When Standards aren’t standard.
Author David Riley
I don’t pull any punches when asked my opinion on Cyber Essentials: it is an awful standard.
It is a good idea, but it is executed poorly. Let me explain why.
In 2014 the UK government released Cyber Essentials as a new accreditation. It is now being used as a requirement for working with government departments, because we don’t already have enough standards to choose from (apparently!).
Cyber Essentials is a little different from other standards though. For a start it is narrowly focused, only covers technology implementation and isn’t standardised. The government created a framework and then washed their hands of it.
The core issue with Cyber Essentials is that, depending on the accreditation/certification body you choose, you get a different assessment.
Seriously!? Given that most accreditations are seen as a badge of honour to secure a contract, why would you accredit with a body that wants you to answer 48 questions when you can choose one that only wants you to answer 34? Beyond the Self-Assessment Questionnaire (SAQ), at least one of the accreditation bodies has added a little strength by requiring all of its certification bodies to perform a vulnerability scan of the public-facing IPs, which will highlight some lies if you say you are patching in a timely manner. But the scan isn’t part of the basic Cyber Essentials framework?! They have just ‘decided’ to add it, as it’s a “good idea” (which it is, but it has never been part of the ‘standard’). Don’t want the cost and hassle of a scan? Then choose someone else.
I’ll go back to my previous statement. The government created a framework, and the accreditation bodies implemented it how they saw fit based on that framework. The framework provided guidance and examples, but unfortunately the accreditation bodies took the examples as gospel.
Here is an example:
Cyber Essentials Requirements Statement:
“All security patches for software running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 14 days of release or automatically when they become available from vendors).”
What the Accreditation bodies interpreted:
All security patches for software running on computers and network devices that are connected to or capable of connecting to the internet should be installed within 14 days of release.
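To make the gap between the two readings concrete, here is a small added example (my illustration, not part of the original post or of any Cyber Essentials material). It scores the same set of patch records twice: once under the hard “14 days, full stop” reading the accreditation bodies applied, and once under the requirement text as written, where 14 days and automatic vendor updates are only examples of “timely”. The host names, patch names, dates and the 21-day organisational patch window are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# The figure the accreditation bodies hardened into a rule.
STRICT_WINDOW_DAYS = 14


@dataclass
class PatchRecord:
    host: str
    patch: str
    released: date
    installed: Optional[date]   # None if the patch is not yet installed
    auto_update: bool = False   # True if a vendor auto-update channel applied it


def days_outstanding(rec: PatchRecord, as_of: date) -> int:
    """Days from release to installation, or to 'as_of' if still uninstalled."""
    end = rec.installed or as_of
    return (end - rec.released).days


def strict_status(rec: PatchRecord, as_of: date) -> str:
    """The accreditation bodies' reading: installed within 14 days of release."""
    age = days_outstanding(rec, as_of)
    if rec.installed is None:
        return "OVERDUE" if age > STRICT_WINDOW_DAYS else "PENDING"
    return "PASS" if age <= STRICT_WINDOW_DAYS else "FAIL"


def framework_status(rec: PatchRecord, as_of: date, timely_days: int) -> str:
    """The requirement text as written: 'timely manner', with 14 days and
    automatic installation given only as examples. 'timely_days' is the
    organisation's own documented patch window (an assumption of this example)."""
    if rec.auto_update and rec.installed is not None:
        return "PASS"   # applied automatically when the vendor made it available
    age = days_outstanding(rec, as_of)
    if rec.installed is None:
        return "OVERDUE" if age > timely_days else "PENDING"
    return "PASS" if age <= timely_days else "FAIL"


def compare(records: List[PatchRecord], as_of: date,
            timely_days: int = 21) -> List[Tuple[str, str, str, str]]:
    """Return (host, patch, strict verdict, framework verdict) per record."""
    return [(r.host, r.patch, strict_status(r, as_of),
             framework_status(r, as_of, timely_days)) for r in records]


# Constructed sample inventory; hosts, patches and dates are invented.
AS_OF = date(2016, 3, 1)
SAMPLE = [
    PatchRecord("web01", "KB-A", date(2016, 2, 1), date(2016, 2, 10)),
    PatchRecord("web02", "KB-A", date(2016, 2, 1), date(2016, 2, 19)),        # day 18
    PatchRecord("fw01", "vendor-hotfix-1", date(2016, 2, 1), None),            # 29 days open
    PatchRecord("lap03", "browser-update", date(2016, 2, 20), date(2016, 2, 21), auto_update=True),
    PatchRecord("lap04", "KB-B", date(2016, 2, 25), None),                     # 5 days open
]

if __name__ == "__main__":
    for host, patch, strict, framework in compare(SAMPLE, AS_OF):
        print(f"{host:6} {patch:16} strict={strict:8} framework={framework}")
```

Run it and web02 is the interesting row: patched on day 18 under a documented three-week cycle, it fails the hardened rule and passes the requirement as the government actually wrote it. The genuinely neglected firewall fails under both readings, which is the behaviour you would want from any assessment.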
However, this is not the biggest issue with Cyber Essentials. Its narrow focus means it only covers technical controls, and only OS and configuration issues at that. It doesn’t drive a culture of security, it doesn’t get management buy-in, and it doesn’t even account for two of the biggest risks to your organisation: humans and application flaws. Having spent years trying to convince senior leadership that security isn’t an IT problem, Cyber Essentials comes along and it is an IT problem again(!).
And then there is the assessment process. For basic Cyber Essentials this is self-assessment, and if anything, years of working with PCI DSS (the credit card security standard) have taught me that self-assessment doesn’t work: people just tick the boxes to get through. At least it isn’t just a tick-box “yes” or “no” process like PCI DSS, as you are required to detail how you meet each control, but all that does is make it a little more time consuming to ‘tick the boxes’.
Don’t get me wrong: if you have no idea about security and have no controls in place, then yes, it is better than nothing, but there are much better standards out there. ISO 27001 is a great starting point; even if you don’t want to attain accreditation, work to the framework. It covers security across a wide range of business areas, from HR to IT. ISO 27001 does require a little more effort and work to implement, but it doesn’t have to be laborious or difficult. Feel free to go with Cyber Essentials and ‘tick the box’, but please be aware that many people involved in cyber security can see what it’s worth. And that’s not a lot.
Cyber Essentials is a good idea, poorly implemented.