Government unveils Cyber Essentials Scheme

From October, contractors for many public sector information handling projects will need to be Cyber Essentials certified

The government is again seeking to educate private companies on the need for effective IT security with its new Cyber Essentials Scheme, which seeks to improve the response of UK businesses to cyber security threats, as well as certify their capabilities.

The idea is that participating companies - of all sizes - will be provided with a step-by-step framework involving five key controls: access control, boundary firewalls and Internet gateways, malware protection, patch management and secure configuration.

Unlike previous initiatives, the Cyber Essentials Scheme will work alongside existing resources, such as the Information Security Forum and the British Standards Institution, giving firms the opportunity to qualify for badges that display their aptitude in online security.

Insurance companies are being encouraged to offer discounts on cyber security insurance in much the same way that homes and businesses are rewarded with discounts if they fit a suitable alarm system and high-security locks.

In addition, the government says that, from 1 October, all suppliers bidding for certain information handling contracts in the public sector will need to be Cyber Essentials certified.

The scheme will be overseen by CREST, the not-for-profit organisation that represents and certifies the technical information security industry.

According to the government's universities and science minister David Willetts, the GameOver Zeus and CryptoLocker attacks - as well as the eBay hack - show how far cybercriminals will go to steal people's financial details, and the UK absolutely cannot afford to be complacent.

“We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cybersecurity. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber threats,” he said.

CREST says it has worked alongside CESG, the Information Security arm of GCHQ, to develop the assessment framework for the scheme.

Ian Glover, CREST's president, says that not all organisations have the resources available to invest in the most rigorous levels of information security and compliance.

“Cyber Essentials addresses this by creating a baseline for UK cyber security. By assembling and working with a forum of industry and technical experts, CREST has built an assessment framework optimised for the Cyber Essentials Scheme that will ensure organisations of all sizes and from all sectors can be properly and independently assessed to have the key technical controls in place to manage cyber risks,” he explained.

Reaction to news of the scheme - announced this morning by the government - was cautious.

Professor John Walker, a visiting professor with the Nottingham Trent University's School of Science and Technology, said the scheme is a good idea - provided the idea is carried out properly.

"I'd like to see the money put to good use, perhaps by establishing a central resource that will act as THE information source on UK cybersecurity policies," he said, adding that the US model in this regard may be the best option.

"Would we, for example, see a government entity - as has happened in the US - advising Internet users to stop using Internet Explorer due to security concerns? I doubt it," he explained.

Peter Wood, CEO of First Base Technologies, the pen-testing specialist, said the scheme is better than nothing at all.

"Something really has to be done for small to mid-sized businesses. The government has to get involved, so this scheme gives it the chance to tackle the small business security education issue," he noted.

Jonathan Brooks, practice leader in Willis's Financial and Executive Risks practice (FINEX), agreed with Wood's point on SME security education.

The government initiative, he says, is particularly relevant to SMEs, which form a major part of the Internet ecosystem, but which have, to date, found the perceived time, cost and complexity of cyber security very challenging.

“The government announcement provides a timely reminder for boards of directors in companies of all sizes to take ownership of these risks and enshrine them within their overall corporate risk management regime not only within their own organisations but also within those with which they do business," he said.

Mark Brown, director of information security at EY (the new name for Ernst & Young) was more upbeat in an email to journalists, saying that whilst the scheme is a positive step, businesses should not view this scheme as a complete solution as it only addresses the basic controls.

"For best practice we would expect businesses to go above and beyond this scheme and as such a continuing refinement and enhancement of this scheme is required in the long-term from government," he said.