Cyber Essentials was launched seven years ago to help organizations protect themselves against cyber attacks. But does it still satisfy its objectives today? Dan Raywood investigates.
When it was launched in 2014, Cyber Essentials was intended to help companies understand “the basic controls all organizations should implement to mitigate the risk from common internet-based threats.” This meant enabling and presenting a level of cyber hygiene, and verifying that an organization’s cyber operations were in a good state through certification.
Three years ago, I determined that Cyber Essentials does help to achieve a certain level of cyber hygiene, and the scheme had positive vibes from both the industry and those who had gone through the certification process. However, its supervision and management left a lot to be desired, and I called for more industry intervention, less focus on commercial gains, and more clarity on its purpose.
Fast-forward to the new decade and major steps have been taken; IASME Consortium was announced as the sole certification body in April 2020. Its chief executive, Dr Emma Philpott MBE, said IASME had contributed to the original writing of the scheme and had been involved in its delivery, and was “particularly looking forward to working with the wider network, which includes all Cyber Essentials Certification Bodies, which will allow us to offer expert support and certification to organizations across the whole of the UK and Crown Dependencies.”
One criticism of Cyber Essentials in the past has regarded the nature of certification being administered by different bodies, and the discrepancy around how each body was assessing cases. A statement by the National Cyber Security Centre (NCSC) said the move to a single Cyber Essentials Partner allowed it to work closely with IASME to further develop the scheme.
Despite these advances, it seems opinions remain divided on how much of a success Cyber Essentials has been. In a recent Twitter poll, we asked if the certification has done enough to ensure a company’s cybersecurity posture. Of the 107 people who responded, 80.4% agreed that it needs to be revised, while 19.6% said that it’s good enough.
Such a question is, of course, divisive, and many people who commented on the poll agreed that the scheme serves a purpose. It was described as an IT “MOT”, as well as “good enough to make sure you don’t get pwned by a stupid default password, unpatched box, unsupported software and an AV [anti-virus system] that has been disabled.”
Several others said it is a very acceptable base standard, and as long as it is acknowledged that it covers the “absolutely bare essentials” then it is fine. Another commenter claimed there is nothing “seriously missing from Cyber Essentials” as, like PCI, “it can be treated as a tick-box exercise and be next to useless, or you put in place a decent culture and use the results to drive improvement.”
Likewise, Andy Holmes, a head of IT security and compliance, said that it’s “obviously better than a company doing nothing” and is a good framework “as a starting point, if nothing else, and covers a fair amount of ground.” He also didn’t think it was ever intended to make a company’s security posture rock-solid, “just to bring it up to a basic level.”
The case for
This level of response around Cyber Essentials only being “acceptable” led us to wonder if there is a case for the certification remaining. In this newer era of Cyber Essentials, is the process of achieving compliance with certification clear enough? Or does more need to be done in order to make Cyber Essentials more relevant today?
We were unable to connect with IASME, but did speak to Chani Simms, a Cyber Essentials pool assessor for IASME Consortium and the Managing Director of Meta Defence Labs, a Cyber Essentials certification body. Chani said that in her role she “helps customers implement Cyber Essentials and often sees people who do not understand their Cyber Essentials scope and don’t implement the basics correctly.” She asked which other security frameworks in the world provide certification for just £300 and come with a simple yet effective control set that can be applied to a one-man-band company, a larger multinational and home workers alike.
Chani said that “nothing is perfect, and everything has teething problems when newly implemented, but it’s our job to make things perfect for us. Having a certification doesn’t mean your company is secure if you haven’t implemented the controls correctly.”
Chani admitted that Cyber Essentials does not cover backup strategies, but said it can help to prevent a ransomware attack. Implemented correctly, the controls create different layers of security that help stop ransomware from getting onto your computer in the typical fashion, such as through a click on a malicious link or an infected email attachment. “Cyber Essentials can stop that as it will ensure you configure user accounts to not run as administrators and patch software regularly, therefore the chance of a successful attack is greatly lowered,” she said.
She called for more constructive criticism when people saw any imperfections in Cyber Essentials, saying “every framework has flaws but that is not to say it is bad.” She admitted the perfect cyber solution is not going to be found, as every business is different, but “whoever came up with it had a clever vision” and she could not “take people who come back with unfounded criticism seriously.”
Taking the Plus points
As well as the standard Cyber Essentials offering, there is the more advanced Cyber Essentials Plus certification. This, says the NCSC, “still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus a hands-on technical verification is carried out.”
In other words, someone else does the verification, rather than you having to do this yourself. Simms said she would “like to see the UK Government say all suppliers [should] have a minimum Cyber Essentials Plus” as a certification.
Other comments we collected via Twitter agreed. “If you have a small IT team then Cyber Essentials+ should be your minimum standard,” said one. Another commenter opined that whether Cyber Essentials+ is enough depends on the type of company you are. “If you are a small company, yes [it is good enough], but a company with servers, no [it is not good enough], as Cyber Essentials+ doesn’t have those in scope.”
The case against
The fact remains that many people who voted in the above poll felt that Cyber Essentials does not go far enough to ensure a company’s cybersecurity posture. One of the main reasons for this was the tick-box element of Cyber Essentials, in that a company can do a self-assessment and be certified. Chris Windley, CEO of Cyber Security Valley UK, agreed that the tick-box assessment does not cover cybersecurity education, but “simple guides to the key areas are helpful in general” and those “box-shifters and box-tickers have wrecked the market.”
In a recent online discussion of cybersecurity professionals, some members of the group said that too many “people use [Cyber Essentials] as a tick-box exercise and it is not the best standard for where we are as a business.” Others claimed that a tick-box assessment “is not education, but it is better than nothing as it raises awareness to you as a business owner on what you need to do in other areas.”
Good enough for you and me?
This is essentially the issue: the scheme is seen as good enough, and for some people that is satisfactory, while for others it does not go far enough in ensuring effective cybersecurity. Many of the people we spoke with on this issue cited its lack of acknowledgment of the human factor, which affects cybersecurity so drastically.
Cary Hendricks, operations director of ID Cyber Solutions, runs a Cyber Essentials certification body in Scotland. He was very positive about the benefits of the certification, saying that “you get a ton of stuff and advice for £300,” a sum that does not buy you a lot else in this industry.
“It is a brilliant way for new people in infosec to start to learn as it is a framework, set with specific questions,” said Hendricks. “The sheer amount of exposure to different types of companies is a gold mine for starters under the guidance of a lead assessor.” If you work with a certification body, it will have taken many other companies through certification, so you benefit from all of the experience it has gathered from those other engagements. Hendricks also said that going through Cyber Essentials “is a great experience for folks on a very limited budget and know-how.”
The cybersecurity sector does carry a degree of cynicism about most things, and Cyber Essentials has indeed been viewed through this lens. However, it does serve a purpose – and most people agree that is the case.
Under the new supervision of IASME, it does have the potential to further evolve into something more accepted as a framework, while preserving its intention as a certification for businesses to prove their capabilities. Either way, the future seems bright.