An organisation can be assessed against the 5 Cyber Essentials controls by machines rather than humans.
To a certain extent, this is already being done with Cyber Essentials Plus certification, although the analysis and interpretation of results are currently done by a human being, which makes it both time consuming and expensive.
This part can also be automated. Checks against the current test specification can be automatically interpreted: secure configuration; boundary firewalls and internet gateways; patch management; and malware protection can all be objectively checked.
In some cases, e.g. policies for access control and administrative privilege management, a few simple questions are required.
Everything else can actually be assessed automatically without the need for a consultant.
Critics of the current scheme cite 3 principal quality issues:
Automation by its nature can potentially address all 3: -
Needless to say, there are other ways in which automation can increase quality. The first and most obvious one is to potentially dispense with the self-certification based upon subjective answers. In other words: why bother with basic Cyber Essentials, a standard of debatable value due to its subjective nature, when you could have an objective, evidence-based standard, for less effort?
The next possibility created by automation is that of continuous compliance. If computers are answering the Cyber Essentials questions, why not ask them to do so 365 days a year, rather than just once?
Automation offers the potential for expert knowledge to be embedded within a managed service, and to be made available to a non-expert user. This makes the Cyber Essentials scheme accessible to small and mid-sized businesses currently lacking the knowledge to self-certify, but reluctant to pay for expensive expert consultancy.
For larger organisations, also unwilling to break the bank with third-party consultants, automation provides them with the autonomy to self-certify on a business unit by business unit basis, rather than on a monolithic basis. Decisions related to scope can be left to the end users and their service providers, rather than to assessors who lack the knowledge to flex the scope based upon sensible, risk-based decisions.
The key to driving adoption is, therefore, to place more power into the hands of end users and to move away from the idea that end users require intervention from cybersecurity experts, particularly when questions exist as to how competent those experts might actually be. End users should be able to self-certify for Cyber Essentials Plus; the challenge for NCSC and its new partner will be to ensure that automated tools and services are assured.
The cost of an annual Cyber Essentials Plus certification was around £3,500 for XQ Cyber. An automated service could not only reduce that price to less than £1,000, but it could also deliver twelve times the value by assessing the end user continuously (monthly would be enough) throughout the year. By removing the human being from the initial phases of certification (identifying the issues to be fixed), end users can instead focus on addressing the issues and putting in place processes and procedures to make those fixes less costly to implement.
For governments, the potential big win offered by automation (other than increased adoption) is increased visibility. Automation offers the possibility of introducing scoring, analysis and trending data; the kind of learning that can be used to inform policy and shape the guidance offered to end users. For example, automated services could identify: -
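To make the three ideas above concrete (machine interpretation of the five control areas, continuous monthly assessment, and fleet-wide scoring and trending), here is an added example. It is not code from the original post and not CyberScore's own implementation; the fact schema (`HostFacts`), the thresholds and the sample snapshots are constructed for illustration, with the 14-day window for critical/high updates following the published Cyber Essentials requirement.

```python
"""Added example: a minimal rule engine that interprets machine-collected
endpoint facts against the five Cyber Essentials control areas and tracks the
outcome across monthly snapshots.  Schema, thresholds and sample data are
constructed assumptions, not real telemetry or any vendor's rule set."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

PATCH_WINDOW_DAYS = 14       # Cyber Essentials: critical/high updates applied within 14 days
MAX_SIGNATURE_AGE_DAYS = 7   # assumption: malware definitions older than a week fail


@dataclass
class Patch:
    severity: str            # "critical", "high", "medium" or "low"
    released: date           # vendor release date of the missing update


@dataclass
class HostFacts:
    """What an agent or scanner can collect objectively from one endpoint."""
    hostname: str
    collected: date
    firewall_enabled: bool
    default_credentials_found: bool
    unsupported_software: List[str]   # products past end-of-support
    admin_accounts: List[str]
    daily_use_accounts: List[str]
    av_enabled: bool
    av_signature_age_days: int
    missing_patches: List[Patch]


CONTROLS = ["firewalls", "secure_configuration", "access_control",
            "malware_protection", "patch_management"]


def evaluate(host: HostFacts) -> Dict[str, bool]:
    """Pass/fail per control, derived only from collected facts (no self-assessment)."""
    overdue = [p for p in host.missing_patches
               if p.severity in ("critical", "high")
               and (host.collected - p.released).days > PATCH_WINDOW_DAYS]
    # Accounts used for day-to-day work must not also hold administrative rights.
    shared_admin = set(host.admin_accounts) & set(host.daily_use_accounts)
    return {
        "firewalls": host.firewall_enabled,
        "secure_configuration": not host.default_credentials_found,
        "access_control": not shared_admin,
        "malware_protection": host.av_enabled
                              and host.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS,
        "patch_management": not overdue and not host.unsupported_software,
    }


def score(results: Dict[str, bool]) -> int:
    """Percentage of controls passed; a certification pass still needs all five."""
    return round(100 * sum(results.values()) / len(results))


def trend(snapshots: List[HostFacts]) -> List[Tuple[str, int]]:
    """Chronological (date, score) pairs: continuous compliance rather than a yearly audit."""
    ordered = sorted(snapshots, key=lambda h: h.collected)
    return [(h.collected.isoformat(), score(evaluate(h))) for h in ordered]


def failure_counts(snapshots: List[HostFacts]) -> Dict[str, int]:
    """How often each control fails across a fleet: trend data that can inform guidance."""
    counts = {c: 0 for c in CONTROLS}
    for h in snapshots:
        for control, passed in evaluate(h).items():
            if not passed:
                counts[control] += 1
    return counts


# Constructed sample: one workstation seen in two consecutive monthly collections.
SAMPLE_SNAPSHOTS = [
    HostFacts("ws-01", date(2024, 1, 15), True, False, [], ["admin.jane"], ["jane"],
              True, 10, [Patch("critical", date(2023, 12, 20)), Patch("low", date(2024, 1, 10))]),
    HostFacts("ws-01", date(2024, 2, 15), True, False, [], ["admin.jane"], ["jane"],
              True, 1, [Patch("low", date(2024, 1, 10))]),
]

if __name__ == "__main__":
    for when, pct in trend(SAMPLE_SNAPSHOTS):
        print(f"{when}: {pct}% of controls passed")
    print("failures by control:", failure_counts(SAMPLE_SNAPSHOTS))
```

In the January snapshot the critical update is 26 days old and the malware definitions are 10 days old, so patch management and malware protection both fail (60%); by February both are fixed and the host scores 100%. The `failure_counts` view is the fleet-level aggregate that a scheme operator could use to see which control most organisations struggle with.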
Unless something is done to address the lack of adoption, the scheme will, in our view, probably die, or be diluted to the point of adding no business value. The demise of the scheme would be a disaster, not so much in terms of embarrassment for NCSC, but more in terms of the cybersecurity of the nation.
If we can’t find a way to allow large numbers of public and private sector organisations to demonstrate conformity to 5 technical security controls, then the UK will remain acutely exposed to commodity cybercrime, whose own growth figures are depressingly exponential.
Want to learn more about CyberScore? Visit our website to book a demo.