Vodafone says Cyber Essentials certification proves its security credentials, but some say government scheme isn’t a serious benchmark
Vodafone has been awarded the government’s new Cyber Essentials Plus cybersecurity certification, thus becoming the first telecom and multinational organisation to receive the award.
The Cyber Essentials scheme was designed to help consumers establish whether an organisation has implemented basic security measures, such as firewalls and anti-virus software, and whether it understands the importance of frequent patching.
From 1 October, certification will become mandatory for all suppliers bidding for government contracts that involve the handling of personal and sensitive information, but the scheme does not test for advanced security features like encryption or two-factor authentication.
Vodafone Cyber Essentials accreditation
Certification is available to businesses, non-profits and government organisations, and there are two tiers of accreditation. Cyber Essentials requires organisations to submit a questionnaire which is then verified by an external certifying body, while Cyber Essentials Plus involves full tests of an organisation’s systems.
“Cyber Essentials and Cyber Essentials Plus enable businesses to demonstrate that they are taking action to control the risks – critical if they are to protect themselves, their customers and their brand,” says Ed Vaizey, minister for culture and the digital economy.
Vodafone’s IT systems passed the “stringent” criteria for the second tier of certification, paving the way for its services to be used in the public sector.
“We want our customers to be assured that when they do business with us we are doing everything possible to protect their data, our critical systems and business operations,” says Howard Pinto, head of technology security at Vodafone. “To be the first telecoms company and the first multinational to have met the new Cyber Essentials Plus standard highlights our ongoing commitment to ensuring the security and protection of our IT and customer systems and online assets.”
Not a serious benchmark?
However, the Cyber Essentials scheme has been criticised by some members of the security community, who have warned against relying on the standard as a serious benchmark for network and data protection.
“This badge of approval from government could mislead businesses into believing that they are completely covered in all aspects of cyber security – when in fact, the Cyber Essentials Scheme concentrates on just five ‘basic but essential’ security steps,” says Ashish Patel, regional director of network security at McAfee.
“There are a number of stealth-like advanced evasion techniques employed by hackers, which can go undetected on an enterprise’s network for weeks or even months at a time. Businesses that believe they are secure, yet aren’t aware of this sophisticated threat, could be leaving themselves vulnerable.
“It’s important the government is clear in their message that businesses who are accredited by the scheme will still have to update their security defences regularly to stay on top of the changing threat landscape. If not, the only essential thing businesses will need is damage control.”