Brian Sims
Editor
THE NATIONAL Cyber Security Centre (NCSC) has launched its Cyber Resilience Audit (CRA) scheme, in turn opening up access to independent Cyber Assessment Framework (CAF)-based audits through an approved list of trusted providers.
This new NCSC initiative is set to elevate cyber resilience across UK sectors by offering a vetted network of audit providers wholly committed to upholding high standards of security and independence.
According to the Government’s Cyber Security Breaches Survey 2024, 50% of businesses and 32% of charities have reported experiencing some form of cyber security breach or attack during the last 12 months, with the rate even higher among medium-sized businesses (at 70%), large businesses (74%) and high-income charities (66%).
Phishing was the most common attack type, affecting some 84% of businesses and 83% of charities, followed by impersonation attacks impacting 35% of businesses and 37% of charities and malware affecting 17% of businesses and 14% of charities.
Potential service providers
Since August, the NCSC has been accepting applications from potential service providers to join the CRA scheme, resulting in a growing list of providers who meet the required standards for CAF-based auditing.
Many of these providers are also accessible through the Crown Commercial Services CSS3 Framework, making it easier for organisations to secure qualified auditors for CAF compliance.
Early adopters of the CRA scheme include the Department of Finance Northern Ireland, the Department of Health and Social Care and NHS England. These bodies are collaborating closely with organisations in their sectors, clarifying CAF requirements and providing guidance on audit expectations.
Organisations under these bodies’ oversight will be notified directly about how to fulfil CAF auditing needs and connect with CRA-approved providers.
Regular audits
Matt Gibney, CTO of adCAPTCHA, commented: “All people and businesses can be the target of a cyber or bot attack, so it’s vital that they conduct regular audits of their digital health and security risk in order to prevent themselves from falling victim to a costly breach. The launch of the Cyber Resilience Audit scheme by the NCSC is a welcome moment, promoting as it does regular assessments of cyber resilience at a sector and national level in order to make infrastructure recommendations and boost security.”
Gibney continued: “With services becoming increasingly digitised and creating endless entry points for cyber criminals, monitoring for the presence of bot networks should be an essential element of cyber audits. Once bot networks infiltrate IT systems, they can scrape and steal valuable data as well as sell off monetised advertising space and content, costing organisations millions of pounds in the process. Uncovering the extent of the bot issue will allow organisations to prioritise investment in detection and prevention systems in order to protect their data, in turn bolstering their overall cyber resilience.”
Additional growth
The CRA scheme is prepared for further growth as more oversight bodies develop sector-specific CAF audit programmes. The NCSC will continue collaborating with these bodies to evolve the CRA scheme, all the while helping to monitor and enhance cyber resilience across the UK.
This collaboration aims to build a stronger cyber security infrastructure nationwide, while the scheme itself provides the NCSC with valuable data to understand and support resilience across given industries.
The NCSC remains open to applications from new providers, particularly those in geographically remote or underrepresented areas. The CRA scheme is designed to lower barriers to entry, aiming to create an accessible and inclusive cyber security network.
As such, the NCSC encourages applications from organisations working to increase diversity within the cyber security workforce and welcomes feedback on any obstacles encountered during the application process.
*Further information is available online at www.ncsc.gov.uk