"Are you doing the cyber essentials?"
That's the pitch to U.K. businesses via a new program called Cyber Essentials. Funded by the government's National Cyber Security Program, it offers businesses the opportunity to have their information security practices awarded one of two badges: the self-assessed "Cyber Essentials," and beginning later this summer, "Cyber Essentials Plus," which is contingent upon an annual, independent audit.
The certification program aims to ensure that businesses have five basic information security controls in place. It was developed in part with the venerable British Standards Institution, as well as the Information Assurance for SMEs Consortium and the Information Security Forum.
The launch of the program has been heralded by a number of industry associations and insurers - who have promised incentives for businesses that comply - as well as U.K. information commissioner Christopher Graham. "Protecting personal data depends on good cybersecurity, and the threats and challenges are getting ever more sophisticated," he says. "This scheme focuses on the core set of actions that businesses should be taking to protect themselves, their customers, and their brand."
BAE Systems, Barclays and Hewlett-Packard are among the businesses that have promised to participate in the program. But that's not surprising, because the U.K. government also announced this week that by Oct. 1, "all suppliers bidding for certain sensitive and personal information-handling contracts" must have the Cyber Essentials certification.
Focus on the Basics
Despite the fanfare, the certification itself requires only that businesses implement a handful of relatively simple controls: boundary firewalls and Internet gateways, secure configuration, access control, malware protection and patch management.
"I'm a little underwhelmed by the content to be honest; it's basic and contains nothing that any reasonable tech-support guy won't have known anyway," says Andrew Rose, a London-based security and risk analyst at Forrester Research. "What it does achieve, however, is an escalation of the discussion around information and cybersecurity. Rather than just being left to IT, now the CEO may begin to ask questions about compliance as it becomes important to capturing certain types of new business."
Going forward, however, Rose wants to see the current program become the lowest rung - think a bronze level - in the program, to be complemented by silver-level and gold-level "higher standards of excellence."
Similarly, Gavin Millard, technical director for Europe, the Middle East and Africa at Tenable Network Security, characterizes the guidance as "more of a 'use traveler's checks, keep your possessions close,' rather than a detailed view of the controls that should be implemented by businesses to remain secure from cyberthreats."
Arguably, at least there's now an incentive for businesses to get their security house in order. But Millard also questions some of the basic advice the Cyber Essentials guidance offers. "For example, when ... discussing authentication best practices, they trot out the usual line of 'use characters and numbers,' rather than making the suggestion of using a password management solution, which would address many issues people face today," he says. "We have to wake up to the fact that humans are not programmed to create complex passwords repeatedly for many systems and utilize technology to address this."
Millard also characterizes as "flawed" the program's emphasis on rapidly, if not automatically, installing every patch after it gets released by a vendor. Instead, he says businesses should pursue a more rigorous vulnerability assessment program to avoid unnecessary cost and rework. "It is far more important to patch critical, easily exploitable vulnerabilities first, rather than every patch vendors release," he says.
The Right Moves
Despite those criticisms, Millard lauds the intent of the program. "The U.K. government is starting to make the right moves, defining a base level of protection we should expect from any business," he says.
Forrester's Rose, who has previously helped two law firms achieve ISO 27001 information security certification, says any business would benefit from signing up for Cyber Essentials, especially if its practices aren't yet mature enough to pursue the ISO standard. "Certification against approved standards can be useful to prove to your clients, insurers or regulators that your firm takes security seriously," he says.