex application testing or database audits.
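Two of the questionnaire items above (open ports justified and documented; administrator privileges limited to authorized individuals) are things a small IT team can check mechanically before a certifying body asks. The following script is an added illustration, not code from CyberNB or the U.K. scheme. It assumes a Linux host, takes listening sockets in the shape of `ss -tlnp` output and group membership in the shape of `/etc/group`, and compares them against a hypothetical approvals register (`APPROVED_SERVICES`) and a hypothetical list of authorized administrators (`AUTHORIZED_ADMINS`). The sample input and the register are constructed for the example.

```python
"""Evidence checks for two Cyber Essentials questionnaire items (added example).

Compares listening services against a documented approvals register and
privileged group membership against an authorized-administrator list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, in the shape of `ss -tlnp` output on a Linux host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50      0.0.0.0:3389        0.0.0.0:*          users:(("xrdp",pid=1410,fd=11))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical approvals register: port -> expected process and who approved it.
APPROVED_SERVICES = {
    22: {"process": "sshd", "approved_by": "J. Doe (IT manager)", "ticket": "CHG-0042"},
    443: {"process": "nginx", "approved_by": "J. Doe (IT manager)", "ticket": "CHG-0043"},
}

# Constructed sample in the shape of /etc/group, and a hypothetical authorized list.
SAMPLE_ETC_GROUP = """\
root:x:0:
sudo:x:27:alice,bob,svc-backup
wheel:x:10:
"""
AUTHORIZED_ADMINS = {"alice", "bob"}

# Matches one LISTEN row; the greedy address group backtracks to the last ':' so
# IPv6 forms such as "[::]:22" split correctly into address and port.
SS_LINE = re.compile(
    r'^\s*LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (address, port, process) for every LISTEN row; skips the header."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return listeners


def is_externally_reachable(address: str) -> bool:
    """Loopback-only listeners are not exposed through the boundary, so ignore them."""
    return address not in ("127.0.0.1", "::1", "[::1]")


def unapproved_listeners(listeners: list[Listener], approved: dict) -> list[tuple[Listener, str]]:
    """Return listeners that have no documented approval or run a different process."""
    findings = []
    for lst in listeners:
        if not is_externally_reachable(lst.address):
            continue
        entry = approved.get(lst.port)
        if entry is None:
            findings.append((lst, "no documented approval"))
        elif entry["process"] != lst.process:
            findings.append((lst, f"approved for {entry['process']}, found {lst.process}"))
    return findings


def privileged_members(etc_group: str, groups=("sudo", "wheel", "admin")) -> set[str]:
    """Collect members of the groups that confer administrator privileges."""
    members: set[str] = set()
    for line in etc_group.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in groups and fields[3]:
            members.update(fields[3].split(","))
    return members


def unauthorized_admins(etc_group: str, authorized: set[str]) -> set[str]:
    """Accounts holding admin privileges that are not on the authorized list."""
    return privileged_members(etc_group) - set(authorized)


if __name__ == "__main__":
    for lst, reason in unapproved_listeners(parse_listeners(SAMPLE_SS_OUTPUT), APPROVED_SERVICES):
        print(f"FINDING port {lst.port} ({lst.process} on {lst.address}): {reason}")
    for user in sorted(unauthorized_admins(SAMPLE_ETC_GROUP, AUTHORIZED_ADMINS)):
        print(f"FINDING privileged account not on authorized list: {user}")
```

On the sample data the script flags port 3389 (`xrdp`) as having no documented approval and `svc-backup` as a privileged account outside the authorized list; the loopback-only PostgreSQL listener is deliberately ignored because it is not exposed at the boundary. On a real host you would feed it the live `ss -tlnp` and `/etc/group` contents and keep the approvals register under change control so it doubles as the documentation the question asks for.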
Applicants will pay around $500 to fill out the online application and, depending on the size of the company, about $500 for the certification. There will also be a $500 annual re-certification fee.
Whelbourn has big hopes for the program. Initially there will be a small launch so processes can be stress tested. “What I’m worried about is we have a massive increase and suddenly have to cope with a 10 or 20 fold increase” in applications.