Today marks the first anniversary of IASME becoming the NCSC’s Cyber Essentials partner. It’s been a busy year set against the backdrop of COVID-19 and a national lockdown. Despite the terrible effect of the pandemic on many businesses, both the Cyber Essentials scheme and the IASME Consortium have grown considerably. We wanted to celebrate a remarkable year at IASME, and what better excuse to meet the two directors, Professor Danny Dresner and Dr Emma Philpott MBE.
Daniel Dresner is a founder and director at IASME. He worked with the other founders to develop a cyber security certification scheme that was achievable and affordable for small companies. There was nothing else like this at the time and they managed to attract government funding to pilot the scheme. In 2012 they created the company, IASME, to take the results of that project forward.
Danny has been working in cyber security since 1994, when he was at the National Computing Centre, using his skills in technical writing to communicate processes and procedures in the quality management department. At that time, the Government’s Department of Trade and Industry got together with a UK computer manufacturer, ICL, and wrote the first-of-its-kind Information Security Breaches Survey. It was Danny at the National Computing Centre who edited the results from that survey, and this helped him realise that it was possible to create a set of rules that could turn tacit expertise into explicit instructions and help keep people and their computers safe online. As a result, Danny moved into the world of security management. Today, Danny is the University of Manchester’s first professor of Cyber Security and is highly regarded across the industry.
Dr Emma Philpott is director and CEO of IASME and joined the organisation in 2013. A materials scientist by training, Emma spent time working in the Ministry of Defence and QinetiQ, followed by 5 years working in Singapore. When Emma moved to Malvern in 2009, she found that there were lots of small cyber security companies that faced barriers to growth. Emma set up the Malvern Cyber Security Cluster to support and represent these small companies. One of the start-ups that Emma met through this work was IASME. The founders approached Emma for some business planning advice and she became increasingly involved in the plan to develop a route to cyber security certification for small companies. In addition to this, Emma has been involved in training and supporting neurodiverse individuals in cyber security, as well as the wider diversity aspect of the cyber security industry. In 2019, Emma was recognised for her services to cyber security with an MBE in the Queen’s Birthday Honours list.
Danny, what was the motivation to create IASME?
It was while talking with Richard Henson from Worcester University in 2008 that I became interested in the gap in the market around cyber security for small businesses. There was a need for something accessible to help small organisations understand a framework to increase their chance of staying safe online. About that time, the Technology Strategy Board came along and offered money to do some research on improving security. Our answer was the Information Assurance for SMEs, now known as IASME.
Emma, what motivates you in your work at IASME?
I am motivated by the thought that we are making a difference. It motivates me as a person, and it motivates IASME as a company. Rather than trying to do something that other people are already doing and competing in a crowded market, our philosophy has always been, if someone’s already doing it, then we don’t need to.
This time last year, the news of becoming the sole provider of Cyber Essentials coincided with sending everybody home and rapidly deploying remote working for the company. Tell us about the year. How has lockdown affected business and the uptake of the scheme?
EP: It’s been a busy year. Since winning the tender for sole provider last year, we’ve had to grow very fast in order to be able to deliver the scheme and at the same time work closely with NCSC to update and develop Cyber Essentials. The company has had to grow by about three times over the last year while being in lockdown and remote working. It’s been tough for the IASME team to do this, because many of the new employees have had to learn their job remotely and have never actually met most of their colleagues. Despite the difficulties, we’ve managed to recruit wonderful people during lockdown, meet all our targets and also support the smaller organisations in our network of Certification Bodies.
So Cyber Essentials is going from strength to strength. How are you working to make this basic-level scheme accessible to new markets?
EP: Over the last year, we’ve developed an amazing new tool to help people get started. The Cyber Essentials readiness tool is free of charge and accessible as a set of questions on the IASME website. The process of working through the questions will inform a business owner about their own level of understanding and what aspects they need to focus on. They will be directed towards the appropriate guidance based on their answers to the questions and, upon completion, will be presented with a tailored action plan to help them take the remaining steps to get ready for Cyber Essentials.
We’ve been working with Derbyshire County Council to write tailored guidance specifically for schools, and we are in the process of piloting Cyber Essentials certification with 500 schools.
We have plans to work with other industry sectors to understand their specific challenges and issues so we can develop guidance tailored specifically to those markets as well.
How is Cyber Essentials having to adapt to accommodate the ever-changing tech and threat landscape?
