BCS, The Chartered Institute for IT, acts as the Professional Institute for the IT profession, with a Royal Charter governing the organisation's activity and purpose. There are a wide variety of membership types, events, specialist groups, personal development tools and articles, as well as professional exams, qualifications and apprenticeship assessments. BCS is a large organisation, turning over £20 million and employing 250 staff.
Billy McNeil joined BCS in 2018 as Director of IT and Operations. He is responsible for provision of IT services to employees, external systems used by members and exam registrants, and delivery of all the different types of services provided to different customer types.
Billy spared some time to talk to us about the process and benefits of cyber security certification, getting into the IT industry and a fear of phishing.
What are the main security challenges?
As the Professional Institute for the IT profession, we are a bit of a target for cyber attacks, perhaps as an attempt to embarrass us or to demonstrate prowess by breaching our security. Cyber security is a mainstream, board-level concern for us both internally and externally. Our Risk, Audit & Finance Committee (RAFC), which is made up of senior trustees of the organisation, has it as a standing item and is constantly probing for application of best practice and evidence of proactive steps on protection.
How did you hear about Cyber Essentials and what led you to getting certified?
We have connections with the UK government and have consulted with the NCSC on whether a scheme of this type would be a positive thing for the UK to have. Cyber Essentials Plus is very useful to evidence good practice and independently assess your current position. We wanted to use the certification to demonstrate to ourselves that we are in a good position to protect ourselves from cyber attack and mitigate the threats we know exist.
How did you find the process?
Certifying to Cyber Essentials Plus was relatively smooth and straightforward for us. We take cyber security very seriously and have tools, processes and policies already in place to protect us. We already held ISO27001, but in a couple of commercial contract discussions we were asked whether we held Cyber Essentials. Our governance structure recommended that it would be complementary for us to hold Cyber Essentials Plus as an additional certification. It is more directly practical than ISO27001, so the two nicely complement each other: one covering more of the process and policy side of things and one covering more of the practical aspects.
The time frame from not being certified to being certified was around 6 weeks overall. A handful of people in the IT project team worked an estimated 6 days in total across that time period. They completed the questionnaire, supplied extra information, and applied and tested a small number of remedial activities. We worked with the Certification Body, Claranet.
How do you feel now you are certified? What are the benefits?
Certification gives us reassurance that an independent and very practical assessment endorses that we are in a good position to protect ourselves from cyber attack.
Cyber Essentials Plus certification means we have been able to make further commercial arrangements with customer organisations that demand certification as independent evidence that the information we hold on them will be appropriately safe. We have also used it as evidence that the tools, policies and processes we have in place aren’t disproportionate to the threat.
The thoroughness of the assessment process makes it a highly valued annual activity for us. From first gaining Cyber Essentials and being annually assessed, it is highly unlikely that a handful of improvement opportunities won’t be spotted. The annual assessments that we have for Cyber Essentials are now considered a core part of our continuous improvement programme.
What advice would you give to other businesses like yours?
Don’t look at ISO27001 and Cyber Essentials as somehow equivalent. They complement each other very well and don’t directly overlap. ISO27001 focuses more on process controls and policy positions, with some practical assessment. Cyber Essentials is the opposite – the focus is much more on practical assessment, with some process and policy assessment.
Do you have any tips for people wanting to get into IT or cyber security, coming straight from school or even from an unrelated career?
For those with an interest but no relevant experience in IT, Digital Boot Camps are intense training vehicles funded by the government to try and introduce people into the IT profession in a slightly more managed and structured way than just throwing a textbook at them. Anyone can book onto one of the boot camps, be immersed for a very intense period, and by the end, have a good idea as to whether it’s for them. They would be at a reasonably competent starting point for a career in IT.
The boot camps have different specialisms, and BCS membership is provided to the people who complete them. Membership provides a central place to manage your career, work out what your next move is and access many different types of helpful material. It offers a network of like-minded people, mentorships, professional certifications, tools and specialist groups, and is a safe space where those entering the industry can carry on their development so they don't just end up back in their front room thinking "that was nice".
A digital apprenticeship can also be a great starting point for entering the IT profession. There are now such a broad range of apprenticeship standards from the more creative (like Creative Digital Designer) to the deeply technical (like Cyber Security Technologist) that different types of people from different backgrounds and with different interests can find a route into the IT profession. BCS membership benefits as well as professional registration status can be accessed through this route too as BCS is an apprenticeship assessment provider.
BCS has a mission to ensure that technology is a positive experience for everyone. One of our community projects at the UK Cyber Security Forum is a pilot programme to reduce cyber-enabled fraud against the elderly population.
How can we help the elderly have a more positive experience when they engage digitally?
It's a difficult one. In real life, people do learn how to manage the snake oil salesman that turns up at the door, or to understand that the something-for-nothing offer in a physical shop may not be all it seems. Fraud has been around for a long time and learning how to spot it is an important life skill. The challenge is bringing the same mindset to activities while using technology. It's about applying the same checks and balances to all interactions, including digital ones, and not being frightened to try new things. In the past, fraud would have been carried out one house, or one person, at a time. Technology simply allows more people to carry out fraudulent activity at greater scale. If you can recognise and accept that, then there is nothing to be scared of that hasn't been around for hundreds of years.
What advice would you give a sole trader or micro company with no IT manager in achieving Cyber Essentials?
I suspect they probably need to ask for some help from the Certification Body that is assessing them. With a little bit of help, they will realise that it's not as scary as they thought; in fact, it's very practical. Our CB, Claranet, would certainly have the knowledge and skills to help us do the relevant things to achieve the certification. It's certainly not as intimidating as a one-man band attempting to achieve ISO 27001. That is much more about broad-ranging policies, which are likely to be less relevant than the more practical Cyber Essentials assessment.
Have you seen an increase in commercial contracts asking for Cyber Essentials?
Yes, we have and it’s quite recent. Certainly, in the last six to twelve months.
A few years ago, the same thing happened with ISO 27001. People in the industry that were using IT services perceived ISO 27001 as a very useful and helpful endorsement of the security stance of an organisation they were dealing with. I think Cyber Essentials is now in the same sort of space. If I was doing a procurement, I would look for both, because they come from different ends of the spectrum and are complementary. If I was going into an organisation and saw they had both, I'd know that they'd tested in each direction, and they can cope well with challenges thrown their way.
What in your opinion are the biggest threats for 2023?
The only thing that really risks keeping me awake at night is a ransomware attack. Because it's typically human-initiated, it is the one thing that's almost impossible to fully protect yourself against. You can protect yourself against a technical attack like a DDoS attack, or known malware, or typical viruses, or hacking attempts, those kinds of things, but not where somebody's chosen to click on a link in an email, launch the harmful application and actually trigger that whole cycle. About six months ago, we implemented a technical anti-ransomware solution, which doesn't stop the ransomware encryption completely, but stops it very soon after encryption starts because it recognises the pattern of files being encrypted. On the tests we've carried out, it stops it after about six to ten files, so that's helped me sleep a bit better. But ransomware is becoming more common and the vehicles to initiate it are becoming more sophisticated and appearing more legitimate. These days it's getting harder and harder for an attacker to technically break into a system, but a well-made socially engineered email can bypass all the perimeter security of firewalls and intrusion detection systems, as it focuses on the human being as the weak point. We need to continuously educate people using digital systems to enable them to spot phishing attempts reliably.
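The detection pattern Billy describes, as an added illustration and not the product BCS uses: count file writes that turn a readable file into ciphertext-like content within a short window, and raise a halt signal once a threshold is crossed. The entropy cut-off, window length and trigger count are assumed values chosen to match the "six to ten files" figure, and the sample file writes are constructed.

```python
import math
import random
from collections import deque

ENTROPY_THRESHOLD = 7.0   # bits per byte; documents sit well below this, ciphertext near 8
TRIGGER_COUNT = 8         # suspicious rewrites within the window before we halt (assumed)
WINDOW_SECONDS = 5.0      # sliding window over which the rewrites are counted (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class MassEncryptionDetector:
    """Counts low-to-high entropy rewrites in a sliding time window; trips at a threshold."""

    def __init__(self, trigger=TRIGGER_COUNT, window=WINDOW_SECONDS, threshold=ENTROPY_THRESHOLD):
        self.trigger, self.window, self.threshold = trigger, window, threshold
        self.recent = deque()  # (timestamp, path) of rewrites that looked like encryption

    def observe(self, ts: float, path: str, before: bytes, after: bytes) -> bool:
        """Feed one file-write event; True once the pattern looks like mass encryption."""
        # Only a file that was readable and is now ciphertext-like counts. Rewriting a file
        # that was already high-entropy (zip, jpeg, existing ciphertext) is normal activity.
        if shannon_entropy(before) < self.threshold <= shannon_entropy(after):
            self.recent.append((ts, path))
        while self.recent and ts - self.recent[0][0] > self.window:
            self.recent.popleft()
        return len(self.recent) >= self.trigger


def files_lost_before_halt(n_files: int = 12, seed: int = 0) -> int:
    """Constructed scenario: n_files documents overwritten 0.1 s apart with random bytes."""
    rng = random.Random(seed)
    detector = MassEncryptionDetector()
    for i in range(n_files):
        plaintext = (b"Quarterly report %d: figures and commentary. " % i) * 80
        ciphertext = rng.randbytes(len(plaintext))  # stands in for the encrypted file
        if detector.observe(0.1 * i, f"docs/report{i}.txt", plaintext, ciphertext):
            return i + 1  # files already rewritten when the halt signal fired
    return n_files
```

Rewrites of files that were already high-entropy are deliberately ignored, because archives and images are the main false-positive trap for entropy-based detection of this kind.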