Electoral Commission Failed Cyber Essentials Audit Right Before Hack

Back in August, the Electoral Commission informed the public that they had fallen victim to a cyber attack that allowed “hostile actors” to access electoral registers.

The attack happened in August 2021 but was not discovered until October 2022. When discovered, the incident was reported to the Information Commissioner’s Office (ICO) within 72 hours, but the public was only notified last month.

The names and addresses of 40 million voters registered between 2014 and 2022 were available to the hostile actors.

The Electoral Commission has now confirmed that it failed a basic cyber security test during the same period in which hackers infiltrated the organisation.

A whistleblower revealed to the BBC that in the same month that hackers infiltrated the organisation, the Commission was told by cyber security auditors that it was not compliant with the Cyber Essentials scheme. The Commission was given an automatic fail during a Cyber Essentials audit.

Cyber Essentials is a Government-backed scheme that aims to help protect organisations of all sizes from the most common types of cyber attacks.

The government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to hold a Cyber Essentials certificate.

A spokeswoman for the Commission admitted to failing the Cyber Essentials audit, but claimed that it wasn’t linked to the cyber attack.

Experts in the industry have said that even though the areas that the Commission failed in may not have been related to the attack, it still “builds a picture of a weak posture and a probable failure to govern and manage”.

Why is Cyber Essentials Certification Important?

Many organisations, especially smaller and newly established organisations, have limited controls developed or implemented to secure and protect their information systems and data.

Using Cyber Essentials as the first step on a journey towards better information security is a great starting point and provides a foundation to progress towards other standards such as ISO 27001.

Certification to the scheme has multiple benefits, including:

– Helps protect your organisation from 80% of cyber attacks.

– Demonstrates to your customers and supply chain that you’ve taken the necessary security measures and that you take their security seriously.

– Shows potential new customers that you have Government-backed security measures in place that are independently verified.

– Makes you eligible to bid for contracts with Government bodies and the Ministry of Defence.

– Provides a great starting point towards achieving compliance with other Standards and Regulations such as the GDPR and ISO 27001.

Organisations can struggle to achieve certification to the scheme, especially if they lack technical expertise or don’t have the correct resources in-house. That’s why IASME introduced the Cyber Advisor scheme.

How Does the Cyber Advisor Scheme Work?

The Cyber Advisor Scheme is a cost-effective initiative aimed at helping small and medium-sized organisations ensure they have baseline cyber security controls in place, helping protect them from the most common cyber threats.

Cyber Advisor is the ideal scheme for organisations that want, or need, to achieve Cyber Essentials but don’t know where to start.

Focusing on the Cyber Essentials controls, the scheme starts off by assessing your organisation and your internet-facing IT and identifying where you meet (or don’t meet) the Cyber Essentials standard.

A detailed report is then produced. It explains why each control is or is not met, highlights any risks your organisation is exposed to, and recommends solutions that are suited to your organisation.

When working with 3B Data Security, our team of specialists will offer hands-on, practical advice to implement the Cyber Essentials controls, with confidence that they will significantly improve your security when correctly implemented.

3B Data Security is assured by the National Cyber Security Centre (NCSC) and is one of only a select few Assured Service Providers for the Cyber Advisor Scheme.

Find out more about the Cyber Advisor Scheme, and how our team of experts can help your organisation improve its cyber security.
