Back in 2014, the state of cybersecurity had become troubling enough that the UK government developed a standard by which organizations could prove a baseline level of cyber-hygiene. Three years on, Dan Raywood looks at the progress Cyber Essentials has made and assesses its success.
"The way that they implemented it was not the way that we designed it"
Cast your mind back to summer 2014: cybersecurity was suffering a string of major retail breach disclosures, while the UK government – then led by a coalition of the Conservatives and Liberal Democrats – had just launched its first Computer Emergency Readiness Team (CERT-UK, now part of the National Cyber Security Centre).
So that organizations could get their security operations into good shape and prove it, a scheme named Cyber Essentials was launched in June 2014. According to the official Cyber Essentials summary, it set out “the basic controls all organizations should implement to mitigate the risk from common internet based threats”, in other words a baseline level of cyber-hygiene.
Backed by the Federation of Small Businesses, the CBI and a number of insurance organizations, Cyber Essentials concentrated on five key controls – boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management – and is available at two levels: Cyber Essentials and Cyber Essentials Plus.
Cybersecurity is a fast-moving industry, and what was once deemed excellent advice can quickly be retracted and replaced with new guidance. So three years on, in a world where crude ransomware can dominate the world’s attention and global politics is dominated by a new set of leaders, does Cyber Essentials still matter?
Further, who is actually looking after the scheme? It was originally developed by the Department for Business, Innovation and Skills, which was merged into the Department for Business, Energy and Industrial Strategy (BEIS) in July 2016 by Theresa May on her appointment as Prime Minister.
Given that change, one could be forgiven for assuming that the Cyber Essentials concept had been abandoned. That is far from the case: research by Infosecurity has found adoption to be acceptable, but there is a general negativity towards how the scheme is supervised.
A Freedom of Information request from 2015 found that in its first eight months (June 2014 to February 2015), a total of 405 certificates were issued: 333 for the basic scheme and 72 for the Plus scheme.
In a parliamentary question posed in December 2016 about the number of small and medium-sized businesses that had complied with Cyber Essentials, Matt Hancock MP, minister at the Department for Culture, Media and Sport, said that by the end of November 2016, 4,792 Cyber Essentials certificates had been awarded. These were broken down by business size as micro (1,237), small (1,350), medium (1,095) and large (1,110).
The numbers are not all that disappointing, but attitudes towards Cyber Essentials were not particularly encouraging.
Information security consultant Andrew Agnes tells Infosecurity that, prior to Cyber Essentials, there was no way to prove what steps were being taken, and that this is something a business can – and should – do “to demonstrate that they take cybersecurity seriously.”
Agnes claims that the five basic controls, when properly implemented, “will help defend against low skilled attacks” and argues that even though the basic scheme (Cyber Essentials) relies on honesty, “when it is so basic, it does make you wonder why you would bother cheating on it?”
Agnes continues: “Similarly, once you complete it, you can get cyber-liability insurance and a lot of business, and if you lie about what you put down” you won’t get an insurance payout. Cyber Essentials Plus, he explains, is a higher level of assurance, where independent assessors approve the results and simulate basic hacking and phishing attacks, and it is designed for the small-to-medium enterprise (SME). If you have more than 500 people there are probably better schemes, but it is perfect for organizations of one to 400 people.
“It is accessible and easy: think of a small shop with an accountant on site. They will not hire a full-time security manager, and having a virtual manager costs. Also, assurance programs like ISO 27001 and the SANS Critical Security Controls are great, but it doesn’t make much sense for an accountant to implement them – Cyber Essentials makes sense.”
Agnes is particularly keen to highlight the benefits for the small business with limited resources, those who have to be “realistic with what resources they have.”
Another proponent is James Webb, product marketing manager for the Cyber Essentials scheme at IT Governance, who says that Cyber Essentials is worth it, but that it depends on which version you undertake.
The Four Accreditation Bodies
Rather than being issued by government, Cyber Essentials certificates are issued through one of four accreditation bodies: IASME, CREST, Quality Group (QG) and APMG. Certificates issued by IT Governance are approved by CREST.
Sometimes, Webb says, “when customers look to renew, and as we look at their questionnaires to review them in the second year, we ask ‘how did they pass [first time]?’ That can be a worry: if companies are undergoing a non-CREST-approved version of the scheme and are not implementing the same controls, then the reputation of the scheme can be damaged.”
CREST president Ian Glover tells Infosecurity that, three years in, he feels many lessons have been learned, including about the problems that arise from the scheme and its lowest certificate sharing the same name: “So from a marketing perspective, it is a nightmare, as you’re calling the scheme the same as the certificate. If we had approved the lowest level we wouldn’t have called it a certificate, we would have called it something else.
“The way that they implemented it was not the way that we designed it,” Glover adds. “What you’ve got now is not collaborative, not international, not talking to NIST or ENISA and it’s isolated with multiple accreditation bodies, so it is confusing.”
