
Cyber Essentials: going mainstream?


As I’m sure many readers of this blog will be aware, Cyber Essentials is a UK Government scheme encouraging organisations to adopt good practice in information security. It includes an assurance framework and a simple set of security controls to protect IT.

It was launched with great fanfare in June of last year and became mandated for certain UK Government IT contracts in October 2014, but it has seen relatively low take-up, at least thus far.


Recently I helped organise a joint event between the East Midlands branch of the Institute of Information Security Professionals (IISP) and the East Midlands Chambers of Commerce that brought together about 75 people with an interest in the scheme on a cold winter’s eve in Nottingham.

The audience on the night was an eclectic mix, ranging from one-man bands to global blue-chip companies and from novices to information security professionals. But that is exactly what a scheme like Cyber Essentials is about. Whilst it provides some guidelines, it then allows the user to identify a suitable cyber defence strategy based on the circumstances of their organisation.

Paul Midian, from PwC, expertly covered the nuts and bolts of the scheme in a rapid 30-minute session.

Some of Paul’s top tips for the five categories were:

  • Firewalls do not provide complete protection against internet-based threats. A multi-layered defence is required;
  • To ensure a secure configuration, rigorous IT asset management will pay dividends;
  • The Joiner/Mover/Leaver (JML) process is complex; tracking your user populations is hard!
  • Endpoint malware protection is good hygiene, but anti-virus software can be bypassed. Comprehensive malware protection requires a multi-layered approach – at the network perimeter, at the endpoint, and within the corporate environment;
  • The Cyber Essentials guidance document states patch management applies to “computer and network devices that are connected to or capable of connecting to the internet”. This should include every computer.

Following a chance for everyone to catch their breath and get a cup of coffee, Ian Glover from CREST gave a second presentation. This time the focus was on how the Cyber Essentials scheme fits into what can at times be a complex picture of different assurance schemes.

The final part of the evening was a panel discussion, with delegates able to fire questions at the two presenters. Also joining the panel was Cyber Matter’s very own Colin Robbins, who was able to draw upon the experience of Cyber Essentials certification last year.

Key themes emerging were:

  • How long would it take to achieve Cyber Essentials? Answer – it depends upon the organisation and what is in place already; but with a few weeks of preparation, certifying can take a matter of days, so as a ballpark figure, 6-8 weeks potentially.
  • Cyber insurance – is this any good? Opinion was mixed as to its value, but it is definitely something worth considering. (see this previous blog)
  • What is the scope of Cyber Essentials? Again, difficult to quantify, but even something like a closed-circuit TV could well be within scope.

Overall, the consensus of the evening seemed to be that Cyber Essentials was picking up some momentum as a scheme, with growing interest not only from those working within cyber security, and that while it wasn’t necessarily an easy thing to do, it should be achievable for most.

More information on the Cyber Essentials scheme can be found at:


9 COMMENTS

  1. I can’t find the specific article you mentioned, but here’s a random, unpredictable comment:

    “Hey, did you guys hear about the new Cyber Essentials? Is it worth the hype or just another fad?”

    • “Sorry, couldn’t find that article either. But I gotta say, Cyber Essentials is no hype. It’s a legit way to protect your business from cyber threats. Definitely not just another fad. Get with the program!”

    • Actually, relying solely on antivirus software is like using an umbrella in a hurricane. Cyber Essentials offers a comprehensive approach, addressing vulnerabilities beyond traditional malware. It’s time to embrace modern solutions for modern threats. Stay safe!

    • Sorry to burst your bubble, but Cyber Essentials isn’t some superhero. It’s just a basic security standard. There’s a lot more to protecting ourselves in this digital age than a catchy hashtag. Let’s not get carried away with overhyping it. #RealityCheck
