Nearly four years into its grand Cyber Security Strategy to transform the UK's digital resilience, the Government’s flood of announcements, initiatives and schemes just keeps coming. The latest, the CESG-backed Cyber Essentials, was originally trailed in April, but today's official launch offered enough new detail to underline this as one to watch carefully.
Cyber Essentials is pretty simple to explain in outline. Aimed at the lower end of the SME spectrum, there will be two levels starting with a basic one that works through a self-assessment questionnaire signed off by the CEO or MD, which is then checked by a certification body. This will give participating firms a public certification 'kitemark' (our term) that tells the world they are not security idiots.
The real McCoy will be one level up and called Cyber Essentials Plus, a more in-depth scheme in which SMEs will hire an accredited vulnerability testing outfit to sniff out their network in greater detail. Areas covered will include firewall configuration, external website protection, patching and desktop and endpoint control. Naturally, this will cost, with one estimate putting the sum required at around £2,500, an entry-level amount for this sort of job.
The rub – why SMEs should pay close attention – is that any SMEs wanting to do business with the Government will have to carry out a mandatory Plus level assessment. It goes beyond this. In due course, Cyber Essentials Plus is meant to become a de-facto standard of security competence that will also be required for all SMEs plugged into big-company supply chains.
The first clear implication is that dodging Cyber Essentials Plus certification won’t be an option for many, or so it seems. The second is that just completing the basic level won’t be enough either; that is being described by sources as a sort of ‘launch pad’ for achieving the Essentials Plus certification over time.
This is a potentially big change for UK SMEs but also for the growing and fragmented industry of security pen-testing firms that make a living poking around on networks looking for holes.
In short order, more and more SMEs will realise they need to take on Cyber Essentials, while the companies offering to carry out assessments will need to be signed off, currently by accreditation overlord CREST, a moving force behind the development of Cyber Essentials.
The number of pen and security testers that have made it through this process currently stands at 32, with names including Deloitte, BT Group, HP, Dell SecureWorks, NCC Group and NTA Monitor. Let’s be honest, most of these are rather high-end firms that come at a price. It’s not clear that £2,500 will be enough in every case. But if Cyber Essentials expands the market by forcing more firms to carry out security certification, this kind of service could quickly become a commodity – perhaps that is even the Government’s intention in making it mandatory for so many SMEs.
“I agree that for the SME market this has been a difficult thing to process at a price they could afford,” says CREST president, Ian Glover.
He is confident that the firms awarding Cyber Essentials certification will meet high standards. “All of those companies sign up to a code of conduct. We expect companies to explain why [a client] passed or failed,” he says.
Ignoring the vexed issue of how much a 'failure' might cost an SME in upgrade spend, a key wrinkle to be ironed out is how long a Cyber Essentials certification is good for. If history is any guide, what looks good in 2014 will look weak five years later. The certificate isn't going to be good indefinitely. According to Glover, the time period is still under discussion but he believes it could and should become a “regular” process.
There is an obvious dilemma here: make the certification an annual process and it raises costs for SMEs but make it too infrequent and it could end up looking like a meaningless scout badge.
The larger effect the initiative will have on real security protection is complex. It will without an ounce of doubt raise standards – the gap between the best and the worst will narrow over time – but it was ironic that Universities and Science Minister David Willetts referenced the Gameover Zeus (GOZeus) botnet, CryptoLocker malware and the recent eBay data breach as examples of the threats faced by SMEs during the launch. Frankly, it is unlikely that anything in even the more advanced Cyber Essentials Plus would have been guaranteed to stop such threats.
Even the most sophisticated security battles to contain state-of-the-art threats, and that’s before considering more fundamental vulnerabilities such as the Heartbleed SSL flaw, caused by issues beyond the control of any organisation. Security has become a huge struggle for everyone. The Government has already cautioned that the initiative won’t stop targeted attacks, although in its defence it’s not clear that any technology can yet do that.
The Government and CREST are still right to say that Cyber Essentials is a new security baseline, something the UK currently lacks. SMEs have been winging it for years and that can’t go on. The tickets have been sold, destination uncertain.