Cyber Essentials: benchmarking best practice
Ian Clover, president of Crest
Addressing a cyber security conference earlier this year, Ciaran Martin, director general for cyber security at GCHQ, emphasised that providers of critical infrastructure – and others in the public and private sectors, needed to be able to distinguish good quality suppliers of cyber security solutions from the ‘less good'. “That's why the government continues to provide or endorse quality mark schemes to identify good products and services.
“Our partners in the Cabinet Office – the lead Government Department for cyber security – and in the Department for Business have launched the Cyber Essentials (CE) scheme, an organisational standard developed in close consultation with industry.”
CESG, the information security arm of GCHQ, analysed successful cyber-attacks, identified the best way to most effectively stop or mitigate cyber-attacks from those using widely available attack tools – and drew up the Cyber Essentials programme as a result. It explains what companies need to do to stop most of these threats. It's not intended to prevent APTs, but it should ensure that companies can stop the 80 percent of cyber threats that come from less skilled attackers.
Initially the certification is a one-off exercise, and Sarb Sembhi, director at consultancy Storm Guidance and a prominent member at ISACA UK, tells SC Magazine UK: “Cyber essentials is like an MOT, showing that everything is fine right now – but of course it may not be three hours later.”
Ian Glover, president of Crest (one of two accrediting bodies for CE) tells SC Magazine UK, “Crest is recommending that there be a review date – and discussions are ongoing to ensure the system is fit for purpose. Some who did the Beta test ahead of Heartbleed passed, but subsequently failed – which is as it should be - circumstances change.”
Alan Calder, CEO of IT Governance (one of the certification bodies for CE which provides consulting services and PEN testing under Crest) adds: “The certificate affirms that on the date it was issued the company met the requirements of the Cyber Essentials scheme. Six months later it simply tells the state of play when it was issued, and says to institutions that there was a certain minimum level of security in place.
“We would expect larger organisations to require certificates (for themselves and their suppliers) to be no more than three months old (in line with PCI).”
However, Howard Pinto, head of technology security at Vodafone, the first telecoms provider and first multinational organisation to achieve Cyber Essentials Plus accreditation, comments to SC Magazine UK: “(Frequent testing) is a practical issue requiring deployment of our resources and those of others. It's a dynamic industry and the nature of threats is always changing so we are constantly updating what we do, looking to raise the bar. It's ongoing. But I think that once a year is suitable for certification.”
Sembhi notes, “It's a positive move, and it needed to start somewhere, so it has started with the bar set fairly low. Where we need to get to is measuring the ability of an organisation to manage risk over a period of time – regardless of the risks faced, ensuring that the processes are in place and they have the capability to deal with the risk. It would not have been possible to introduce on day one, it needs to work through stages, moving up to the next stage – but it's a useful starting point.”