Our cyber security journey

When I joined CITI in 1999, cyber security wasn’t really a thing. We had a Compaq server that used an ISDN line to dial up to the Internet and collect the emails every hour – if you wanted to stop an email that had been sent by mistake, you could catch it before it left the building! Browsing the Internet wasn’t particularly a requirement for desktop computers. Software and devices were regularly shipped and deployed with simple passwords to unencrypted logon panels.

By the early noughties, we had moved to a leased line, which created a permanent connection to the Internet and allowed desktops to connect to the Internet to browse. The main threat was that of computer viruses, and the thought of a hacker targeting us was perceived as an unlikely event – due to our mainstream obscurity and low-value online assets.

Things started to change in 2010, and even movie franchises like James Bond highlighted the risk of hackers to cyber security (Skyfall, 2012). We hosted websites from our server with sensitive information being transmitted and recorded for capability assessments – we also started taking payments online more and had a flourishing eCommerce website. Penetration tests and cyber security became the norm, as companies needed assurance that their data was safe with us – as we handled online payments and sensitive data.

By 2015 we had decided to get cyber security accreditation, and Cyber Essentials was the de facto standard and requirement for the high-level government organisations we were working with. The assessment was a great way of highlighting to our clients the assurance it provided, along with raising cyber security awareness within our own organisation – and it provided a stepping stone to more robust security frameworks.

On-premises

Cloud hosted

The move from Cyber Essentials to Cyber Essentials Plus

Over the years, the self-assessed aspect of Cyber Essentials Basic troubled me – and I am aware that many organisations treated the certificate with much higher regard, penalising organisations that allowed the certificate to lapse by a day by ceasing trading. In reality the certificate cannot even be compared to an MOT for a car – because at least an MOT is independently verified. This is where Cyber Essentials Plus steps in.

Today the total economic cost of cyber-attacks and breaches for the UK is in the tens of billions of pounds annually. The average cost per business experiencing a non-phishing cyber-crime is around £1,000 – though costs are much higher for specific incidents like fraud resulting from a breach. 

Some high-level figures based on the UK economy in 2024

£64 billion annually

This figure, from research by ESET, encompasses direct and indirect costs for UK businesses from cyber-attacks

£3.1 billion annually for the general public

A 2016 report by Detica estimated the economic cost of cyber-crime for UK citizens, including identity theft and online scams

£3.4 billion annual losses for SMEs

A Vodafone report indicated that SMEs face significant annual losses due to inadequate cyber security measures.

£990 average cost per cyber-crime

Businesses experienced a mean average of £990 in self-reported costs from non-phishing cyber-crimes in the last 12 months

£5,900 average cost per cyber-facilitated fraud

This type of fraud cost an estimated £5,900 per business

£x billion annually

The potential cost of a significant breach, both financially and reputationally, would have an unknown and immeasurable cost to businesses

Why CITI values the Cyber Essentials Plus accreditation

At CITI, we recognise that robust cyber security is not just a technical necessity – it is a cornerstone of trust, resilience, and operational excellence. Achieving the Cyber Essentials Plus accreditation reflects our unwavering commitment to safeguarding our organisation, our clients, and our partners against the growing threat of cyber-attacks.

Cyber Essentials Plus goes beyond basic compliance. It involves independent verification and hands-on testing of our systems, including vulnerability scans, endpoint security checks, and simulated phishing attacks. This rigorous process ensures that our defences are not only in place but actively tested and validated.

Internally, the accreditation has driven improvements in our infrastructure, policies, and device management. From ensuring secure configurations and patch management to auditing mobile and laptop access points, the process has strengthened our IT posture across the board. It has also fostered a culture of accountability and awareness, with staff actively participating in updates and assessments.

Externally, Cyber Essentials Plus enhances our reputation and credibility. It signals to clients, suppliers, and stakeholders that we take cyber security seriously and meet government-backed standards. This is especially important for contracts involving sensitive data or regulated environments, where higher assurance is essential.

Final Thought

This certification is a testament to our collective diligence and investment in IT resilience. It opens doors to new opportunities, reinforces trust, and ensures that we continue to operate securely and confidently in an increasingly digital world.

As we look ahead, our cyber security journey is far from over – it is a continuous commitment to vigilance, innovation, and shared responsibility. At CITI, we believe that true resilience is built not only through robust systems and certifications like Cyber Essentials Plus, but through a culture where every individual plays a role in safeguarding our digital future.

Let’s continue to challenge complacency, embrace best practices, and support one another in staying secure. Together, we can ensure that trust, integrity, and operational excellence remain at the heart of everything we do – if these values ring true with you and your organisation, get in touch to see how we can help!