Digital and Telecoms

Over the last 20 years we’ve grown used to new ways of working and living. This includes using more digital devices and online tools in our work and personal life. Alongside this, Jersey also has an increasing number of digital businesses.

This means that the role of digital and telecoms providers has evolved. Telecoms providers manage the internet access that we all rely on. They also hold personal and financial data on thousands of individuals and businesses. Both these factors mean that a telecoms company is an attractive target for a cyber attacker.

Digital and telecoms businesses should have strong cyber security measures in place to protect their business and livelihood. It will also protect other organisations that use their service or product. Taken together, this helps protect the Island’s digital economy, and Jersey’s reputation.

We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.

If you have any questions, you can contact us:

• by phone on 01534 500050
• via email (hello@jcsc.je)

or by booking a meeting with the team

How could a cyber attack affect digital or telecoms services?

Any successful cyber attack on a digital or telecoms supplier could affect businesses, individuals, and essential services. Even a minor attack would disrupt any person or business who needs internet access. A more serious attack could affect transport, infrastructure or healthcare. It could even pose a danger to life.

An attack on the digital sector would likely have less widespread effects. Any attack would still cause disruption and loss of income to any digital business. While a more traditional business may find ways to carry out tasks offline, digital businesses are more reliant on information networks to function.

This means that the impact of a cyber attack on a digital business is likely to be greater. It’s also more likely to cause a significant financial loss.

The role of Jersey Cyber Security Centre

Our operational mandate is set out in our RFC 2350.  An RFC 2350 sets out the expectations of a Computer Security Incident Response Teams (CSIRT), like Jersey Cyber Security Centre (JCSC). Our RFC 2350 outlines our constituency, which includes:

• all organisations established in Jersey
• providers of Critical National Infrastructure (CNI) who operate services in Jersey
• individuals who are resident in Jersey
• the .JE top level domain name (the gTLD for Jersey)
• services that use telephone and IP ranges allocated to Jersey telecoms providers for use in Jersey

This means that we work with digital and telecoms providers to protect individuals and organisations.

How we can support you

JCSC is independent of Government, regulators and law enforcement agencies. This means that we can work with you in confidence.

We also cooperate with other Cyber Emergency Response Teams (CERTs) around the world. This means we have access to the latest information advice, and guidance. We use our unique position to support telecoms and digital providers in several ways.

Professional development events

We run regular events throughout the year for professionals, which are almost always free to attend.

• Cyber incident response exercises (throughout the year). These events give you a chance to test your response to a mock cyber incident. Some are also suited for non-specialists. This means that decision-makers in your organisation can attend and learn about how an incident would affect them.
• Cyber Security Awareness Month Events (October). We run workshops, talks, and gatherings to mark Cyber Security Awareness Month. We also co-organise the Channel Islands Cyber Security Conference.

You can find a list of upcoming events here.

Sharing information

We share information on the latest vulnerabilities, and updates from other CERTs. We do this in several different ways:

• in our monthly newsletter
• via the Advice and Guidance page of our website
• on our X and LinkedIn feeds.

Research and intelligence gathering

If you report an incident to us, we can carry out more research on the background and motivation of the attack. We can provide this information to you, or to the States of Jersey Police if it’s a criminal issue. This means that you can focus your efforts on responding to the incident.

Support during an incident

If you are dealing with a major cyber incident, we can provide technical advice and guidance to support you. This includes sharing relevant intelligence from other national cyber agencies.

We can also give your organisation advice on how to communicate in the aftermath of an incident.

Read more about how we can support your incident response.

Information for digital businesses and telecoms companies

This information is a starting point for digital and telecoms companies. While JCSC can issue advice and guidance, we do not act as a regulator. You should keep up to date with guidance from your regulator, and other industry bodies, where applicable.

Telecoms service providers 

Telecoms service providers are well-regulated and governed.

• Ofcom is a UK-based regulator which allocates and manages the number and spectrum in Jersey. They have this power under the Communications Act 2003 and the Wireless Telegraphy Act 2006
• The Jersey Competition Regulatory Authority (JCRA) licenses the companies who provide services to Islanders. They monitor take-up and performance, and encourage improvements through competition and service development.
• The Telecommunications (Jersey) Law 2002  provides the legal framework for telecoms companies and their regulations

The Government of Jersey is proposing changes to the telecoms security regulations. This will introduce several changes for telecoms service providers. You can find more information via the Government of Jersey website.

