The Electoral Commission has admitted failing Cyber Essentials at around the same time as it suffered a major security breach, writes Cyber Security Technologist Tyson McGuirk.
In August 2021, names, addresses, and other personal information from the register was compromised in a suspected hack.
This incident reflects the significance of the Cyber Essentials scheme as a fundamental pillar of cybersecurity. While many of the controls required by the scheme may seem rudimentary, they compel companies and organisations to scrutinise their cyber security practices beyond routine practices, revealing potential vulnerabilities that might otherwise go unnoticed.
The Electoral Commission’s inability to meet the Cyber Essentials standard reflects a broader lapse in their cyber security approach. Cyber Essentials is intended as a foundational layer of cyber security which can be further built upon. It is described on the GOV.UK website as: “A set of basic technical controls organisations should have in place to protect themselves against common online security threats.”
If the Electoral Commission cannot adhere to these fundamental controls, it suggests there is a wider problem in adhering to best practices and basic technical safeguards for the company.
The controls mandated by Cyber Essentials are designed to thwart common and relatively unsophisticated cyber-attacks. The Commission’s inability to implement these controls not only leaves them susceptible to such basic threats but also raises concerns about their preparedness to defend against more advanced attacks, such as the one they encountered in 2021.
While Cyber Essentials does not render an organisation impervious to all cyber threats, it does offer a level of security that can discourage attackers, as they would need to invest additional effort to breach the organisation.
The Commission’s failure to obtain certification shows they cannot demonstrate that they are getting the basics right, so how can they hope to demonstrate to the Information Commissioner’s Office (ICO) that they believed they were adequately protected from a more sophisticated attack?