What’s more, Glover says that although there was potential for an international rollout, in which the UK government could have taken the scheme around the world, what he sees as inconsistency in its implementation means it is not clear what Cyber Essentials is actually for.
“We could be exporting it and UK could be doing more to support the small enterprise by providing it free of charge and providing a better level of service for SME,” he argues. “We have the opportunity to export it by talking to ENISA and NIST and the Attorney General’s office in Australia, Singapore and Hong Kong. As far as I am aware, UK government has never talked to NIST.”
Glover claims that this is “being implemented into organizations, which it was never designed to do”, as enterprise-level security requires greater levels of security “and while it is still asking the basic cyber-hygiene questions, it is not asking the questions that I would ask a medium- to large-sized enterprise that supplies services to government.”
Asked if he felt that the accreditation model was broken, Glover says that his job is to make sure that the standard is maintained, but he is not convinced others are doing the same.
One IT manager who has gone through the basic scheme is Dre Johnson, who tells Infosecurity that if he were faced with the decision on whether to go through the process again, he would rather spend the money (£200-£400 for basic Cyber Essentials and £1,000-£3,000 for Plus) on technology.
Johnson says Cyber Essentials involves “really generic questioning”, and that it does not take third parties and private clouds into account.
“The way it works makes it hard for you when you have two environments side by side that interact, as the way that Cyber Essentials works doesn’t really lend itself to that mixed model,” Johnson says.
“It lends itself to a single node, a private cloud or an infrastructure, but with a mixed model it’s very hard to fill out the questionnaire for that model as you have to say ‘I do this here but do this here in this space’, it just makes things a lot more complex. A lot of people have mixed models and if you’re in Azure, but have a secure private cloud, that needs to be reflected in the questions that they ask.”
"It lends itself to a single node, a private cloud or an infrastructure"
When Basic is Too Basic
Johnson also questions the value of the basic program. He says that the main driver for Cyber Essentials is organizations that want to work with government, but that for some departments the basic certificate is not enough, and tenders are lost to those holding the Plus certificate. However, he points out that “no one will tell you until after you got the tender – so you lose it by default.”
So why did he not do the Plus version in the first place? “It was cost prohibitive to do the Plus version,” he says. “I could have used that money to do another penetration test and do a risk-based approach to those issues internally.”
Overall, Johnson says he would stop short of saying the scheme is not worth it; it comes down to circumstance, and if you are a small or medium-sized organization that has not got a grip on security, it is a fairly cost-effective way to get a good start.
“If you’re willing to spend a bit of money and you want to get an accreditation at the end that gives your customers assurance [it’s a good thing], but in my opinion you’re probably better spending the money elsewhere.”
"This is being implemented into large organizations, which it was never designed to do"
What the Future Holds
What does the future hold for Cyber Essentials? Webb claims that it does have a future, and that a steady rise in the number of organizations being certified shows a move away “from the early adopter stage.”
He adds: “With new data protection regulations and GDPR, there is a demand that companies put proper security measures in place to protect personal data, so you need ISO or a Cyber Essentials certificate to prove that you comply. However, I do worry about the quality of some of the certification bodies out there.”
Webb mentions that there is opportunity to expand the controls to include incident management and breach reporting and even make the audit external, while Glover adds that if he were asked to start over, he would include web applications in the requirements.
Asked if he felt it could be fixed, Glover says yes, but “we need to get the accreditation stuff sorted out and that could be done by putting something on the accreditation bodies. Unfortunately, the motivation is to issue as many certificates as possible and make £500 a time, so it is currently a financial motivation.”
Security researcher Daniel Cuthbert says that Cyber Essentials is essentially “putting a band aid over an ugly gash”, as there are companies offering it where “penetration testers with very little skills” are doing the testing. “You also get to mark your own homework”, he adds.
Describing the implementation of Cyber Essentials as very ‘government-like’, Cuthbert understands why the standard is needed, but argues that it has become a money-making exercise and that an annual steering committee is needed to “look at how to bring up the level of national security for small businesses.”
Cyber Essentials now falls under the jurisdiction of both the National Cyber Security Centre (NCSC) and the Department for Digital, Culture, Media and Sport (DCMS), which illustrates how fractured the leadership of the standard has become.
DCMS did not respond to a comment request from Infosecurity, while an NCSC spokesperson says: “NCSC regularly review the technical controls of Cyber Essentials and are confident that they still meet the majority of internet-based attacks at the very basic level. We are in the process of reviewing all our assurance schemes to identify what changes are needed in the future. Cyber Essentials is part of that.
“The way we work with industry in general and our specific partners is also an area that is being discussed.”
What is clear is that Cyber Essentials does help organizations achieve a baseline level of cyber-hygiene, but its supervision and management leave a lot to be desired. Perhaps with more industry involvement, less focus on commercial gain and more clarity on its purpose, there could be a future for the Cyber Essentials standard.