Digital sector businesses 

Digital sector businesses are – because of their work – more connected than other businesses. This may put them at higher risk of a cyber attack. Because so much of their work is online, they may find also it harder to keep functioning if they become a target.

We recommend that any digital business should complete the Cyber Essentials Plus accreditation. To complete it, you will need to ensure that you have standard cyber security controls in place. Cyber Essentials Plus is independently verified. This means that you can reassure your clients and customers that you have the right measures in place.

The cost of Cyber Essentials Plus accreditation will vary depending on the size of your business.

You can find more information about Cyber Essentials Plus below.

Internet and Cloud Service Providers

Technology service providers may have extra cyber security requirements and guidance that you need to follow.

If you provide hosted or managed IT or internet services to Jersey-based organisations, we may be able to help. We can support your security, and your customers’ security by providing you with extra services.

You can contact us via phone on 01534 500050, via email (hello@jcsc.je), by booking a free 30-minute meeting, or by visiting our offices at 1 Seaton Place.

Cyber Security Suppliers

We work with cyber security suppliers in Jersey to improve the Island’s security. We do this in two ways.

We run a Cyber Security Forum. The Forum allows us to share information with suppliers. We also ask suppliers for feedback to improve our services. If you want to join the Forum, please email hello@jcsc.je.

We also maintain a public listing of local cyber security providers. We provide this to businesses who are looking for cyber security support. If you would like to be added to the list, please email hello@jcsc.je

Cyber Essentials

Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.

Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.

Once you’ve introduced these measures, then you can become certified. There are two different levels of certification.

Cyber Essentials (CE). To reach this level, you take part in a self-assessment. This process is easy-to-follow so that even small organisations can take part. This level of certification costs from £320 (from 2 April 2024).

Cyber Essentials Plus (CE+). This level builds on the CE accreditation. We recommend this certification if your organisation uses technology to deliver your service. We also recommend this for organisations that process confidential data.

What you pay for CE+ will depend on how big your organisation is.

Find out more about on-Island providers of Cyber Essentials.

Jersey Cyber Shield

Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to work with the security measures you already have to give you extra protection.

We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.

Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)

You can find out more about Jersey Cyber shield on this page.

National Institute of Standards and Technology (NIST) Cybersecurity Framework

NIST’s Cyber Security Framework helps organisations manage cyber security risks. The framework includes five sections which – used together – will help you manage risks over time.

The Framework does not set out steps to follow, but gives an outline of the things you need to consider. It gives guidance on the types of controls you can put in place, and what practices you can adopt.

Version 2.0 of the Framework is the most up-to-date version. You can read the full Framework here. There are also Quick Start Guides for different types of organisations.

International Standards Organisation (ISO) Guidelines

The International Standards Organisation (ISO) sets out best practice on a range of topics in Guidelines. These Guidelines are flexible so that organisations of different sizes can use them.

There are two Guidelines that can help you improve cyber security in your digital or telecoms provider. You should review which standard is most relevant to you. It may be that a combination of the standards is most useful.

ISO/IEC 27032:2023 is for any organisation which uses the internet as part of its day-to-day-work. ISO/IEC 27032:2023 includes guidance on:

• the links between internet security, web security, network security and cyber security
• how to address common internet security issues
• how to work with your stakeholders to resolve cyber security issues

ISO/IEC 27001:2022 is for companies of any size that own or manage data as part of their day-to-day work. ISO/IEC 27001:2022 includes guidance on:

• how to vet people, policies and technologies to ensure they are secure
• how to establish an Information Security Management System (ISMS)
• how to develop policies procedures and controls as part of your ISMS

Please note that the standards are updated from time to time to reflect the latest practice.

Reporting an Incident

If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.

In some circumstances, we can provide direct technical support, and help you communicate.

You can also report an incident by phone on 01534 500050, via email (incidentreports@jcsc.je) or online via this form.

Find out more about how we can help.

Jersey Financial Services Commission (JFSC). Registered persons are required to disclose information about cyber security incidents. A full list of the report requirements is available via the JFSC website.

The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.

Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.

Action Fraud. Action Fraud is the UK reporting centre for fraud and cybercrime. You can make a report via the Action Fraud website.