What is the Cyber Essentials Scheme - and will Business buy in?
The Jury is assembling. What will businesses make of the UK Government's ideas on cyber security controls, and is Cyber Essentials worth the cost?
The UK Government's Cyber Essentials Scheme announced in April 2014 aims to drive awareness of the risks posed by cyber crime, and help smaller enterprises delivering products or services to the UK public sector to defend their IT systems, networks and customers' data from attacks.
Government is widely encouraging its adoption and is making it mandatory for Central Government contracts advertised after 1 October 2014 which feature characteristics involving handling of personal information and provision of certain ICT products and services. Details are set out in Annex A of the HMG Procurement Policy Note – Use of Cyber Essentials Scheme certification. Action Note 09/14 25 September 2014
How does the scheme operate? Is it a 'Standards framework'?
Well, no. In a nutshell: The Cyber Essentials scheme has been developed by Government and industry to provide a clear statement of the basic technical controls that all organisations should implement to mitigate the risk from common internet based threats. However, and despite words to the effect that it would be a "kite-marked" standard, Cyber Essentials is being described as a Scheme and definitely not a British Standard (BS).
The scheme's requirements have been developed within the context of the Government’s 10 Steps to Cyber Security. The documentation so far produced by BIS maps the five Cyber Essentials controls to controls in the ISO27001, ISAME and ISF Standards. The British Standards Institution (BSI) have collaborated on the project (at least in the early stages), as has CREST, who (in their own words) "...were engaged by CESG, the Information Security arm of GCHQ, to develop an assessment framework to support the scheme, which forms a key deliverable of this strategy". Hence, on the basis of the credibility of the various partner organisations, we can assume that the Assurance Framework will offer, as BIS suggests: "a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions".
What's the Government's purpose in fostering Cyber Essentials?
To begin, more or less, at the beginning. In 2011, the UK Government launched The UK Cyber Security Strategy - 'Protecting and promoting the UK in a digital world'. The strategy stated the Government's declared aim to improve the information available to people buying security products by encouraging the development of [sic erat scriptum] security ‘kitemarks’.
BIS was tasked to work with domestic, European and global and commercial standards organisations to stimulate the development of industry-led standards and guidance. This would help customers to navigate the market and differentiate companies with appropriate levels of protection and good cyber security products. Action 24 stated the aim:
Action 24: Encourage industry-led standards and guidance that are readily used and understood, and that help companies who are good at security make that a selling point.
Fast forward three years: then Universities and Science Minister, David Willetts, said at the launch of the Cyber Essentials Scheme in June 2014:
"Cyber Essentials is an easy to use cost effective way to help businesses and the public sector protect themselves against the risks of operating online. ... Organisations will now be able to easily demonstrate they are cyber safe - reassuring their clients, boosting confidence and profitability. I encourage all organisations to adopt it."
However, by the time of the launch hosted by the ICAEW IT Faculty at Chartered Accountants’ Hall in the City of London, Cyber Essentials was less of a 'standards framework' in the sense of ISO27001, and more an MOT test for cyber security hygiene. Gone was any reference to the "kite-marked" cyber security standards concept heralded in the 2011 Strategy.
What remained was the idea that the cyber security control requirements would be 'readily used and understood' and that they would be a selling point for organisations that are good at putting in place effective security.
This is the Cyber Essentials Scheme; aptly named since the mandated controls are essential to secure any IT system connected to the Internet.
Why is the UK Government promoting 'cyber security assurance'?
The Government ICT Strategy also sets out how Government is working to make its own critical data and systems secure and resilient from cyber threat. This is important in understanding what is, I would suggest, the primary motivation for introducing the Cyber Essentials Scheme and why it is important for the organisations supplying government to take notice.
Government is working with industry to develop rigorous cyber security and IA standards for ICT products and services supplied to Government and its Public Services Network. In particular they are in the process of raising the standard of cyber security that Government can expect from suppliers for sensitive defence equipment. Just as they already have in place certain requirements on contractors’ physical security, the growth of services supplied to Government that use the internet now means that it makes sense for them to look again at their cyber security requirements.
It's worth bearing in mind here that, these days, some of the companies providing services to Government are frankly tiny compared say to the Big Four professional services firms or the likes of Capita, Serco and G4S. They include organisations that qualify for membership of the Federation of Small Businesses, classified in the business size categories of micro: 0-9 employees, small: 10-49 employees, and medium: 50-249 employees.
And then there's the issue of the patchy uptake of ISO27001 and other information security standards by large organisations that would already be expected to have some knowledge or experience of cyber security. Just like their smaller counterparts, and despite the risks that they run, many it seems have only a limited capability to implement the full range of controls necessary to achieve robust cyber protection. The Cyber Security Strategy talks about modelling best practice on cyber security in reference to Government's own ICT systems, in an effort to set strong standards among suppliers to government to ensure they "raise the bar".
So what's wrong with ISO27001 when setting higher standards?
ISO27001 is currently being viewed as too complicated and costly for smaller organisations and, judging by the level of uptake, resisted by too many large organisations to be a realistic alternative to Cyber Essentials. The simple piece of evidence for this assumption is that there were only 1,923 accredited certificates issued to ISO27001 in the UK in 2013 from a total of 22,293 worldwide. However, at the start of 2014, there were 5.2 million businesses in the UK with small firms accounting for 99.3 per cent of all private sector businesses. ISO27001 has been around for 10 years and its predecessor, BS 7799 was published by BSI Group back in 1995. From a politician's viewpoint, this standard doesn't appear to be popular with the majority of organisations - certainly when compared to ISO9001 with a respectable 44,985 certificates in the UK, and 1,129,446 globally.
Some would argue that ISO9001 has been around a lot longer, hence the number of certificates issued to date is markedly higher than ISO27001.
ISO 9000 was first published in 1987. It was based on the BS 5750 series of standards, once again, from BSI, that were proposed to ISO in 1979. Even so, if annual growth rates for ISO27001 stick around the 14% mark as was the case in 2013, it will be 20+ years before ISO27001 achieves a third of the certificates issued to the ISO9001 Standard on a global basis. Cyber criminals are not going to wait around while this process continues.
As far as basic hygiene goes, I agree with the Government and GCHQ: businesses need a steer in terms of IT controls and penetration testing - and they need it now, before the damage done by cyber threats worsens.
With Cyber Essentials, any fears over certification costs are not justified. For example, ISAME Consortium is offering a self-assessment route to certification against the Cyber Essentials Scheme costing only £300 +VAT.
The price is right for smaller organisations with limited budgets for cyber security - assuming they are serious about bidding for Government work.
Of course, meeting the scheme's requirements may cost them a lot more. But then so would a data breach resulting from inadequate cyber security!
Next time: Cyber Essentials: Part II: Does the Scheme involve any form of Risk Assessment and how does this aspect compare with ISO27001?
This guest post was written by Michael Shuff. You can email him here.Find out more about Cognidox Document Management solutions for ISO standards-compliance by downloading our Information Security white paper at http://www.cognidox.com/cognidox/view/VI-403566-TM