There is wide acceptance that adherence to the controls of the Cyber Essentials Scheme is the best way to avoid commodity cyber-attacks. However, despite the best efforts of Government and industry, scheme adoption levels remain stubbornly low.
Businesses don’t see enough value in compliance: small and mid-sized businesses are deterred by the scheme’s costs; large businesses feel that compliance is probably unachievable and not worth the effort. As the scheme enters its fifth year and is set to evolve in the hands of a single industry partner, this paper sets out the transformational opportunity offered by automation: improved quality, lower barriers to adoption and reduced costs. By embracing automation, the scheme will be able to evolve towards continuous compliance, customers will be able to concentrate on getting better rather than re-stating a known problem, and Government will be able to offer policy and guidance based upon empirical evidence.
For those who haven’t heard of it, Cyber Essentials is a scheme backed by the National Cyber Security Centre (NCSC) whose aim is to protect organisations of all sizes from the most common forms of cyber-attack. As well as reducing risk, conforming to the scheme’s 5 technical controls allows organisations to demonstrate a commitment to cybersecurity to customers, partners and insurers. Basic Cyber Essentials certification can be achieved on a self-certification basis, or, for the higher level, on an evidential basis via an independent assessment.
XQ is a mid-sized company employing 60 people, and we’re a cybersecurity company, making it relatively easy for us to achieve basic certification. Our CISO spent three days answering the questions and it took a few more days for the business to address any shortcomings. The certificate itself cost £300. For the past two years, we have certified at the higher level using an independent assessor (despite being a Cyber Essentials certification body, we can’t mark our own homework), which took a day and cost around £3,500 each time.
At the scheme’s inception, the Government estimated that the scheme would be appropriate for around 250,000 public and private sector organisations within Government and its supply chain. An internal target for the first year of the scheme was set at 10,000 certifications. Five years on, despite grant schemes across the UK to pay for certification, and despite becoming a procurement prerequisite at the Scottish Government, the Government of Jersey, and the UK Ministry of Defence, there have been only 22,000 certificates awarded,
Inevitably, the underlying reasons for low adoption are likely to be complex and are the subject of much debate. Government has done a lot to raise awareness, and most businesses in the government supply chain are now likely to be aware of the scheme.
Security is a hard sell. When faced with a choice between spending money now in order to avoid the possibility of future jeopardy, or taking a chance and hoping to get away with it, human beings are notorious gamblers.
Some have suggested that the bar is set too high; however, the cybersecurity industry often complains that the scheme doesn’t go far enough. In fact, it is set quite low when viewed against more comprehensive standards and schemes such as 10 Steps or the NIST framework. My view is that the bar, as an initial baby step, is probably set about right.
Another possible factor is a shortage of proficient security professionals. However, there are around 250 Certification Bodies servicing the UK market, overseen by 5 Accreditation Bodies. If every UK Certification Body delivered one certificate on each working day of the month, around 70,000 certificates would be generated every year. It is therefore unlikely that we are approaching anywhere close to our national certification capacity.
Small and medium-sized businesses don’t employ cybersecurity experts, and they often don’t have many IT staff, if indeed they have any at all. Therefore, they don’t know how to answer the scheme’s questions, and, as a result, they must employ consultants to help them to do so. Whilst basic certification is only £300, a week of cyber consulting is prohibitively expensive for a small business. Add £3,500 to this for an independent assessment, and they could be looking at a bill of around £5,000 to £8,000 to achieve the higher level of certification.
Large organisations often operate sprawling IT estates whose architectures and asset inventories are unknown, or are, at best, partially documented. In many cases, they contain ageing, unsupported and therefore highly vulnerable equipment, which was never intended to be operated in an Internet-connected environment. If this equipment is within scope, as they are often told it must be by Certification Bodies, they face the prospect of certain failure. This is further compounded by ownership: much of their infrastructure and applications are run by third parties who demand additional fees even for a discussion about the scheme.
Large businesses, therefore, face a different set of difficulties to those facing small and medium-sized businesses. However, the barrier to adoption is common, and also relates to value, or rather the lack of it. The triple whammy of scale, scope and ownership makes the Cyber Essentials Scheme off-limits for large organisations because the prospect of certain failure renders any spending nugatory.
If it is the case that businesses simply don’t see value in the scheme, then the answer must lie either in mandation, or in evolving the scheme, or both.
Mandation alone is unlikely to drive adoption. Historical data indicates that even in the supply chains where compliance has been made mandatory, uptake remains stubbornly low, and resistance to the scheme has hardened amongst larger organisations like the NHS.
Evolving the scheme to generate greater business value could involve many things. To my mind, the fundamentals to be addressed are:
1. Improving quality
2. Lowering barriers to adoption
3. Reducing costs
At XQ, we believe that the key enabler for delivering all three, and thereby driving adoption, is automation.
In our next blog, we will take a look at how automation works in the context of Cyber Essentials.
XQ Cyber also offers a range of incident response and consultancy services such as Penetration Testing, Cyber Posture Assessments and Incident Response preparedness and testing.