Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are government-backed assurance schemes that emerged from a growing concern among senior officials that UK SMEs were not paying sufficient attention to basic cybersecurity, troubling for the government supply chain as well as wider business. A sticking point had been that existing frameworks such as ISO27001, PCI, COBIT, or the ISF Standard of Good Practice were aimed at larger businesses with deep pockets; something more appropriate to SMEs was needed.
Launched in June 2014 by the Department of Business Innovation and Skills, Cyber Essentials was designed with two levels, described below. Broadly, Cyber Essentials is the most basic and is based on self-certification that is independently verified by a certified company on an annual basis. The more comprehensive and expensive Cyber Essentials Plus is at core the same thing but with independent testing instead of self-certification.
Cyber Essentials – accreditation bodies
Appointed by the government Communications Electronics Security Group (CESG), these are the non-profit organisations that act as gatekeepers for the companies doing certification under either of the two levels. There are currently four of these: the Council of Ethical Security Testers (CREST) and Information Assurance for Small and Medium Enterprises (IASME), founding members that were major contributors to the design of Cyber Essentials/Plus, plus more recent joiners APMG Group and OG Business Group. More could be appointed in future, although there is disagreement about whether that’s a good idea.
Cyber Essentials – certification companies
Commercial organisations allowed to verify or carry out tests for Cyber Essentials/Plus now number in the dozens, with CREST listing 35 on its own, including well-known IT brands such as NCC Group, IBM, KPMG, and PwC. There was an initial worry that not enough companies would see commercial potential in the programme, but that doesn’t seem to have been the case.
What does it cost?
This will vary, but the cost of annual online Cyber Essentials certification is around £300 for networks with up to 250 employees and 16 IP address ranges, although some hand-holding is also available that will triple the cost. Cyber Essentials Plus will be from £1,000-£2,000, possibly more, depending on the size and complexity of the network and the amount of consultancy asked for.
Note: organisations planning to complete Cyber Essentials Plus must complete the basic Cyber Essentials assessment first, so these costs are cumulative.
Cyber Essentials (CE) – self-assessment
Organisations must first identify the systems they believe are at general risk of external compromise, defining which fall within the scope of Cyber Essentials and which don’t. Dedicated systems used in manufacturing, e-commerce, industrial control and cloud services beyond their control wouldn’t normally be included in a Cyber Essentials assessment, although it is important to study the requirements in detail because other areas such as BYOD are included.
Technical focus: assessment of Internet-facing firewalls and gateways, PC security such as anti-malware, user access control, patching routines, and general secure configuration.
Assessment: documented using a self-assessment questionnaire (SAQ), filled in online after choosing a certification provider, which is viewed as a snapshot of an organisation’s security-worthiness and must be re-certified every year. The declaration of compliance must be signed by the CEO or managing director. An example SAQ can be found here.
Although the idea of filling in an online questionnaire sounds easy, superficial even, completing the form incorrectly could make assessment more time-consuming and raise the bill above the £300 level. This is a serious process, and neither the underlying assessment nor its documentation using the SAQ should be undertaken without care.
Cyber Essentials Plus (CE+) – independent testing
At this level a commercial testing firm from the approved list (companies not on the list can’t be used under the scheme) is paid to check that the security controls mentioned under Cyber Essentials have been deployed well enough to survive an attack by “Internet based threat actors with low levels of technical capability.”
Testing covers the configuration of individual equipment but also tries to attack the whole system from within and without using real-world scenarios. Under both Cyber Essentials Plus and Cyber Essentials, SMEs will also have to confirm that their communications and cloud providers meet accepted standards of assurance such as PCI and ISO27001.
On the subject of ISO27001, it is worth noting that this standard is much more comprehensive than anything on offer in Cyber Essentials/Plus. Some firms might still feel they need to have both.
Cyber Essentials – compliance
At the end of either one of the above levels, companies meeting the compliance standards will be able to publicly display a badge denoting Cyber Essentials or Cyber Essentials Plus.
Has the scheme worked?
An obvious objection is that Cyber Essentials is self-certified and basic by nature, which has led some to conclude that the real deal is Cyber Essentials Plus. But that costs more money, which raises a further objection: if one reason SMEs lack adequate security is an unwillingness to invest in security, why does asking them to spend money on certification improve matters?
So far, uptake has been pretty modest, with Minister for the Digital Economy, Ed Vaizey, revealing in September 2015 that only 1,000 firms had undertaken either one of the two levels, mostly the basic Cyber Essentials.
We asked Ian Glover, president of accreditation organisation CREST and hugely knowledgeable on the topic of Cyber Essentials and pen-testing, for his views.
“It has improved security which is the primary objective,” said Glover. “It is going to take a couple of years. Whether it gets to the numbers the UK Government wants I can’t comment.”
Awareness has been high but uptake slow, which suggests that marketing of its worth could be done better. At the moment, having several bodies promoting Cyber Essentials risked causing confusion and unevenness.
“It’s a good standard and we’ve achieved a lot but the implementation has been awkward,” said Glover. “There are political and authority issues that are slowing that rate of change down.”
One interesting thing was the level of interest from overseas, but it was currently impossible to market it beyond the UK, he said. Cyber Essentials had the makings of a process that could be exported around the world to push the UK’s expertise in the area.
CREST produces a useful guide to Cyber Essentials that explores the demands in more detail.
Cyber Essentials – the future
The Government seems to be playing a long game with Cyber Essentials and will push on, developing its requirements over time. It is to all intents and purposes mandatory for any company with direct involvement in the government supply chain and will slowly expand beyond that to become a baseline for more companies connected to those. Slow off the mark it might have been, but Cyber Essentials is now part of the UK cybersecurity landscape.