
Cyber Essentials and Counter Fraud Fundamentals: Which scheme does my business need and what is the difference?

News article

Publication date:

29 April 2021

Last updated:

29 April 2021

Author(s):

IASME Consortium

As a way of winning contracts and demonstrating to customers and suppliers that they are compliant with recommended cyber security and best practice counter fraud measures, many organisations are getting themselves certified to a recognised scheme.

What are the threats to business?

More businesses than ever operate online with their services accessible digitally. This has meant an increase in the very significant threat of cyber-crime which affects almost every modern business. The threat could mean anything from a virus affecting how a computer operates, the theft of personal data resulting in an investigation by the Information Commissioner's Office (ICO), or the loss of access to all data in a ransomware attack. A recent Trend Micro report found that 90% of cyber attacks start with a fraudulent email commonly known as 'phishing'.

As businesses compete to attract new customers in an exclusively online environment, they also face the huge challenge of mitigating fraud. The 2019 financial cost of fraud report by Crowe UK and Portsmouth University found that the average organisation in the UK can expect losses owing to fraud to account for 3-6%, although in some cases it is as high as 10%.

As consumers are becoming more and more aware of the growing threats from cyber-crime and fraud, they are increasingly demanding trusted secure services. They do not want their username/passwords compromised or their data stolen, their account hacked or fraudulent payments made in their name. Organisations need to show that they are taking cyber security and counter fraud seriously. Businesses that hold certification to Cyber Essentials and Counter Fraud Fundamentals therefore have advantages over their competitors.  

Organisations wishing to certify their business to Cyber Essentials and Counter Fraud Fundamentals are usually motivated by two key factors: 

  • They want to be seen to take cyber security, data protection or counter fraud seriously, as these are considered important for the organisation, their customers and their supply chain. Certification gives them a clear and affordable way to show that they have their house in order. Companies that get Cyber Essentials and Counter Fraud Fundamentals are listed in a directory of certified organisations. They are provided with a certificate and badge to display on their branding. 
  • Contracts, funding and grants are increasingly stipulating that a company has Cyber Essentials certification as a pre-requisite. Counter Fraud Fundamentals is the first counter fraud certification of its kind and is starting to generate interest within the financial services and insurance sectors. 

 

About Cyber Essentials

  • Cyber Essentials is a simple but effective, Government backed scheme that helps protect organisations, whatever their size, against a whole range of the most common cyber-attacks.
  • Cyber Essentials works as a verified self-assessment. Organisations log on to a secure portal to answer a series of questions; a senior member of the board signs a document to verify that all the answers are true, and a qualified external assessor then marks the answers.
  • The questions are based around the scope of the company, their employees, devices, software, access control, secure configuration, security update management, firewalls and routers, and malware protection.
  • The preparation and process of getting certified to Cyber Essentials will give an organisation a clear picture of their cyber security and an opportunity to improve.
  • The cost of assessment and certification is currently £300 + VAT.

Most cyber attacks are untargeted and use commodity tools to attack large numbers of devices, services and users at the same time in an indiscriminate way. Most cyber attacks are made up of repeated stages that probe for further information or leads that can open the way to a more targeted attack. These untargeted attacks exploit basic weaknesses that can be found in many organisations, such as poorly configured firewalls, software that hasn't been patched and legacy computer systems that are no longer supported. Cyber Essentials focuses on the five technical controls that have been proven by a Lancaster University cyber security controls effectiveness study to close the security gaps that up to 90% of cyber attacks depend on.

About Counter Fraud Fundamentals

The Counter Fraud Fundamentals (CFF) certification scheme was developed by a team of counter fraud experts in a collaboration between IASME and Open Banking Implementation Entity. The CFF scheme is an ideal way for any business dealing with financial transactions to show to their customers and supply chain that they take their responsibility to combat fraud seriously and have the fundamentals in place regarding fraud detection, prevention and investigation. 

  • The CFF scheme operates as a verified self-assessment. Organisations log on to a secure portal to answer a series of questions; a senior member of the board signs a document to verify that all the answers are true, and a qualified external assessor then marks the answers.
  • The questions are centred around the company, its employees, the responsibilities for reporting fraud, and managing and documenting fraud risk. Other measures include prevention, protection and monitoring tactics, liaising and reporting to business partners and law enforcement agencies, processing and disseminating intelligence, recording data and analytics and recording and tracking financial loss.
  • The preparation and process of getting certified to Counter Fraud Fundamentals will give an organisation a clear picture of the measures they have in place to prevent, detect or respond to fraud. It provides an opportunity to improve.
  • The cost of assessment and certification is currently £400 + VAT.

In law, fraud is the intentional deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud involves deceit with the intention to illegally or unethically gain at the expense of another. Organisations can experience fraud from many angles, for example, a third party using stolen customer credentials, or their own customers, suppliers or an insider working within the company. According to the Metropolitan Police, 85% of fraud is now cyber enabled, yet cyber enabled fraud is still fraud. Cyber Essentials addresses the technical side of a cyber breach which could be used to commit fraud, whereas Counter Fraud Fundamentals fully addresses the human element of fraud, the intention to trick or deceive, which can, of course, take place against an organisation without a cyber element. Counter fraud measures involve awareness, staff training, staff monitoring, and having policies and strategies in place to prevent and detect crime.

 

Summary

An organisation that can provide assurance that it has both Cyber Essentials and Counter Fraud Fundamentals will add value, stability and confidence to staff, customers and stakeholders alike.

 

N.B. The Counter Fraud Fundamentals scheme is not government endorsed.

 

 

This document is believed to be accurate but is not intended as a basis of knowledge upon which advice can be given. Neither the author (personal or corporate), Society of Claims Professionals or Chartered Insurance Institute, or any of the officers or employees of those organisations accept any responsibility for any loss occasioned to any person acting or refraining from action as a result of the data or opinions included in this material. Opinions expressed are those of the author or authors and not necessarily those of the Society or Chartered Insurance Institute.