The UK government will require IT suppliers to comply with the five security controls laid out in its Cyber Essentials Scheme (CES) from 1 October 2014, but what benefits will this bring and is there a downside?
The most obvious benefit is it will raise the overall level of protection by putting security in the procurement process, thereby creating a commercial reason for improving security.
Adrian Davis, managing director for Europe at (ISC)² believes this is a more positive approach than mandating security standards through legislation and regulation.
“It levels the playing field. If accreditation is carried out rigorously, all suppliers can be compared in terms of their cyber security efforts and it provides a baseline from which organisations can build,” he said.
Davis also believes this approach will make it easier and relatively low cost for small and medium-sized enterprises (SMEs) to improve their security posture.
“This is important because about 90% of our economy is based on SMEs which typically do not have the resources, the time or the skills to perform information security,” he said.
The Cyber Essentials Scheme provides guidance on:
- Secure configuration
- Access control
- Malware protection
- Patch management
- Firewalls and internet gateways
Compliance with CES
Compliance with CES will be mandatory for all services handling personal information of citizens, government employees and government agents.
This is only a reinforcement of the Data Protection Act, and therefore should come as no surprise, said independent advisor on payments, risk, cyber crime and digital innovation Neira Jones.
“This actually gives a tangible set of controls – albeit basic – to start addressing the issue of information risk due diligence in the supply chain.
“Basic hygiene, especially in view of all the Information Commissioner's Office (ICO) penalties of late, can only be welcomed,” she said.
By pitching the Cyber Essentials certification costs for smaller companies between £200 and £400 at basic level, and between £1,000 and £3,000 at the CES Plus level, Jones said government is clearly trying to encourage SMEs to have a basic level of cyber protection
Compliance with CES will also be required for all products and services handling information classified as official – which is any information relating to routine government business operations and services.
“This is interesting for two reasons," said Jones. "First, it points to contracts that are handling information at the lowest level of the threat profile, not secret or top secret.
“Second, the guidelines also state that Cyber Essentials is not intended for use with bespoke IT systems such as those found in manufacturing, industrial control systems, online retail and other environments.
“This gives a good sanity check and puts it in its right place – a basic, minimum and limited set of controls for those who don’t know where to start," she said.
“Quite rightly, it is not aimed at retail, banking or critical infrastructure,” she added, but in the light of that fact, she questioned why Barclays was so quick to “jump on the CES bandwagon”.
Barclays digital banking was one of the first organisations to achieve certification under CES in July 2014, shortly after the scheme was introduced.
“I found it at once perplexing and worrying that Barclays and other big businesses are bothering to get certified for something they have been doing for some time,” said Jones.
She thinks while the move is fairly meaningless for information security professionals, it is most probably aimed at those increasingly conscious of cyber security, who are more likely to be assured by a government-backed certification.
“That’s good for big business, but it doesn’t solve any problems. Why did the government allow large organisations to use the scheme in a way that clearly contradicts the guidelines above? Your guess is as good as mine,” said Jones.
CES for SMEs
She believes the scheme should really be confined to SMEs for it to have any kind of credibility, but said it is not immediately clear whether it will really help SMEs either.
While the cost is relatively low at basic level, Jones pointed out there does not appear to be any financial help available for SMEs to close any security gaps identified in the self-assessment phase.
Jones said once CES certification is obtained, it is also unclear if SMEs will be given a fair chance at government contracts and if any incentives will be provided.
There are other questions to be answered, she said. For example, the guidelines state government authorities should be aware that a supplier may share a client's information with a third party, such as a cloud service provider.
“However, Cyber Essentials does not ensure the security of the third party is in scope of certification. So the onus is on government authorities to check the supply chain of their supply chain and indeed see if any part of it requires certification. But how will this be managed? With more and more cloud services, this could prove difficult,” said Jones.
I see this as a real opportunity for suppliers to build security into their products in a measured and consistent manner
Adrian Davis, (ISC)²
The requirement applies to new contracts advertised after 1 October 2014, but it remains unclear what happens to incumbents and whether they will be given unfair advantage over those trying to enter the supply chain, she observes.
Another problem is the scheme addresses only a very basic set of technical controls, and does not address best practice in the areas of governance or user awareness.
“One of the stated aims of the scheme is to mitigate against the risk of phishing, but it is the user that will click on that link in that email, so why are there are no requirements to educate staff?,” said Jones.
“Even the stated aim of mitigating against malware omits basic technical requirements, such as code vulnerabilities like structured query language (SQL) injection, for example,” she said.
Jones admitted this would incur more cost for SMEs to cope with, but such basic flaws plague the SME space, she said.
Jones also questioned whether government departments have the required maturity and ability to assess what level of CES certification potential suppliers require.
“All in all, the Cyber Essentials Scheme is a laudable initiative, but it should have been confined to small businesses, with the appropriate grant and incentives frameworks in place.
“We risk that these businesses will either not be able or willing to invest in even the basics if they cannot see a clear return on investment, and large corporations will easily and cheaply capitalise on the marketing spin for something they are already doing,” said Jones.
Over-reliance on CES
Adrian Davis of (ISC)² also has some reservations. He is cautious against over-reliance on CES. “It is a starting point, not the be all and end all. Just because an organisation has CES accreditation, it does not mean it is secure,” he said.