DD: We are working with the NCSC to review and update the Cyber Essentials technical controls, and this will be an ongoing process to ensure it stays up to date. However, we also remember that with new emerging technology, it’s easy for people to rush forward and forget about the constants. First and foremost, Cyber Essentials is about trying to remember those basics. Even the biggest team with the best equipment is never going to be able to supply 100% security, so that is off the cards. But, if we think about recent COVID guidelines, it’s a good idea to wash your hands, a good idea to wear a mask, a good idea to keep your distance. Each of those things by themselves might be a little bit of help in not spreading the virus, but together they will help a lot, although still not be a guarantee. It would nevertheless be silly not to do those basics. So even with things moving so fast, we’ve got to remember that no matter how fancy our house is going to be, we’re still going to want to have windows, and we’re still going to want to have doors, and we’re going to have to have some lighting and some heating. We are always going to need strong basics.
Can we talk about IASME Governance, an affordable alternative to ISO 27001 for SMEs?
EP: This last year we have certainly been very much focusing on Cyber Essentials, with the move to being the Cyber Essentials partner. As our team grows, we are now ready to focus on expanding our IASME Governance certification scheme. An increasing number of customers from a wide range of industry sectors have started to accept the audited IASME Governance certification instead of ISO 27001 for small companies. That’s a massive step forward, because ISO 27001 is very difficult for small companies to achieve, not because they don’t have the governance in place, but because of the cost and the manpower requirement. To maintain ISO 27001, most companies would need an extra member of staff, which would be very challenging for many small companies.
As if you have not had enough to keep you busy in 2020-21, you have developed and launched two completely new schemes. Tell us about those.
EP: The IoT Security Assured scheme is something that has come about due to lots of inquiries from people who have said they wanted to certify their products using Cyber Essentials or IASME Governance. Of course, they couldn’t do that, because those schemes are for a company. We started thinking about certifying products, and decided to develop something that relied on the basics for connected products. The UK has been leading the way in the development of IoT security codes and standards, and we were lucky enough to be awarded a grant to pilot our IoT security certification scheme. We first ran a pilot with 10 IoT products and had great feedback. We then launched the scheme on 8th February and have already had a lot of interest from companies wanting to certify their products and also companies wanting to deliver the assessments.
What is the new legislation for IoT devices in the UK?
EP: The UK is likely to legislate that all consumer devices sold in the UK have to meet the first three controls of the DCMS Code of Practice for Consumer IoT Security. This specifies that you can change the password on your device, that you can report a vulnerability, and that the organisation has a way of patching those vulnerabilities and telling customers how long it will be supported. Although these are the real basics, they are also the most important aspects, and a lot of consumer IoT devices currently don’t have them.
DD: Most of our IASME schemes are really about helping people who may be the equivalent of rabbits in the headlights, perhaps because they are trying to solve a lot of security problems at once. IASME has pioneered the approach of breaking things down, looking at what’s essential and making a start. But we don’t stop there, and although we encourage people to make the first steps, we also encourage them to continue learning about security. The certificates are really the by-product of an educational journey to show their customers that they pay attention to security and do something about it.
Tell me more about the Counter Fraud Fundamentals Scheme.
EP: We developed this certification scheme in collaboration with the Open Banking Implementation Entity (OBIE). Open banking was established to drive innovation and competition across financial services, by helping consumers make better use of their financial data to access a wider range of financial products and services.
We worked with OBIE, PKF GM Littlejohn and a former fraud specialist police officer to develop a simple assessment and certification scheme that focuses on the important basics within counter fraud. Of course, counter fraud overlaps so much with cyber security that it feels like a completely natural thing to do, but we have found that there’s no other basic-level counter fraud certification available anywhere.
So, what next? Are there any other schemes in the pipeline? What are IASME’s goals and ambitions for the next 5 years?
EP: We have had a lot of interest from other countries in IASME Governance and our new certification schemes. As far as we know, our IASME Governance is still the only cyber security certification scheme which has been specifically designed to be affordable and achievable for small organisations.
We also have a trusted network of 265 cyber security companies across the whole of the UK and Crown Dependencies. This network is a valuable resource, and one of IASME’s aims is to help them grow their businesses and benefit from being part of that expert network.
DD: Another thing to mention is that, at the University of Manchester’s Better World showcase, we were a winner for our outstanding contribution to equality, diversity and inclusion, and those are important values for IASME. We plan to re-launch our neurodiverse cyber security training, take it online and make it national. We also want to take a look at addressing diversity in a wider context by encouraging people from any community that is under-represented in the cyber security industry. We strive to help bring down barriers to get everybody involved that has a talent or an interest.
Please note, this blog may contain guidance and information that is outdated.
On 24th January 2022, the Cyber Essentials technical requirements were updated in line with current cyber security threats. The self-assessment question set changed from version ‘Beacon’ to version ‘Evendine’. Blogs and articles published before that date may no longer accurately reflect the Cyber Essentials requirements.