The Standard for people-driven cyber security

FAQs

Q. What type of organisation should work with Cyber Primed?

A. The short answer is that any organisation can work with Cyber Primed. In fact, every organisation, of any size and in any sector, should be concerned about cyber security and have a strategy in place to deal with the risks. Cyber security breaches affect all kinds of businesses and the costs can be substantial. A quarter (24%) of all businesses detected one or more cyber security breaches in the last 12 months (UK Government’s Cyber Security Breaches Survey 2016).

Q. I already have virus protection on my IT system, so why do I need Cyber Primed?

A. Most businesses have some form of rules or controls in place around cyber security, although these can often fall short of best-practice standards.
It’s important to remember that cyber security is not just about virus protection and firewalls. Significantly, nearly two thirds of cyber attacks occur due to human error, not purely for technical reasons. That’s why it’s essential for any employer to make sure that their people are aware of what to look out for in terms of potential risks, and that the organisation has appropriate policies and procedures in place for people to adhere to.

Q. If I outsource my IT requirements to an external company who look after my system, can I still work with Cyber Primed?

A. Yes! Cyber Primed are more than happy to work alongside external providers, and of course your internal IT department if you have one, to enhance the defence measures that are already in place and to plug gaps, which usually occur around plans, policies, procedures and training.

Q. What internal resources will I need to dedicate to Cyber Primed?

A. Initially, it would be best if you could identify a dedicated person or people to act as a contact for Cyber Primed and take responsibility for managing the process. Ideally, this should be someone with the authority to make decisions about strategic and operational issues.

You may also wish to appoint a person or team to monitor progress on an on-going basis, or you may simply allocate responsibilities based on existing job roles.

Whilst working with Cyber Primed, it’s likely that some training will be required for the people within your organisation, so you should factor in some time for this. You will be able to discuss and plan this with your Cyber Primed consultant during the process.

Q. How much does Cyber Primed cost?

A. Cyber Primed works within a 3-year cycle:

Year one - a total cost of £5000 + VAT to cover the initial audit and year one activities, which includes consultancy, audit, 6-monthly review and on-going support.

Year two - £2500 + VAT (annual review plus on-going support as above)

Year three - £2500 + VAT (annual review plus on-going support as above)

Then the following year, the cycle starts again with a full re-audit as per year one and the process continues for as long as your organisation is working with Cyber Primed.

These prices are correct at the time of going to press (20th February 2017) and are reviewed every year, on 30th June.

Q. How long will it take for us to be ready for our first Cyber Primed audit?

A. This is largely down to the current status of cyber security arrangements in your organisation; we recognise that every organisation is different and has different challenges. An organisation that has already commenced or has in place cyber security plans, policies and procedures, and has trained and evaluated the knowledge of its staff, might be ready to come forward for audit in a matter of weeks. An organisation that is just embarking upon its consideration and implementation of security measures might require several months to prepare, and might require more intensive support from our consultants. Critically, we can provide support to organisations so that they do not have to work things out all by themselves!

Q. How will my clients and suppliers know I have had a Cyber Primed audit?

A. Once your auditor has confirmed that your organisation has met the Cyber Primed standard, you will be given the Cyber Primed mark to display on your email, website, letterhead, etc. This declares to internal and external audiences that your organisation has successfully completed an up-to-date Cyber Primed audit and is constantly reviewing its cyber security procedures.

Q. Do my people have to be knowledgeable about IT to have a Cyber Primed audit?

A. Absolutely not! Cyber Primed is a people-centric standard and is not all about technical issues.

The person or people who will be using the Cyber Primed portal should simply be familiar with the usual office applications and perhaps have some experience in using a database/CRM or similar.

However, your people will need to have knowledge of your organisation’s plans, policies and procedures and understand the reasons behind the information and measures stated within them. That’s because it’s important that your people are aware of the potential risks involved with cyber security. Your Cyber Primed consultant may identify some training needs for the people within your organisation, which you will be able to discuss/plan with your consultant as you progress towards your Cyber Primed audit.

If technical issues are identified as part of the Cyber Primed process, we can work with your IT representative or team. Alternatively, if you outsource your IT requirements, we will be happy to work with your external provider too.

Q. What’s the difference between Cyber Primed and ISO 27001?

A. There are many aspects of the Cyber Primed standard that overlap with ISO 27001; after all, good practice is good practice!

However, several elements of ISO 27001 are packaged into 'general policies' and require specialist insight to set up and manage; not all Board members are going to find ISO compliance easy to monitor. Cyber Primed, on the other hand, is more granular and is clearly set out (rather like a shopping list), so specialist insight is not necessarily required to put Cyber Primed in place and it's much easier for non-technical senior managers/directors to manage and monitor. There are also specific elements that are mandatory for Cyber Primed that are simply not required for ISO 27001.

Q. What’s the difference between Cyber Primed and Cyber Essentials?

A. In the words of the official Cyber Essentials summary document, ‘Cyber Essentials offers a sound foundation of basic hygiene measures’, and ‘…focuses on threats which require low levels of attacker skill, and which are widely available online…’. In aiming to deliver this, Cyber Essentials places focus on suggestions for what it frequently describes as ‘basic technical cyber protection’.

Cyber Primed takes into account all of the requirements of Cyber Essentials, but envelops and significantly augments them by comprehensively following GCHQ’s cyber security requirements. Cyber Primed requires that an interlinked and prescribed set of measures for monitoring, reporting and checking procedures is in place. These measures include mandatory plans, policies, procedures, logs and training, as well as establishing clear lines of responsibility within the organisation. Critically, stringent verifiable documentary evidence is required and is reviewed by us every six months. This level of monitoring enables Cyber Primed organisations to measure and monitor their cyber security status and, if required, provide evidence of this to their insurers, suppliers, government bodies and others.

Q. What are the most common types of cyber crime?

A. The Office for National Statistics conducts an Annual Crime Survey, in which it quotes figures for cyber crime and fraud regarding:

"Bank and credit account fraud" - meaning criminals accessing bank accounts, credit cards or fraudulently using plastic card details

"Advance fee fraud" - crimes where the victim has been tricked into handing over cash after a communication, such as a scam

"Non-investment fraud" - criminals conning a victim into buying something, often online, perhaps through a bogus phone call or email

"Computer misuse" - comprising two main areas:

Unauthorised access to personal information, including hacking;

Computer virus, malware or other incidents such as "DDoS" attacks aimed at online services

Q. What is the average cost of cyber attacks for UK organisations?

A. The Government’s Cyber Security Breaches Survey 2016 reports that among the businesses that detected breaches, the estimated average cost of all breaches over the last 12 months was £3,480. This is much higher for large firms, at £36,500. The estimated average cost of the single most disruptive breach from the last 12 months was £2,620 across all businesses and £32,300 for large businesses.

Q. How many organisations are victims of cyber crime each year?

A. The ONS reports that there were an estimated 3.6 million cases of fraud and two million computer misuse offences in a year, according to the 2016 Crime Survey for England and Wales.

Q. Is Cyber Primed only about computers and IT at work?

A. It’s important to remember that cyber security is not just about virus protection and firewalls. Significantly, nearly two thirds of cyber attacks occur due to human error, not purely for technical reasons. Your people need to be aware of potential risks, not just while on their PC or laptop at work but also when using social media or personal devices, speaking to people, handling sensitive or confidential information, etc.