This week, the government launched a ‘Cyber Essentials’ scheme.
As previously noted, this scheme is the next stage on from the ’10 Steps to Cyber Security’ guidance which was published in 2012. The 10 Steps guidance encouraged organisations to consider whether they were managing their cyber risks. It raised the need for company Boards and senior executives to take ownership of these risks and enshrine them within their overall corporate risk management regime. The guidance also incorporated CPNI’s top 20 technical critical security controls.
What is the ‘Cyber Essentials’ scheme?
The scheme is primarily aimed at small organisations and also those medium-sized organisations that, whilst having some knowledge of the issues, have limited capability to implement the full range of controls necessary to achieve robust cyber protection.
Its objective is to help address low level cyber threat and provide a means of testing your organisation against basic critical cyber security controls and, if accredited, demonstrating that you have a basic level of cyber security in place.
It aims to do so by:
Offering clarity to businesses in what is a complex and confused standards landscape, by supporting technical controls that are accessible and fit-for-purpose;
Helping businesses follow best practice in basic cyber hygiene and mitigate cyber risks at the low-threat level e.g. hacking and phishing;
Offering a voluntary alternative to a legislative approach;
Enabling businesses that are cyber secure to differentiate themselves in the marketplace;
Answering the ‘how’ question: existing standards often do not explain how a company should implement a security measure or what ‘good’ looks like.
The Scheme includes basic controls in five areas:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
Cyber standards and government procurement
It is worth noting that, in the future, the government is likely to include this Scheme in its procurement (where relevant and proportionate).
Is the Cyber Essentials scheme enough?
ADS supports the government’s efforts to increase cyber security across all sectors of the economy and has invested a lot of time and resource in raising awareness within the aerospace, defence, security and space supply chains.
However, companies must be aware that the Cyber Essentials scheme is only a start. Implementing the controls will not be sufficient to protect against the broad range of cyber attacks: the scheme does not necessarily present the security arrangements an organisation needs to have in place to protect against other forms of threat, including interception of wireless communications, insider attacks, theft or sophisticated threats (i.e. a threat with significant capability, funding and resource, typically those associated with advanced persistent threats). The technical controls presented are also preventative in nature and exclude those typically associated with detecting and responding to cyber attacks.
The aerospace, defence, security and space sectors are the target of more advanced cyber threats compared to many other sectors. From the perspective of Defence, implementing the controls contained in Cyber Essentials will therefore only help prepare a company for the more stringent requirements that will be required by the Ministry of Defence at a later date.
ADS is leading the supply chain work stream of the Defence Cyber Protection Partnership (DCPP). DCPP is :
- Identifying how the basic controls in ‘Cyber Essentials’ should be implemented in the defence supply chain. Defence contractors are likely to have to implement the technical controls with greater vigour, to a higher level of maturity and to have a more mature risk assessment, assurance and verification process (taking into account factors such as a company’s size, the type of project a company is involved in, the sensitivity of information a company stores).
- Identifying what additional controls (above and beyond those in Cyber Essentials) will need to be implemented, in a proportionate way, by companies in the defence supply chain. These are likely to cover: technical risk assessment; control of removable media; physical security controls; people security (including information security training, roles and responsibilities); compliance with legislation; scanning for vulnerabilities; information security policy; defining information security roles and responsibilities.
- The Cyber Essentials requirements document has been published and all organisations are free to implement it within their organisation, and self-assess themselves against it.
- The government has also published a draft assurance framework for the scheme which is available for comment until 7 May. Whilst organisations are free to implement the requirements document within their organisation, some may want or need to gain independent assurance that they have fully implemented the controls, for example to demonstrate this to a third party. The assurance framework will enable organisations to be independently assessed by individuals or organisations who have demonstrated the appropriate skills and competence. The framework will provide confidence that the controls defined in the profile have been implemented correctly. This full scheme will be launched in the summer.
- DCPP’s work is currently being tested and piloted. The Ministry of Defence intends to mandate the DCPP controls in its contracts from January 2015. DCPP will identify options for incorporating this requirement into contracts and the procurement process. DCPP is also identifying critical suppliers for phased roll-out of the cyber controls.
Where can I go to for funding and further advice?
ADS has produced a guide about where you can go for further advice and support.
SMEs should also be aware that the government is making funding available to them, entrepreneurs and early stage start-ups: these companies can apply for ‘Innovation Vouchers for Cyber Security’. Companies who apply will be given £5,000 by the government to enable them to access cyber security advice and services to protect their businesses.