Davis noted CES is a set of controls, and does not in itself enable a proper risk-based approach to security. He is concerned organisations may follow CES and think they have covered their risks, when in reality they have not.
“Accreditation, like an audit, refers to a point in time, so acquiring organisations will still need to perform their own investigations and/or due diligence of the supplier, depending on the information to be shared and the risks associated with that information,” he said.
Davis also pointed out there is no update cycle for CES, no indication of who is responsible for it, and little awareness of the scheme among SMEs. Like Jones, he highlighted the lack of government support to help SME implement CES.
“I see this as a real opportunity for suppliers to build security into their products in a measured and consistent manner, and in the IT service provision market, this may mean all users of a service will benefit from greater security, which can only benefit the provider, the users and the wider market.
“And while CES is not perfect, driving its use through commercial imperatives is a lot better than the situation we have now. Indeed, we at (ISC)² have argued that if cloud suppliers raise their security game it will benefit SMEs and the providers themselves,” said Davis.
Jay Abbott, founder and managing director of security consultancy JustASC, also supports CES for highlighting the five things that cause the most common issues.
Potential issues with CES
But, he said there are some “interesting gotchas” in CES that could create some issues for organisations, especially the larger ones.
“Take self-assessment question 108, for example, which asks if all operating systems on devices are supported by a supplier which sends regular fixes for any problems.
“This seems innocuous at first glance, but if you have Windows XP in use, the answer is no, and that is a fail. Larger organisations may struggle with this one,” said Abbott.
As far as the SME sector is concerned, he said while there is nothing in the CES that is too difficult to achieve and it will undoubtedly improve the inherent security posture of businesses, there is limited appetite to do so.
“Most SMEs are focussed entirely on the delivery of their core business in an aggressive market, often with significant competition and many financial pitfalls to sidestep daily. As a small business owner myself, I can 100% vouch for this.
“Achieving this certification requires they stop thinking about their day job for a moment and seriously consider their entire use of IT. This in itself is a time-consuming thing if you know what you’re looking for, but for the average UK SME, they probably do not even have someone in the business with the right skills to do it,” he said.
More on cyber essentials
- Government mandates Cyber Essentials for public sector supply chain
- Crest welcomes Barclays CES certification
- Cyber Essentials ensures SMEs protected, says Databarracks
- Cyber risk and the UK’s Cyber Essentials Scheme
- UK government launches cyber security support scheme
- Government to help UK business get cyber security basics right
Like Jones, Abbott is concerned about the cost burden this creates if they are forced to seek outside support from consultants, who may then tell them they need to buy new licenses for software, spend money on new equipment, and spend time on integration of technology.
“From the security industry’s perspective, CES is great, a real step forward in securing the UK, but from the average SME’s perspective it is a little bit of a different feeling,” he said.
Even if CES certification enables an SME to win a government contract, Abbott points out that all it will have achieved is “good security housekeeping”, rather than something that makes it more profitable in the long run.
“If everyone is required to achieve certification, there will no longer be lingering competitive advantage, just the ongoing cost and time commitments to maintain the basics will remain,” he said.
“So Cyber Essentials is a problem as much as it is a solution. It will improve the UK SME security stance, it will ultimately benefit the SME in ways they cannot quantify or measure, but it will cost the SME money and time in an aggressive free market, and that in itself will make it a difficult sell,” said Abbott.
Improving cyber security with CES
That said, he believes CES is a good thing that will improve the SME’s ability to defend against and withstand simple, common security attacks they may already be victim to.
It will prevent simple attacks succeeding that could easily leave them with an empty bank account due to a direct fraud, or have them facing material fines from the ICO.
“Let us not forget that these SMEs are the supply chain to our country’s central government agencies, so their insecurity is ultimately a problem we all share, so yes, it is very much a good idea that I personally support,” he said.
Abbott believes CES should be treated as an opportunity by getting the right advice. “An SME probably did not plan the IT strategy for its business and just acquired machines and software ad hoc as it grew.
“CES is a great opportunity to take stock of everything and speak to an expert, not only in security, but in IT as a whole. Someone who can advise them on whether what they are doing as a business needs with the way the way they are using IT.
“This is where the opportunity for improvement comes and where the standard can be used to drive improvements in productivity. After all, security is just a concept in IT that should be designed in the systems from the start,” he said.
Abbott noted CES does not allow the company that helps an organisation to achieve compliance through advice and support to award certification.
“That has to be done by a different company, therefore providing a solid segregation of duties and mitigating against fly-by-night organisations looking to make a quick buck off the ignorance of the market through one-stop package solutions that really do not meet the goals of the standard,” he said.
While there is support for CES because of the benefits it will bring, that support is qualified. It appears government has a lot more work to do in creating awareness of CES and in clarifying some key issues.
Mandating CES certification for IT suppliers to the public sector is a good start, but government will have to go a lot further to provide incentives and support to the SME sector to ensure it does not become an overwhelming burden.
The government will also have to be more transparent about how departments will decide which suppliers need CES basic or CES plus certification to ensure the process does not become arbitrary and subjective.