Cybersecurity should be an ongoing concern for any organisation, regardless of its size and complexity. This is chiefly for two essential business reasons:
- A cybersecurity incident or breach could, depending on its severity, result in significant reputational or financial damage if not adequately safeguarded against or handled correctly.
- When judging whether to award a contract to a business for a critical function, the awarding organisation will typically need to satisfy themselves that any risk associated with placing this activity “outside the garden fence” is understood and managed. Cybersecurity is one aspect of assessing this risk, usually focused on understanding what controls, policies and procedures exist within a business to ensure that sensitive data is handled appropriately.
Traditionally, to demonstrate sufficient competence in this area, the ISO 27001 standard acts as a benchmark indicating that a proper information security management system is in place within a business. Many routes are currently available towards achieving this accreditation. Its adoption can involve many complicated and highly integrated business changes which, for smaller organisations, may prove to be a significant challenge to put in place – laying aside any cost implications.
In recognition of this fact and as a general acknowledgement towards the increased risk the “internet age” brings to supplier/customer relationships (particularly in the public sector), the UK Government launched the Cyber Essentials scheme back in June 2014. Aimed at organisations of any size, it promises to provide the necessary help and reassurance that your business/organisation has put the necessary steps in place to ‘…protect…against common online threats’, affording the opportunity to advertise this fact to all and sundry.
I’ve been through the process of successfully attaining the standard within organisations over the past few years, so I wanted to share some of my thoughts relating to the scheme, alongside some tips to help you along the way if you are contemplating adopting the scheme in the near future.
To begin with, I wanted to provide a detailed overview of the scheme, with some reasons why it may be something your organisation should consider.
Cyber Essentials is structured as a tiered scheme, with two certification levels available, which differ significantly in their level of rigour:
- Cyber Essentials: Sometimes referred to as “Cyber Essentials Basic”, this level of the standard is designed to assess your current IT infrastructure and internal processes via a self-assessment questionnaire. The answers are then reviewed and marked against the standard.
- Cyber Essentials +: Using the answers provided during the Basic accreditation process, a more thorough assessment is carried out on your network by an external organisation, taking the form of a mini-penetration test of your infrastructure.
You can read about each level in further detail on the scheme’s website. It should be noted, even if it may go without saying, that you must be Cyber Essentials Basic accredited before you can apply for the + accreditation. Both tiers of the standard also require renewal annually.
Whether your organisation needs the scheme or not depends on your industry focus and, in particular, your appetite for working within the public sector. As noted on the GOV.UK website:
From 1 October 2014, Government requires all suppliers bidding for contracts involving the handling of certain sensitive and personal information to be certified against the Cyber Essentials scheme.
The requirement has also spread beyond there into some areas of the private sector. For example, I have seen tenders/contracts in recent times explicitly asking for Cyber Essentials + as a minimum requirement for any suppliers. In short, you should be giving some thought to the scheme if you do not have anything in place already and you have a desire to complete public sector work in the very near future.
What You Can Expect
The exact process will differ depending on which accreditation body you work with, but the outline process remains the same for both levels of the scheme:
- For the Basic, you will be asked to complete and return answers to the self-assessment question list. Responses will then be scored based on a Red, Amber, Green (RAG) scoring system, with full justifications for each score provided. Depending on the number and severity of issues involved, an opportunity to implement any required changes and resubmit your answers may be given at no additional cost; otherwise, failure will mean that you will have to apply to complete the questionnaire again for an additional fee. Turnaround for completed responses has been relatively quick in my experience, with the upshot being that you could potentially get the accreditation in place within a few weeks or less. For those who may be worried about the contents of the questionnaire, the good news is that you can download a sample question list at any time to evaluate your organisation’s readiness.
- As hinted at already, the + scheme is a lot more involved – and costly – to implement. You will be required to allow an information security consultant access to a representative sample of your IT network (including servers and PC/Mac endpoints), for both internal and external testing. The consultant will need to be given access to your premises to carry out this work, using a vulnerability assessment tool of their choosing. There will also be a requirement to evidence any system or process that you have attested to as part of the Basic assessment (e.g. if you are using Microsoft Intune for Mobile Device Management, you may be required to export a report listing all supervised devices and demonstrate a currently supervised device). It is almost a certainty that there will be some remedial work that needs to take place resulting from any scan, most likely amounting to the installation of any missing security updates. Previously, you were granted a “reasonable” period to complete these actions; for 2018, the scheme now requires that all corrective actions are completed within 30 days of the on-site assessment taking place. Once this is done and evidenced accordingly, a final report will be sent, noting any additional observations, alongside confirmation of successfully attaining the + accreditation.
Costs will vary, but if you are paying any more than £300 for the Basic or £1,500 + VAT for the + accreditation, then I would suggest you shop around. 🙂
Is it worth it?
As there is a cost associated with all of this, there will need to be a reasonable business justification to warrant the spend. The simple fact that you may now be required to contract with organisations who mandate this standard being in place is all the justification you may need, especially if the contract is of sufficiently high value. Or it could be that you wish to start working within the public sector. In both scenarios, the adoption of the standard seems like a no-brainer option if you can anticipate any work to be worth in excess of £2,000 each year.
Beyond this, when judging the value of something, it is often best to consider the impact or positive change that it can bring to the table. Indeed, in my experience, I have been able to drive forward significant IT infrastructure investments off the back of adopting the scheme. Which is great…but not so much from a cost standpoint. You, therefore, need to think carefully, based on what the standard is looking for, on any additional investment required to ensure compliance towards it. For example, if your organisation currently does not have Multi-Factor Authentication in place for all users, you will need to look at the license and time costs involved in rolling this out as part of your Cyber Essentials project. As mentioned already, ignorance is not an excuse, given that all questions are freely available for review, so you should ensure that this exercise is carried out before putting any money on the table.
The steps involved as part of the + assessment are, arguably, the best aspects of the scheme, given that you are getting an invaluable external perspective and vulnerability assessment at a rather healthy price point. Based on what I have witnessed, though, it would be good if this side of things was a little more in-depth, with additional auditing of answers from the Basic assessment, as I do feel that the scheme could be open to abuse as a consequence.
A Few Additional Pointers
- The questions on the Basic self-assessment will generally be structured so that you can make a reasonable guess as to what the “right” answer should be. It is essential that the answers you give are reflective of current circumstances, especially if you wish to go for the + accreditation. If you find yourself lacking in specific areas, then go away and implement the necessary changes before submitting a completed self-assessment.
- Regular patching cycles are a key theme that crop up throughout Cyber Essentials, so as a minimum step, I would highly recommend that you implement the required processes to address this in advance of any + assessment. It will save you some running around as a consequence.
- Both assessments are also testing to ensure that you have a sufficiently robust Antivirus solution in place, particularly one that is automated to push out definition updates and – ideally – client updates when required. You should speak to your AV vendor before carrying out any Cyber Essentials assessment to verify that it supports this functionality, as it does help significantly in completing both the Basic and + assessment.
- An obligatory Microsoft plug here, but a lot of what is available on Office 365 can add significant value when looking at Cyber Essentials:
  - Multi-Factor Authentication, as already discussed, will be needed for your user accounts.
  - Exchange Advanced Threat Protection is particularly useful during the + assessment in providing validation that your organisation protects against malicious file attachments.
  - Last but not least, a Microsoft 365 subscription facilitates a range of benefits, including, but not limited to, the latest available version of a Windows operating system, BitLocker drive encryption and policy management features.