Analysis of continuing attacks and feedback from industry vulnerability testers has identified that a number of security controls are still not being applied.
The scheme is intended to show what good security looks like. Government hopes it will prove a cost-effective way for all UK businesses to mature their cyber security by getting the basics right.
The Cyber Essentials Scheme (CES) is aimed at raising the cyber security bar in UK business, particularly in small and medium-sized enterprises (SMEs).
The scheme was developed with the Information Assurance for Small and Medium Enterprises (IASME) consortium, the Information Security Forum and the British Standards Institution (BSI).
The collaborators believe that establishing a basic level of cyber hygiene, through implementing the basic controls, will solve a lot of problems and protect against most low-level threats.
Essential security controls
The Cyber Essentials Scheme provides guidance on:
- Secure configuration
- Access control
- Malware protection
- Patch management
- Firewalls and internet gateways
The CES identifies five essential security controls (listed above) that organisations must have in place in their IT systems to begin mitigating risk from internet-based threats.
Systems that fall within its scope include internet-connected user devices such as desktop PCs, laptops, tablets and smartphones; and internet-connected systems such as web and application servers.
The launch of the scheme follows successful pilot assessments, managed and reviewed by Crest, the not-for-profit organisation that represents and certifies the technical information security industry.
The CES will also offer a way to win customer confidence and competitive advantage by certifying the level of an organisation’s compliance with the five controls set out in the guidance.
Developing the assessment framework
Crest worked with CESG, the information security arm of GCHQ, to develop the assessment framework for the CES.
Details of the first security companies accredited by Crest to deliver Cyber Essentials assessment services are available on the organisation’s website.
“Crest has built an assessment framework optimised for the CES that will ensure organisations of all sizes and from all sectors can be properly and independently assessed to have the key technical controls in place to manage cyber risks,” said Ian Glover, president of Crest.
“By displaying the Cyber Essentials 'badge' they demonstrate to customers that they have taken steps to be fundamentally cyber safe,” he said.
Global information assurance firm NCC Group is also among the security specialists selected as assessors for the scheme.
Assessments will include remote and on-site tests of businesses’ IT systems, as well as a detailed questionnaire.
Certification for businesses
Companies across the UK can now start the independent assessment process and, if successful, attain the Cyber Essentials certification badge.
“This is the sort of support from government that will make a real difference to UK businesses. By putting standards in place, it gives SMEs an attainable security benchmark, and one which will provide significant protection from a wide range of attacks,” said Rob Cotton, CEO at NCC Group.
“This is not a silver bullet, but getting the fundamentals right is crucial. Cyber Essentials will provide a solid foundation for a cross-section of businesses that have historically struggled with security,” he said.
The scheme follows on from the government’s 2012 publication of its 10 Steps to Cyber Security guide, aimed at encouraging organisations to consider how they manage their cyber risks.
The guide raises the need for company boards and senior executives to take ownership of these risks and enshrine them in their overall corporate risk-management regime.
The government views the adoption of an organisational standard for cyber security as the next stage from the 10 Steps to Cyber Security guidance.
According to the Department for Business, Innovation and Skills (BIS), the government plans to implement the CES throughout the public sector and, in the longer term, embed it in procurement processes.