Five months since the launch of the Cyber Essentials scheme on 5 June 2014, opinions differ about whether it can deliver what it has promised. Some experts have warned that it is too basic, while others have stated that it may be too technical for SMEs.
I’ve been following related coverage in the trade press and, despite the different views, there seems to be a sense of unanimity that while the scheme may not be quite perfect, the benefits outweigh any drawbacks.
Baseline from which organisations can build
Adrian Davis, managing director for Europe at (ISC)², was quoted by Computer Weekly in September 2014, saying: “It levels the playing field. If accreditation is carried out rigorously, all suppliers can be compared in terms of their cyber security efforts and it provides a baseline from which organisations can build.”
Alan Calder, founder and executive chairman of CE certification body IT Governance said: “Small and medium-sized organisations will benefit from the scheme by ensuring they implement at least a minimum level of security.”
Reinforcement of the Data Protection Act
Neira Jones, independent advisor on payments, risk, cyber crime and digital innovation, sees the scheme as a reinforcement of the Data Protection Act: “Basic hygiene, especially in view of all the Information Commissioner’s Office (ICO) penalties of late, can only be welcomed.”
Basic cyber security practice
According to Francis Maude, the Cabinet Office Minister, the scheme provides clarity on good basic cyber security practices to thwart most cyber attacks. At the GovNet Cyber Security Summit 2014 in London, Maude said: “After going through a certification process, businesses will be able to show they have the right measures in place by displaying the Cyber Essentials badge, which we hope becomes the cyber equivalent of the MOT certificate.”
Areas for improvement
While welcoming the scheme, experts have been quick to add that it falls short of some critical elements, and they’d like to see the scheme evolve.
According to Jones, the scheme addresses only a very basic set of technical controls, and does not address best practice in the areas of governance or user awareness. She said: “One of the stated aims of the scheme is to mitigate against the risk of phishing, but it is the user that will click on that link in that email, so why are there no requirements to educate staff?”
Calder also warns that the human factor deserves more attention: “We would like to see the inclusion of staff training and awareness, coping with the ‘hacking the human’ method of social engineering, training people what to look for in phishing attacks. Secondly, how to respond, drawing up instant response procedures.”
Ian Glover, president of CREST, has called for better integration of the scheme with existing standards: “If it is aligned, it could feed into PCI requirements and pull together the different institutions and standards and the plan should be to work to one good set of standards. That would ensure protection to a minimum level, and define what good practice is, and improve overall security.”
Certification to Cyber Essentials is growing
Undoubtedly, the number of Cyber Essentials and Cyber Essentials Plus certificates issued since the launch of the scheme in June 2014 has been growing. CREST, an approved accreditation body for the Cyber Essentials scheme, has published a list of certified companies on its website. A search across the certification bodies’ websites, including IT Governance, hints at more than 100 companies certified to the scheme (please note, this is not an official number).
Vodafone, Barclays, Airbus Defence & Space Ltd, BPL Global, MASS and Sheffield Futures are some of the companies that have received their badge in the past few months. This also speaks to the variety of companies and industries that have embraced the scheme.
Cyber Essentials is here to stay and it is in every organisation’s interests to be audited against the five security controls recommended by the scheme. While it does not give a company full protection (is there a scheme that does?), it is an excellent starting point for organisations that don’t have an information security plan.
From 1 October 2014, the UK Government requires organisations to prove compliance with the scheme in order to bid for government contracts that involve the handling of sensitive and personal information, and the provision of certain technical products and services.
IT Governance has conducted a number of CREST-accredited Cyber Essentials certifications, and our initial results show that the success rate for applicants is 88%, which demonstrates that with the right level of competence and help, meeting the requirements is not overly complicated.
It is also affordable.
IT Governance’s CyberComply is a unique online service that enables companies to apply for CREST-accredited certification to Cyber Essentials for only £300, following a convenient ‘do-it-yourself’ approach.
Visit our website for more information and to book your CREST-accredited Cyber Essentials certification.