The annual DSIT workforce survey continues to highlight a significant cyber security skills gap within many organizations. While the government focuses on long-term strategies to close this gap, the NCSC provides a variety of digital and industry cyber services to assist organizations in safeguarding their data.
In-House or Outsourced Cyber Security?
Many organizations opt to outsource services for functions such as accounting and legal matters instead of hiring specialists directly.
However, outsourcing can be expensive, and I frequently hear assertions that “cyber security is too costly.” Ultimately, organizations must consider whether the costs are justified compared to the assurance gained from protecting both their data and that of their clients. Shouldn’t the expense of cyber security services be regarded as a regular business cost, similar to legal or accounting services?
If you decide to outsource, how can you identify a competent cyber security professional? The UK Cyber Security Council establishes the benchmarks for these professionals and maintains a register of qualified practitioners. This initiative is an excellent starting point for acquiring specific skill sets. Nevertheless, for a more comprehensive service, the NCSC’s recognition of high-quality industry service offerings and its free digital service provisions can be of significant assistance.
Customized Solutions for Varying Needs
Cyber security requirements differ among organizations based on their activities, the risks they encounter, and their available resources and expertise. Therefore, the NCSC offers services that can be categorized into two main types:
- We provide services for organizations facing what we term ‘commodity capability’ threats—attacks employing widely known tools and techniques that can accumulate damage over time. This includes Cyber Essentials guidance and assessment services.
Choosing the Right Services for Your Organization
The NCSC has been acknowledging quality industry services for several years to enhance overall impact, and now recognizes over 450 companies that provide services meeting its high standards.
My goal is to simplify navigation of these services for organizations, acknowledging that those lacking internal expertise may struggle to identify their specific needs.
Let’s take a closer look at commodity-level services relevant to most organizations, including free-to-use resources from the NCSC.
Cyber security activities can be grouped into how an organization:
- protects itself from attacks
- prepares for possible attacks
- detects when an attack penetrates defenses
- responds once an attack is identified
Services that Enhance Protection
This involves implementing strategies that boost an organization’s resilience against cyber threats. Research indicates that organizations adhering to Cyber Essentials protocols are 92% less likely to file insurance claims. While it’s essential to do more, focusing on these basic controls consistently is a critical first step.
While these are termed ‘basic controls,’ some may be quite intricate in execution. Organizations can engage the NCSC Cyber Advisor service for support.
The NCSC also offers various free digital tools to build confidence, such as Check Your Cyber Security.
The optimal way to establish confidence is to enlist a Cyber Essentials Certification Body to verify that the controls have been accurately implemented. Two options are available:
- The Cyber Essentials Certification service, which involves an independent audit and a certificate issuance if criteria are satisfied.
- The Cyber Essentials Plus Certification service, which includes a technical assessment.
Services that Aid Preparation
In the unfortunate event of a cyber incident, preparedness is crucial for a swift recovery. To facilitate this, the NCSC provides:
- Exercise in a Box to assist organizations in navigating various incident scenarios.
- The Cyber Incident Exercising service conducted by several NCSC-assured firms to evaluate incident response plans safely and enhance management processes.
Services that Enhance Detection
For many organizations, the cost of ongoing network monitoring can be prohibitive, and they may lack the internal expertise necessary. Subscribing to the NCSC Early Warning service helps mitigate this issue. This free service alerts organizations to potential threats to their network using various trusted information sources, including exclusive feeds not available elsewhere.
Services that Facilitate Response
Organizations with a Cyber Essentials certification may access incident response resources through complementary cyber liability insurance. Those unable to utilize this can turn to our Level 2 Cyber Incident Response Service, which helps find an industry partner for incident recovery.
Suggestions and Feedback
While I believe our offerings are comprehensive, we are always eager to receive input on what additional resources organizations would find valuable. If you identify any gaps in our services, please reach out.
Chris Ensor
Deputy Director Cyber Skills and Growth
Article has been taken from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/navigating-ncsc-cyber-service