IN CYBER COMPETENCE
TRUSTED - ASSURED - COMPETENT - SECURE
- Cyber competence and data security standards are outstanding
- Cyber competence and data security standards are good
- Cyber competence and data security standards are satisfactory
- Cyber competence and data security standards need major improvement
- Cyber competence and data security standards are inadequate
The CyberSure Rating Scheme was established to help organisations and the public choose which businesses they want to engage with, based on those businesses' rated cyber competence and data security. We understand the growing cyber threats facing business as reported by leading industry institutions: these reports showed that 47% of businesses had experienced a cyber incident. The National Cyber Security Breaches Survey 2019 found that a third (31%) of small businesses had suffered a cyber-attack within the last 12 months, at a growing average cost of £3,650.
The scheme was established through academia and industry, and now works closely with local authorities. The scheme is also fully aligned with the requirements of Cyber Essentials.
This scheme gives businesses a star rating from 1 to 5 which can be displayed on their premises or on their website. This enables businesses and the public to make informed decisions about which businesses they wish to share their personal data with, transact with, or partner with.
The scheme is yet to be mandated across England, Scotland, Wales and Northern Ireland, therefore displaying the rating sticker is currently voluntary. However, research has shown the benefits to businesses in displaying ratings, especially high ratings, in attracting new and retaining existing customers through peace of mind and continued trust.
An example of the rating sticker is shown below. Please note that the local authority used is fictitious and is for illustrative purposes only.
CyberSure ratings are a snapshot in time of the organisation's security position regarding its cybersecurity systems and behaviours, as well as its data security standards. It remains the responsibility of the business to comply with the data protection regulations at all times.
The rating covers the following:
- How secure the behaviours of the business are.
- How secure data is whilst being stored and processed.
- How secure the business' network and devices are.
- The current processes and policies in place regarding cybersecurity.
- How vulnerable the business is to the current cyber threat landscape.
- The level of cyber readiness of the business.
- How robust and resilient the business is against common cyber attacks.
The CyberSure rating scheme does not provide information on the following factors:
- How good the security appliances, software and applications being used are.
- How secure the suppliers to the business are.
- How compliant the business is to their security certifications or standards.
- Frequency of business' security training.
- How the business handles data complaints or customer service.
For suspected data breaches, you can report these by contacting the Information Commissioner's Office (ICO).
The CyberSure rating shows how well the business demonstrated cyber competence and how securely it handled data at the time of the assessment. The ratings can be found online and on certified stickers which can be displayed at the business' premises. The back of the sticker and the online rating will show the date of the assessment, the local authority or authoritative organisation that supports it, and the authorising signature of an accredited assessor.
Ratings are typically given to organisations who handle data, especially personal data such as:
- Biographical information or current living situation, such as dates of birth and contact details
- Looks, appearance and behaviour, such as eye colour, weight and character traits
- Workplace data and information about education, such as salary, National Insurance number and student details
- Private and subjective data, such as political opinions and geo-tracking data
- Health, sickness and genetics, such as medical history, genetic data and information about sick leave
Businesses can come from any sector, such as Retail, Energy, Financial & Insurance and Accommodation.
During the assessment process, the three elements that are assessed are:
- The security behaviours of the business: looking at how actions can lead to insecure situations against current cyber threats such as phishing or ransomware.
- The technical systems implemented by the business, as aligned with Cyber Essentials: including how the business protects its network, how systems are securely configured, how systems and data are accessed, what malware protections are in place, and how systems, software and applications are kept up to date.
- An assessment against a unique weighted, intelligence-based decision-making system linked to the current threat landscape.
THE RATING SCALE
The cybersecurity standards and security behaviours found at the time of the assessment are then rated on a scale:
5 is the top of the scale, which means the cyber competence is excellent, data security measures are very high, behaviours are secure, and the business complies with data protection regulations and exceeds the Cyber Essentials threshold.
1 is the bottom of the scale, which means the business does not have adequate security measures in place, insecure behaviours are prevalent, and the business and its data are at high risk of being compromised by current cyber threats.
A business can be unrated whilst it is awaiting a new rating or has failed an assessment. Ratings will also be archived for those businesses who have requested to be removed from the scheme.
To achieve the top rating, businesses need to be outstanding in the first two elements (i.e., security behaviours and implemented technical systems) and be able to demonstrate the capability to address the current high-level cyber threats facing them. If the top rating is not issued, the assessor will issue a series of mitigation steps necessary to improve the rating to the top one. It is then down to the business to decide whether or not to implement those actions.
Detailed information will be captured during the assessment process and if there are any concerns in the process or rating given, then this can be sent to our Engagement Support Team at firstname.lastname@example.org.
It is worth noting that there is a Right2Reply process built into the scheme, under which businesses have 30 days to appeal the rating and to formally record any exceptions noted at the time of the assessment.
Businesses which are awarded low ratings (e.g. 1 or 2 stars) should make urgent improvements to their cybersecurity or data security standards. The certified assessor may have remedial actions they can apply, as allowed by the terms under which CyberSure has been implemented within a region or supply chain. This could include giving advice and guidance to make sure the improvements are made effectively.
The assessor will also advise the business on how quickly these improvements should be made; this will depend on the type of issue that needs to be addressed and the urgency of the rating requirement.
If the assessor discovers any serious issues or evidence of a data breach, the assessor is bound by our terms to inform the relevant authorities, who then decide whether to formally investigate. This could result in fines and/or the formal publication of judgements on government sites.
The aim of CyberSure is not to cause issues for businesses, but to help deliver an increase in cybersecurity standards for the benefit of the businesses themselves, their customers and the wider public.
A new rating is given each time a business is inspected by a certified assessor.
Each local authority or authoritative organisation can plan for a programme of assessment every year. The frequency of assessments can alter if there is a significant increase in cyber threats.
The assessment can take place in the following situations:
- after a significant security change in the business;
- following a reported breach;
- following a reported negative mystery shopper visit;
- when requested by an authoritative third party;
- on a re-visit requested by the business 3 months after being awarded a rating.
In between assessments, local authorities or relevant certification bodies may also monitor businesses in other ways to ensure they are maintaining the required information security or cybersecurity standards. If this results in any significant findings of nonconformity, a special CyberSure assessment may take place.
If the local authority or authoritative organisation receives a complaint or new information about a business, this too could trigger a special CyberSure assessment.