Applying the ‘Cyber Essentials’ to help protect our customers
CA Technologies recently secured a “Cyber Essentials” certification in the UK.
By David Billeter, Chief Information Security Officer and Duncan Bradford, CTO EMEA North
The Cyber Essentials Scheme, developed by the UK Government in partnership with industry, was designed to provide a sound foundation of cyber hygiene measures that can significantly improve an organization’s security posture.
Applying CA solutions to achieve certification
The scheme contains a list of discrete security controls organized under five umbrella categories:
As we examined the Cyber Essentials program, we realized that many of the CA proprietary solutions we use to protect our networks and systems are ideally suited to help both CA and our customers align with many of the Cyber Essentials controls. These include CA Privileged Access Management, CA Advanced Authentication, CA Single Sign On, CA Identity Management, CA Identity Governance, and CA Client Automation.
Focusing on our global customer base
As CA Technologies assessed the Cyber Essentials process, we made a strategic decision to seek certification for protection of our global customer base, rather than only for our UK-based customers.
We made this decision for a few reasons.
First, cyber threats do not recognize borders. The same threats that face our UK-based customers face the rest of our global customer base as well. In addition, many of our customers are multinational corporations, and it makes sense to apply consistent security controls to protect all of their sensitive data.
Providing clarity to customers and suppliers
Second, Cyber Essentials provides a useful framework for us to communicate our security approach to customers, suppliers and regulators in the UK and globally. The security controls within Cyber Essentials can be clearly understood by a range of security practitioners and administrators. This clarity can help build confidence and expectations within our customer and supplier ecosystems.
In addition, various laws around the world, like the EU’s General Data Protection Regulation (GDPR), emphasize the need for investments in security to protect data. By certifying our security practices against Cyber Essentials, we give customers additional confidence about CA’s efforts to protect their data and our compliance with these laws.
Addressing the 80/20 challenge
Third, we believe that our certification and our promotion of the Cyber Essentials program will help shine a light on cyber hygiene best practices and encourage other organizations to follow them.
The types of attacks that Cyber Essentials is designed to protect against are responsible for the vast majority of recent significant data breaches. While many of the Cyber Essentials controls represent practical, strong cyber hygiene approaches, too many organizations are falling short when it comes to applying basic protections. Too many hacks are perpetrated through unpatched applications. Too many breaches are consistently elevated because organizations fail to implement proper identity and access management controls.
If organizations could shore up these common cyber defenses, the cost curve for cyber attacks would bend significantly higher for the attackers, resulting in reduced likelihood of an incident. Further, government departments and cyber threat information sharing partnerships could focus their resources on more advanced attacks, further bending the cost curve against attackers.
We look forward to working with the UK Government and our global customer base to highlight the critical need to implement strong cybersecurity hygiene practices and to strengthen trust in the digital economy.